[Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows

rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/08/12"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,8 +19,8 @@ false_positives = [
     rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Full Network Packet Capture Detected"

rules/integrations/azure/credential_access_storage_account_key_regenerated.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/19"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
     or locations should be investigated.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Storage Account Key Regenerated"

rules/integrations/azure/defense_evasion_azure_automation_runbook_deleted.toml

@@ -2,16 +2,16 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
 disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.
 """
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Runbook Deleted"

rules/integrations/azure/defense_evasion_azure_blob_permissions_modified.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/09/22"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -17,7 +17,8 @@ false_positives = [
     Exceptions can be added to this rule to filter expected behavior.
     """,
 ]
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Permissions Modification"

rules/integrations/azure/defense_evasion_azure_diagnostic_settings_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
     from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Diagnostic Settings Deletion"

rules/integrations/azure/defense_evasion_event_hub_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
     be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Event Hub Deletion"

rules/integrations/azure/defense_evasion_firewall_policy_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
     hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Firewall Policy Deletion"

rules/integrations/azure/defense_evasion_frontdoor_firewall_policy_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/08/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
@@ -19,8 +19,8 @@ false_positives = [
     is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Frontdoor Web Application Firewall (WAF) Policy Deleted"

rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,8 +18,8 @@ false_positives = [
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Events Deleted"

rules/integrations/azure/defense_evasion_network_watcher_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/31"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -18,8 +18,8 @@ false_positives = [
     hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Network Watcher Deletion"

rules/integrations/azure/defense_evasion_suppression_rule_created.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/08/27"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Austin Songer"]
@@ -18,8 +18,8 @@ false_positives = [
     should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Alert Suppression Rule Created or Modified"

rules/integrations/azure/discovery_blob_container_access_mod.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/20"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
     or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Blob Container Access Level Modification"

rules/integrations/azure/execution_azure_automation_runbook_created_or_modified.toml

@@ -2,16 +2,16 @@
 creation_date = "2020/08/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
 description = """
 Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
 Automation runbook to execute malicious code and maintain persistence in their target's environment.
 """
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Automation Runbook Created or Modified"

rules/integrations/azure/execution_command_virtual_machine.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -20,8 +20,8 @@ false_positives = [
     from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Command Execution on Virtual Machine"

rules/integrations/azure/impact_kubernetes_pod_deleted.toml

@@ -2,7 +2,7 @@
 creation_date = "2021/06/24"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
@@ -17,8 +17,8 @@ false_positives = [
     behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Kubernetes Pods Deleted"

rules/integrations/azure/impact_resource_group_deletion.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/08/17"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/01/15"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -19,8 +19,8 @@ false_positives = [
     from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.activitylogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Resource Group Deletion"

rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

@@ -2,16 +2,16 @@
 creation_date = "2021/10/18"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Austin Songer"]
 description = """
 Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning
 and heuristics.
 """
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.signinlogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory High Risk User Sign-in Heuristic"

rules/integrations/azure/initial_access_azure_active_directory_powershell_signin.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -17,8 +17,8 @@ false_positives = [
     investigated. If known behavior is causing false positives, it can be exempted from the rule.
     """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["logs-azure.signinlogs-*", "filebeat-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Azure Active Directory PowerShell Sign-in"

rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

@@ -2,7 +2,7 @@
 creation_date = "2020/09/01"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/08"
+updated_date = "2025/09/26"
 
 [rule]
 author = ["Elastic"]
@@ -13,7 +13,7 @@ accomplished by tricking a user into granting consent to the application, typica
 establishes an OAuth grant that allows the malicious client applocation to access resources on-behalf-of the user.
 """
 from = "now-9m"
-index = ["logs-azure*"]
+index = ["logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
 name = "Microsoft Entra ID Illicit Consent Grant via Registered Application"

rules/integrations/azure/initial_access_entra_oauth_phishing_via_vscode_client.toml

@@ -2,7 +2,7 @@
 creation_date = "2025/04/23"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2025/09/26"
+updated_date = "2025/09/30"
 
 [rule]
 author = ["Elastic"]
@@ -15,7 +15,7 @@ Insiders redirect location, prompting victims to return an OAuth authorization c
 tokens. This rule may help identify unauthorized use of the VS Code OAuth flow as part of social engineering or
 credential phishing activity.
 """
-from = "now-25m"
+from = "now-9m"
 index = ["filebeat-*", "logs-azure.signinlogs-*"]
 language = "kuery"
 license = "Elastic License v2"