elastic · terrancedejesus · Aug 28, 2025 · Aug 28, 2025 · Aug 29, 2025 · Aug 29, 2025
diff --git a/...s/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml b/...s/_deprecated/credential_access_entra_signin_brute_force_microsoft_365_repeat_source.toml
@@ -73,7 +73,7 @@ tags = [
     "Domain: SaaS",
     "Data Source: Azure",
     "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",

diff --git a/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml b/rules/cross-platform/initial_access_azure_o365_with_network_alert.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/04/29"
 integration = ["azure", "o365"]
 maturity = "production"
-updated_date = "2025/07/30"
+updated_date = "2025/08/29"
 
 [rule]
 author = ["Elastic"]
@@ -17,12 +17,13 @@ false_positives = [
     """,
 ]
 from = "now-60m"
+interval = "59m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 or Entra ID Sign-in from a Suspicious Source"
+name = "Entra ID Sign-in from a Suspicious Source"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 or Entra ID Sign-in from a Suspicious Source
+### Investigating Entra ID Sign-in from a Suspicious Source
 
 #### Possible investigation steps
 
@@ -61,10 +62,10 @@ rule_id = "f0cc239b-67fa-46fc-89d4-f861753a40f5"
 severity = "high"
 tags = [
     "Domain: Cloud",
-    "Domain: SaaS",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Data Source: Microsoft 365",
     "Data Source: Microsoft 365 Audit Logs",
     "Use Case: Identity and Access Audit",

diff --git a/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml b/...sharepoint_access_for_user_principal.toml → ...sharepoint_access_for_user_principal.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/07"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -30,10 +30,10 @@ from = "now-9m"
 index = ["logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Microsoft Entra ID SharePoint Access for User Principal via Auth Broker"
+name = "Entra ID SharePoint Accessed by Rare User with Microsoft Authentication Broker Client"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID SharePoint Access for User Principal via Auth Broker
+### Investigating Entra ID SharePoint Access for User Principal via Auth Broker
 
 This rule identifies non-interactive sign-ins to SharePoint Online via the Microsoft Authentication Broker application using a refresh token or Primary Refresh Token (PRT). This type of activity may indicate token replay attacks, OAuth abuse, or automated access from previously consented apps or stolen sessions.
 
@@ -82,12 +82,14 @@ To use this rule, ensure that Microsoft Entra ID Sign-In Logs are being collecte
 severity = "high"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Use Case: Identity and Access Audit",
     "Tactic: Collection",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
     "Data Source: Microsoft Entra ID Sign-in Logs",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"

diff --git a/...ollection_update_event_hub_auth_rule.toml → ...lection_event_hub_created_or_updated.toml b/...ollection_update_event_hub_auth_rule.toml → ...lection_event_hub_created_or_updated.toml
@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ false_positives = [
     """,
 ]
 from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+index = ["filebeat-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Authorization Rule Created or Updated"
@@ -59,15 +59,23 @@ Azure Event Hub Authorization Rules manage access to Event Hubs via cryptographi
 - Escalate the incident to the security operations team for further investigation and to determine if additional systems or data have been compromised.
 - Conduct a security review of all Event Hub Authorization Rules to ensure that only necessary permissions are granted and that the RootManageSharedAccessKey is not used in applications.
 - Enhance monitoring and alerting for changes to authorization rules by integrating with a Security Information and Event Management (SIEM) system to detect similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = ["https://docs.microsoft.com/en-us/azure/event-hubs/authorize-access-shared-access-signature"]
 risk_score = 47
 rule_id = "b6dce542-2b75-4ffb-b7d6-38787298ba9d"
 severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Log Auditing", "Tactic: Collection", "Resources: Investigation Guide"]
+tags = [
+    "Domain: Cloud",
+    "Domain: Storage",
+    "Data Source: Azure",
+    "Data Source: Azure Activity Logs",
+    "Use Case: Log Auditing",
+    "Tactic: Collection",
+    "Resources: Investigation Guide",
+    "Service: Azure Event Hub",
+    "Service: Azure Storage",
+    "Platform: Azure",
+]
 timestamp_override = "event.ingested"
 type = "query"
 

diff --git a/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml b/.../integrations/azure/collection_graph_email_access_by_unusual_public_client_via_graph.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/05/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/05/06"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -18,7 +18,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.graphactivitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Suspicious Email Access by First-Party Application via Microsoft Graph"
+name = "Microsoft Graph Request Email Access by User with Rare Client"
 note = """## Triage and analysis
 
 ### Investigating Suspicious Email Access by First-Party Application via Microsoft Graph
@@ -67,12 +67,16 @@ rule_id = "e882e934-2aaa-11f0-8272-f661ea17fbcc"
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
+    "Domain: Email",
     "Data Source: Azure",
     "Data Source: Microsoft Graph",
     "Data Source: Microsoft Graph Activity Logs",
     "Use Case: Threat Detection",
     "Tactic: Collection",
     "Resources: Investigation Guide",
+    "Service: Microsoft Graph",
+    "Platform: Azure",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"

diff --git a/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml b/rules/integrations/azure/credential_access_entra_id_brute_force_activity.toml
@@ -4,7 +4,7 @@ integration = ["azure"]
 maturity = "production"
 min_stack_comments = "Elastic ESQL values aggregation is more performant in 8.16.5 and above."
 min_stack_version = "8.17.0"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -25,10 +25,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Sign-In Brute Force Activity"
+name = "Entra ID User Sign-In Brute Force Attempted"
 note = """## Triage and analysis
 
-### Investigating Microsoft Entra ID Sign-In Brute Force Activity
+### Investigating Entra ID Sign-In Brute Force Activity
 
 This rule detects brute-force authentication activity in Entra ID sign-in logs. It classifies failed sign-in attempts into behavior types such as password spraying, credential stuffing, or password guessing. The classification (`bf_type`) helps prioritize triage and incident response.
 
