Azure Content Package
Common Azure services data (e.g. Azure Activity, Azure Security Center, Azure Firewall, etc.).
For a quickstart guide on how to enable Data Connectors / Analytics Rules / Workbooks, click here.
Connectors
- Azure Activity
- Azure Security Center
- Azure Security Center for IoT
- Azure Active Directory
- Azure Firewall
- Azure Web Application Firewall
- Security Events
Analytics
- Advanced Multistage Attack Detection
- Suspicious number of resource creation or deployment activities
- Suspicious granting of permissions to an account
- Process execution frequency anomaly
- RDP Nesting
- Security Event log cleared
- Group added to built in domain local or global group
- Powershell Empire cmdlets seen in command line
- User account enabled and disabled within 10 mins
- Rare RDP Connections
- Scheduled Security Events
- AD account with don't expire password - disabled
- Known Phosphorus group domains/IP
- Known IRIDIUM IP
- Known GALLIUM domains and hashes
- Known Strontium group domains
- Anomalous sign-in location by user account and authenticating application
- Suspicious application consent similar to PwnAuth
- Distributed Password cracking attempts in AzureAD
- Sign-ins from IPs that attempt sign-ins to disabled accounts
Workbooks
- Security Operations Efficiency
- Azure Activity
- ASC Compliance and Protection
- Azure AD Audit, Activity and Sign-in logs
- Insecure Protocols
- Identity & Access