@pkhabazi
Created September 24, 2020 19:54
AzSentinel 0.6.8
Scheduled:
- id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee
  displayname: Suspect Application Consent
  description: |
    This will alert when the "Consent to application" operation is performed by a user who has not done this operation before or rarely does so.
    This could indicate that permissions to access the listed Azure App were granted to a malicious actor.
    Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.
    This may help detect the OAuth2 attack that can be initiated with this publicly available tool - https://github.com/fireeye/PwnAuth
    For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
  severity: High
  requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
    - AuditLogs
  queryFrequency: 2H
  queryPeriod: 7H
  triggerOperator: GreaterThan
  triggerThreshold: 3
  tactics:
  - Persistence
  - LateralMovement
  - Collection
  playbookName: Playbook01
  query: |
    AzureActivity
- id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee
  displayname: Suspect Application Consent 02
  description: |
    This will alert when the "Consent to application" operation is performed by a user who has not done this operation before or rarely does so.
    This could indicate that permissions to access the listed Azure App were granted to a malicious actor.
    Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events.
    This may help detect the OAuth2 attack that can be initiated with this publicly available tool - https://github.com/fireeye/PwnAuth
    For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities
  severity: High
  requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
    - AuditLogs
  queryFrequency: 2H
  queryPeriod: 7H
  triggerOperator: GreaterThan
  triggerThreshold: 3
  tactics:
  - Persistence
  - LateralMovement
  - Collection
  playbookName: Playbook01
  query: |
    AzureActivity

Get Azure Sentinel Data connector

SYNTAX

Get-AzSentinelDataConnector [-SubscriptionId <String>] -WorkspaceName <String> [-DataConnectorName <String[]>]
 [<CommonParameters>]

DESCRIPTION

With this function you can list the Azure Sentinel data connectors that are enabled on the workspace.

EXAMPLES

EXAMPLE 1

Get-AzSentinelDataConnector -WorkspaceName ""
List all  enabled dataconnector

EXAMPLE 2

Get-AzSentinelDataConnector -WorkspaceName "" -DataConnectorName "",""
Get specific dataconnectors
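A pre-flight script that ties the two parts of this gist together, added here as example code (it is not part of the gist above and not part of the AzSentinel module). It parses a Scheduled rule file like the one above, flags rules that share an id, rules whose queryPeriod is shorter than their queryFrequency, and queries that are only a bare table name, then uses Get-AzSentinelDataConnector to confirm that every connector listed under requiredDataConnectors is actually enabled before handing the file to Import-AzSentinelAnalyticRules. Assumptions: the powershell-yaml module (ConvertFrom-Yaml) is installed, an Azure session is already established, and the objects returned by Get-AzSentinelDataConnector expose the connector type in a `kind` property as the REST API does; the interval parser only understands the M/H/D suffixes used in the file.

```powershell
# Added example: pre-flight validation of an AzSentinel rule file (not from the gist or the module).
#Requires -Modules AzSentinel, powershell-yaml
param(
    [Parameter(Mandatory)] [string] $WorkspaceName,
    [Parameter(Mandatory)] [string] $SettingsFile,   # the YAML rule file shown above
    [switch] $Import                                 # only import once the checks pass
)

# Parse an interval such as "2H", "30M" or "7D" into a TimeSpan (assumption: only M/H/D suffixes occur).
function ConvertTo-Interval([string] $Value) {
    if ($Value -notmatch '^(?<n>\d+)(?<u>[MHD])$') { throw "Unsupported interval '$Value'" }
    $n = [int] $Matches.n
    switch ($Matches.u) {
        'M' { [TimeSpan]::FromMinutes($n) }
        'H' { [TimeSpan]::FromHours($n) }
        'D' { [TimeSpan]::FromDays($n) }
    }
}

$rules    = (Get-Content -Raw $SettingsFile | ConvertFrom-Yaml).Scheduled
$problems = [System.Collections.Generic.List[string]]::new()

# 1. Each scheduled rule needs its own id; two rules with one id would update the same rule twice.
$rules | Group-Object { $_.id } | Where-Object Count -gt 1 | ForEach-Object {
    $names = ($_.Group | ForEach-Object { $_.displayname }) -join ', '
    $problems.Add("duplicate id $($_.Name) used by: $names")
}

# 2. The lookback window (queryPeriod) must cover at least one run interval (queryFrequency),
#    and a query that is just a table name is a placeholder that will alert on every row.
foreach ($rule in $rules) {
    $freq   = ConvertTo-Interval $rule.queryFrequency
    $period = ConvertTo-Interval $rule.queryPeriod
    if ($period -lt $freq) {
        $problems.Add("$($rule.displayname): queryPeriod $($rule.queryPeriod) is shorter than queryFrequency $($rule.queryFrequency)")
    }
    if ($rule.query.Trim() -notmatch '\|') {
        $problems.Add("$($rule.displayname): query '$($rule.query.Trim())' has no operators; it looks like a placeholder")
    }
}

# 3. Every connector declared in requiredDataConnectors must be enabled on the workspace,
#    otherwise the rule runs against a table that never receives data and silently detects nothing.
#    Assumption: the returned connector objects carry the connector type in 'kind'.
$enabledKinds = @(Get-AzSentinelDataConnector -WorkspaceName $WorkspaceName | ForEach-Object kind)
foreach ($rule in $rules) {
    foreach ($connector in $rule.requiredDataConnectors) {
        if ($connector.connectorId -notin $enabledKinds) {
            $problems.Add("$($rule.displayname): required connector $($connector.connectorId) is not enabled on $WorkspaceName")
        }
    }
}

if ($problems.Count) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw "Rule file $SettingsFile failed pre-flight checks; nothing was imported."
}

if ($Import) {
    Import-AzSentinelAnalyticRules -WorkspaceName $WorkspaceName -SettingsFile $SettingsFile
} else {
    "All $($rules.Count) rules passed; rerun with -Import to create them."
}
```

Run against the file above, the script warns that both rules share id 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee and that the query `AzureActivity` has no operators, and it refuses to import; it would also warn if the AzureActiveDirectory connector were not enabled, which is the check the requiredDataConnectors block is meant to express but which AzSentinel does not enforce for you.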