Detection Rules

Hello, I am looking to build more detections in our environment, but I am curious what detection rules y'all are setting up today, and possibly what those queries are?

Azure “Risky Users” has been a lifesaver for us. So much easier to investigate these inside of the SIEM with our other log correlation rather than have 47 Microsoft Admin Centers open trying to look for the data you need.

Hello, I somewhat understand what you mean. Is this related to the integration of Azure AD?
Correct? Can you share some queries, if you don't mind?

Yes. These come from our Azure AD to InsightIDR connection. I’d share the query but we are using different variables based on our log conditions, but it will be something like this:

where(riskLevelDuringSignIn = "Medium" OR riskLevelDuringSignIn = "High")
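As an added illustration, not code from this thread or from Rapid7/InsightIDR, here is the same Medium-or-High rule applied in Python over constructed Azure AD sign-in events, grouped per user so an analyst can triage the highest-risk accounts first. riskLevelDuringSignIn is the field named above; userPrincipalName and the JSON-lines layout are assumptions.

```python
import json

# Severity order for riskLevelDuringSignIn. Azure AD also emits 'hidden'
# (no P2 licence) and 'unknownFutureValue'; both are unrated and ignored.
RISK_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3}
# The thread's rule: riskLevelDuringSignIn = "Medium" OR "High".
ALERT_LEVELS = {"medium", "high"}

# Constructed sample sign-in events in JSON-lines form (not real data).
# userPrincipalName is an assumed field name for the account.
SAMPLE_EVENTS = [
    '{"userPrincipalName": "alice@example.com", "riskLevelDuringSignIn": "high"}',
    '{"userPrincipalName": "bob@example.com", "riskLevelDuringSignIn": "Medium"}',
    '{"userPrincipalName": "carol@example.com", "riskLevelDuringSignIn": "low"}',
    '{"userPrincipalName": "alice@example.com", "riskLevelDuringSignIn": "medium"}',
    '{"userPrincipalName": "dave@example.com", "riskLevelDuringSignIn": "hidden"}',
    'this line is not JSON and is skipped',
]


def parse_event(line):
    """Parse one JSON-lines event; return None for lines that are not objects."""
    try:
        event = json.loads(line)
    except json.JSONDecodeError:
        return None
    return event if isinstance(event, dict) else None


def matches_rule(event):
    """True when the sign-in carries a Medium or High risk level (case-insensitive)."""
    level = str(event.get("riskLevelDuringSignIn", "")).lower()
    return level in ALERT_LEVELS


def risky_users(lines):
    """Summarise matching sign-ins per user (highest level seen, hit count),
    ordered highest-risk first so an analyst triages them in that order."""
    summary = {}
    for line in lines:
        event = parse_event(line)
        if event is None or not matches_rule(event):
            continue
        upn = event.get("userPrincipalName", "<unknown>")
        level = event["riskLevelDuringSignIn"].lower()
        entry = summary.setdefault(upn, {"max_level": level, "count": 0})
        entry["count"] += 1
        if RISK_RANK[level] > RISK_RANK[entry["max_level"]]:
            entry["max_level"] = level
    return dict(sorted(summary.items(), key=lambda kv: -RISK_RANK[kv[1]["max_level"]]))
```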