Solutions/Microsoft Entra ID/Analytic Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml #10617

Closed
ksinghd09 opened this issue Jun 7, 2024 · 10 comments
Comments

@ksinghd09

See the path for code in title of this issue.
This query generates duplicate incidents every 2 hours when the analytic rule runs. Please suggest a fix for it.

@v-rusraut
Contributor

Hi @ksinghd09, thanks for flagging this issue. We will investigate it and get back to you with some updates by 15-06-2024. Thanks!

@v-rusraut
Contributor

Hi @ksinghd09,
We are working on reproducing the issue and will update you.

@v-sudkharat
Contributor

Hi @ksinghd09, we had a discussion with the concerned team about this issue, and the team wants to check whether, in your environment, only this rule has been configured: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml, and not this one, which has the same name: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml

Due to the name collision between the two rules, there may be duplicate incidents, but could you please confirm and let us know, so we can share this update with the team. Thanks!

@v-sudkharat
Contributor

Hi @ksinghd09, waiting for your response on the above comment. Thanks!

@v-sudkharat
Contributor

Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 22-07-2024, we will be closing this issue.
Thanks!

@ksinghd09
Author

Thanks for getting back. We have created a custom analytic rule for our environment; it triggers an alert by searching the Audit logs table instead of the IdentityInfo table.

@v-sudkharat
Contributor

Hey @ksinghd09, the audit logs table is used in the rule https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business%20Email%20Compromise%20-%20Financial%20Fraud/Analytic%20Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml, so could you please check and confirm whether the custom rule you created is based on the above rule, and not on the one mentioned in the issue title itself: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml
As mentioned in comment #10617 (comment), if both rules get configured then, due to the name collision, duplicate incidents get created. Thanks!

@v-sudkharat
Contributor

@ksinghd09, waiting for your response. Thanks!

@v-sudkharat
Contributor

Hi @ksinghd09, gentle reminder: we are waiting for your response on this issue. If you still need to keep this issue active, please respond to it in the next 2 days. If we don't receive a response by 09-08-2024, we will be closing this issue.
Thanks!

@v-sudkharat
Contributor

Hi @ksinghd09, since we have not received a response in the last 5 days, we are closing your issue as per our standard operating procedures. If you still need support for this issue, feel free to re-open at any time. Thank you for your co-operation.