@@ -77,14 +77,15 @@ rule_id = "cca64114-fb8b-11ef-86e2-f661ea17fbce"
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"

diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Entra ID Device Code Auth with Broker Client"
+name = "Entra ID OAuth Device Code Grant by Microsoft Authentication Broker"
 references =[
     "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf",
     "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in",
@@ -27,11 +27,14 @@ This rule optionally requires Azure Sign-In logs from the Azure integration. Ens
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "query"
@@ -49,7 +52,7 @@ note = """## Triage and analysis
 > **Disclaimer**:
 > This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
 
-### Investigating Entra ID Device Code Auth with Broker Client
+### Investigating Entra ID OAuth Device Code Grant from Microsoft Authentication Broker Client
 
 Entra ID Device Code Authentication allows users to authenticate devices using a code, facilitating seamless access to Azure resources. Adversaries exploit this by compromising Primary Refresh Tokens (PRTs) to bypass multi-factor authentication and Conditional Access policies. The detection rule identifies unauthorized access attempts by monitoring successful sign-ins using device code authentication linked to a specific broker client application ID, flagging potential misuse.
 

diff --git a/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml b/rules/integrations/azure/credential_access_entra_id_excessive_account_lockouts.toml
@@ -2,7 +2,7 @@
 creation_date = "2025/07/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -21,7 +21,7 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft Entra ID Exccessive Account Lockouts Detected"
+name = "Entra ID Excessive Account Lockouts Detected"
 note = """## Triage and analysis
 
 ### Investigating Microsoft Entra ID Exccessive Account Lockouts Detected
@@ -71,14 +71,15 @@ rule_id = "2d6f5332-42ea-11f0-b09a-f661ea17fbcd"
 severity = "high"
 tags = [
     "Domain: Cloud",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"

diff --git a/...ess_first_time_seen_device_code_auth.toml → ..._id_first_time_seen_device_code_auth.toml b/...ess_first_time_seen_device_code_auth.toml → ..._id_first_time_seen_device_code_auth.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/10/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/02/21"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic", "Matteo Potito Giorgio"]
@@ -16,7 +16,7 @@ from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "First Occurrence of Entra ID Auth via DeviceCode Protocol"
+name = "Entra ID OAuth Device Code Grant by Rare User"
 note = """## Triage and analysis
 
 ### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol
@@ -86,11 +86,14 @@ setup = "This rule optionally requires Azure Sign-In logs from the Azure integra
 severity = "medium"
 tags = [
     "Domain: Cloud",
+    "Domain: IAM",
     "Data Source: Azure",
     "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "new_terms"

diff --git a/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml b/...tra_signin_brute_force_microsoft_365.toml → ..._id_signin_brute_force_microsoft_365.toml
@@ -2,7 +2,7 @@
 creation_date = "2024/09/06"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/07/16"
+updated_date = "2025/08/28"
 
 [rule]
 author = ["Elastic"]
@@ -23,10 +23,10 @@ from = "now-60m"
 interval = "15m"
 language = "esql"
 license = "Elastic License v2"
-name = "Microsoft 365 Brute Force via Entra ID Sign-Ins"
+name = "Microsoft 365 Brute Force Attempted (Entra ID Sign-ins)"
 note = """## Triage and analysis
 
-### Investigating Microsoft 365 Brute Force via Entra ID Sign-Ins
+### Investigating Microsoft 365 Brute Force via Entra ID Sign-ins
 
 Identifies brute-force authentication activity against Microsoft 365 services using Entra ID sign-in logs. This detection groups and classifies failed sign-in attempts based on behavior indicative of password spraying, credential stuffing, or password guessing. The classification (`bf_type`) is included for immediate triage.
 
@@ -74,15 +74,15 @@ rule_id = "35ab3cfa-6c67-11ef-ab4d-f661ea17fbcc"
 severity = "medium"
 tags = [
     "Domain: Cloud",
-    "Domain: SaaS",
-    "Domain: Identity",
+    "Domain: IAM",
     "Data Source: Azure",
-    "Data Source: Entra ID",
-    "Data Source: Entra ID Sign-in Logs",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Sign-in Logs",
     "Use Case: Identity and Access Audit",
     "Use Case: Threat Detection",
     "Tactic: Credential Access",
     "Resources: Investigation Guide",
+    "Platform: Microsoft Entra ID",
 ]
 timestamp_override = "event.ingested"
 type = "esql"