ITDR/  (nicolonsky/ITDR, as referenced by the raw file URLs below)
├── .devcontainer
│   └── devcontainer.json
├── .github
│   └── workflows
│       ├── build-yaml-rules.yml
│       ├── dump-aaguids.yaml
│       └── token-theft-demo.yml
├── AnalyticRules
│   ├── NRT User elevated access to User Access Administrator for Azure Resources (MCAS).json
│   ├── NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml
│   ├── T1528.Entra.ServicePrincipalAccessTokenReplay.json
│   ├── T1528.Entra.ServicePrincipalAccessTokenReplay.yaml
│   ├── T1531.Entra.HighlyPrivilegedRoleRemoval.json
│   └── T1531.Entra.HighlyPrivilegedRoleRemoval.yaml
├── Assets
│   └── logo.png
├── Detections
│   ├── T1021.007.EntraConnect.ApplicationManagementModifications.md
│   ├── T1528.Entra.ServicePrincipalAccessTokenReplay.md
│   ├── T1531.Entra.HighlyPrivilegedRoleRemoval.md
│   └── T1539.Entra.AzureAiTMPhishing.md
├── LICENSE
├── Playbooks
│   └── Entra-DisableServicePrincipal
│       └── LA-DisableServicePrincipal.json
├── Queries
│   ├── Azure-MFA-Enforcement.md
│   ├── Entra-Applications-DelegatedConsent.md
│   ├── Entra-BitLocker-Recovery-Key-Retrieval.md
│   ├── Entra-Conditional-Access-Excluded-Accounts.md
│   ├── Entra-Conditional-Access-Failure-By-Policy.md
│   ├── Entra-Conditional-Access-Not-Applied.md
│   ├── Entra-Cross-Tenant-Access.md
│   ├── Entra-Deprecated-Intune-PowerShell.md
│   ├── Entra-DeviceCode-Authentication.md
│   ├── Entra-FIDO2-Registration.md
│   ├── Entra-Guest-User-Invite.md
│   ├── Entra-ID-Protection-Summary.md
│   ├── Entra-Identity-Protection-Detection-Timing.md
│   ├── Entra-LAPS-Password-Retrieval.md
│   ├── Entra-MFA-Prompts.md
│   ├── Entra-Passkey-Registration.md
│   ├── Entra-Restricted-Administrative-Unit-Device-Added.md
│   ├── Entra-SignInLogs-AuthenticationContextDetails.md
│   ├── Entra-SignInLogs-AuthenticationRequirement.md
│   ├── Entra-SigninLogs-SessionId-Investigation.md
│   ├── Entra-Stale-App-Registrations.md
│   ├── Entra-User-AuthenticationMethod-Change.md
│   ├── Entra-Users-Convert-B2B-Account.md
│   ├── Exposure-Management-Privileged-Account-Exposure.md
│   ├── GitHub-Federated-Credentials-Added-to-Entra-Workload-Identity.md
│   ├── MDE-Entra-Connect-Version.md
│   ├── MDE-LocalGroup-Membership-Change.md
│   ├── MDI-AD-SPNs.md
│   ├── MDI-AZUREADSSOACC-Logon.md
│   ├── Sentinel-ThreatIntelIndicators-Migration.md
│   ├── XDR-Contain-User-Sense.md
│   └── XDR-Raw-Log-Ingestion-Volume-Estimation.md
├── README.md
└── Watchlists
    ├── Entra-ID-PIM-Eligible-Directory-Roles
    │   ├── Get-AssignableRoles-Automation.ps1
    │   ├── Get-AssignableRoles.ps1
    │   └── la-pimroleassignments.json
    └── aaguids.json

--------------------------------------------------------------------------------
File index (repository path, followed by its raw content URL)
--------------------------------------------------------------------------------

/.devcontainer/devcontainer.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/.devcontainer/devcontainer.json

/.github/workflows/build-yaml-rules.yml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/.github/workflows/build-yaml-rules.yml

/.github/workflows/dump-aaguids.yaml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/.github/workflows/dump-aaguids.yaml

