elastic · terrancedejesus · Aug 28, 2025 · Aug 28, 2025 · Aug 29, 2025 · Aug 29, 2025
diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,13 @@ false_positives = [
     """,
 ]
 from = "now-60m"
+interval = "59m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "M365 or Entra ID Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating M365 or Entra ID Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -63,7 +64,7 @@ tags = [
     "Domain: Cloud",
     "Domain: SaaS",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in Logs",
     "Data Source: Microsoft 365",
     "Data Source: Microsoft 365 Audit Logs",

diff --git a/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml b/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Access for User Principal via Auth Broker"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Access for User Principal via Auth Broker
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 
@@ -82,6 +82,7 @@ To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collecte
 severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Use Case: Identity and Access Audit",
     "Tactic: Collection",
     "Data Source: Azure",

diff --git a/...ollection_update_event_hub_auth_rule.toml → ...lection_event_hub_created_or_updated.toml b/...ollection_update_event_hub_auth_rule.toml → ...lection_event_hub_created_or_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
     """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Event Hub Authorization Rule Created or Updated"
+name = "Event Hub Authorization Rule Created or Updated"
 note = """## Triage and analysis
 
 > **Disclaimer**:
@@ -59,15 +59,20 @@ Azure Event Hub Authorization Rules manage access to Event Hubs via cryptographi
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
 - Conduct a security review of all Event Hub Authorization Rules to ensure that only necessary permissions are granted and that the RootManageSharedAccessKey is not used in applications.
 - Enhance monitoring and alerting for changes to authorization rules by integrating with a Security Information and Event Management (SIEM) system to detect similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Domain: Storage",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Use Case: Log Auditing",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/06"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Graph Suspicious Email Access by First-Party Application via Microsoft Graph"
 note = """## Triage and analysis
 
 ### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
@@ -67,6 +67,8 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: SaaS",
+    "Domain: Email",
     "Data Source: Azure",
     "Data Source: Microsoft Graph",
     "Data Source: Microsoft Graph Activity Logs",

diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -25,10 +25,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID Sign-In Brute Force Activity"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID Sign-In Brute Force Activity
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 
@@ -79,7 +79,7 @@ tags = [
     "Domain: Cloud",
     "Domain: Identity",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",

diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -27,8 +27,10 @@ This rule optionally requires Azure Sign-In logs from the Azure integration. Ens
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",

diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
 ### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
@@ -73,7 +73,7 @@ tags = [
     "Domain: Cloud",
     "Domain: Identity",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",

diff --git a/...ess_first_time_seen_device_code_auth.toml → ..._id_first_time_seen_device_code_auth.toml b/...ess_first_time_seen_device_code_auth.toml → ..._id_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
+name = "Entra ID First Occurrence of Auth via DeviceCode Protocol"
 note = """## Triage and analysis
 
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
@@ -86,8 +86,10 @@ setup = "This rule optionally requires Azure Sign-In logs from the Azure integra
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",

diff --git a/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml b/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,7 +23,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "M365 Brute Force via Entra ID Sign-Ins"
 note = """## Triage and analysis
 
 ### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
@@ -77,7 +77,7 @@ tags = [
     "Domain: SaaS",
     "Domain: Identity",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",

diff --git a/...access_azure_entra_suspicious_signin.toml → ...al_access_entra_id_suspicious_signin.toml b/...access_azure_entra_suspicious_signin.toml → ...al_access_entra_id_suspicious_signin.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/28"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -20,10 +20,10 @@ false_positives = [
 from = "now-60m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties"
+name = "Entra ID Concurrent Sign-Ins with Suspicious Properties"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Concurrent Sign-Ins with Suspicious Properties
+### Investigating Entra ID Concurrent Sign-Ins with Suspicious Properties
 
 ### Possible investigation steps
 
@@ -56,9 +56,10 @@ This rule requires the Azure logs integration be enabled and configured to colle
 severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: Identity",
     "Domain: SaaS",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",

diff --git a/...zure_entra_totp_brute_force_attempts.toml → ...s_entra_id_totp_brute_force_attempts.toml b/...zure_entra_totp_brute_force_attempts.toml → ...s_entra_id_totp_brute_force_attempts.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/12/11"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/31"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,10 +21,10 @@ false_positives = [
 from = "now-9m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID MFA TOTP Brute Force Attempts"
+name = "Entra ID MFA TOTP Brute Force Attempts"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID MFA TOTP Brute Force Attempts
+### Investigating Entra ID MFA TOTP Brute Force Attempts
 
 This rule detects brute force attempts against Azure Entra multi-factor authentication (MFA) Time-based One-Time Password (TOTP) verification codes. It identifies high-frequency failed TOTP code attempts for a single user in a short time-span with a high number of distinct session IDs. Adversaries may programmatically attempt to brute-force TOTP codes by generating several sessions and attempting to guess the correct code.
 
@@ -74,7 +74,7 @@ tags = [
     "Domain: Cloud",
     "Domain: Identity",
     "Data Source: Azure",
-    "Data Source: Entra ID",
+    "Data Source: Microsoft Entra ID",
     "Data Source: Entra ID Sign-in logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",

diff --git a/..._azure_key_vault_excessive_retrieval.toml → ...access_key_vault_excessive_retrieval.toml b/..._azure_key_vault_excessive_retrieval.toml → ...access_key_vault_excessive_retrieval.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/10"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/24"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 interval = "8m"
 language = "esql"
 license = "Elastic License v2"
-name = "Excessive Secret or Key Retrieval from Azure Key Vault"
+name = "Key Vault Excessive Secret or Key Retrieval"
 note = """## Triage and analysis
 
-### Investigating Excessive Secret or Key Retrieval from Azure Key Vault
+### Investigating Key Vault Excessive Secret or Key Retrieval
 
 Azure Key Vault is a cloud service that safeguards encryption keys and secrets like certificates, connection strings, and passwords. It is crucial for managing sensitive data in Azure environments. Unauthorized modifications to Key Vaults can lead to data breaches or service disruptions. This rule detects excessive secret or key retrieval operations from Azure Key Vault, which may indicate potential abuse or unauthorized access attempts.
 
@@ -72,11 +72,10 @@ To ensure this rule functions correctly, the following diagnostic logs must be e
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Storage",
     "Domain: Identity",
     "Data Source: Azure",
     "Data Source: Azure Platform Logs",
-    "Data Source: Azure Key Vault",
+    "Data Source: Azure Key Vault Diagnostic Logs",
     "Use Case: Threat Detection",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",