/.github/workflows/token-theft-demo.yml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/.github/workflows/token-theft-demo.yml

/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).json

/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/NRT User elevated access to User Access Administrator for Azure Resources (MCAS).yaml

/AnalyticRules/T1528.Entra.ServicePrincipalAccessTokenReplay.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/T1528.Entra.ServicePrincipalAccessTokenReplay.json

/AnalyticRules/T1528.Entra.ServicePrincipalAccessTokenReplay.yaml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/T1528.Entra.ServicePrincipalAccessTokenReplay.yaml

/AnalyticRules/T1531.Entra.HighlyPrivilegedRoleRemoval.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/T1531.Entra.HighlyPrivilegedRoleRemoval.json

/AnalyticRules/T1531.Entra.HighlyPrivilegedRoleRemoval.yaml:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/AnalyticRules/T1531.Entra.HighlyPrivilegedRoleRemoval.yaml

/Assets/logo.png:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Assets/logo.png

/Detections/T1021.007.EntraConnect.ApplicationManagementModifications.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Detections/T1021.007.EntraConnect.ApplicationManagementModifications.md

/Detections/T1528.Entra.ServicePrincipalAccessTokenReplay.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Detections/T1528.Entra.ServicePrincipalAccessTokenReplay.md

/Detections/T1531.Entra.HighlyPrivilegedRoleRemoval.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Detections/T1531.Entra.HighlyPrivilegedRoleRemoval.md

/Detections/T1539.Entra.AzureAiTMPhishing.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Detections/T1539.Entra.AzureAiTMPhishing.md

/LICENSE:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/LICENSE

/Playbooks/Entra-DisableServicePrincipal/LA-DisableServicePrincipal.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Playbooks/Entra-DisableServicePrincipal/LA-DisableServicePrincipal.json

/Queries/Azure-MFA-Enforcement.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Azure-MFA-Enforcement.md

/Queries/Entra-Applications-DelegatedConsent.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Applications-DelegatedConsent.md

/Queries/Entra-BitLocker-Recovery-Key-Retrieval.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-BitLocker-Recovery-Key-Retrieval.md

/Queries/Entra-Conditional-Access-Excluded-Accounts.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Conditional-Access-Excluded-Accounts.md

/Queries/Entra-Conditional-Access-Failure-By-Policy.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Conditional-Access-Failure-By-Policy.md

/Queries/Entra-Conditional-Access-Not-Applied.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Conditional-Access-Not-Applied.md

/Queries/Entra-Cross-Tenant-Access.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Cross-Tenant-Access.md

/Queries/Entra-Deprecated-Intune-PowerShell.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Deprecated-Intune-PowerShell.md

/Queries/Entra-DeviceCode-Authentication.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-DeviceCode-Authentication.md

/Queries/Entra-FIDO2-Registration.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-FIDO2-Registration.md

/Queries/Entra-Guest-User-Invite.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Guest-User-Invite.md

/Queries/Entra-ID-Protection-Summary.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-ID-Protection-Summary.md

/Queries/Entra-Identity-Protection-Detection-Timing.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Identity-Protection-Detection-Timing.md

/Queries/Entra-LAPS-Password-Retrieval.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-LAPS-Password-Retrieval.md

/Queries/Entra-MFA-Prompts.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-MFA-Prompts.md

/Queries/Entra-Passkey-Registration.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Passkey-Registration.md

/Queries/Entra-Restricted-Administrative-Unit-Device-Added.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Restricted-Administrative-Unit-Device-Added.md

/Queries/Entra-SignInLogs-AuthenticationContextDetails.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-SignInLogs-AuthenticationContextDetails.md

/Queries/Entra-SignInLogs-AuthenticationRequirement.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-SignInLogs-AuthenticationRequirement.md

/Queries/Entra-SigninLogs-SessionId-Investigation.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-SigninLogs-SessionId-Investigation.md

/Queries/Entra-Stale-App-Registrations.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Stale-App-Registrations.md

/Queries/Entra-User-AuthenticationMethod-Change.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-User-AuthenticationMethod-Change.md

/Queries/Entra-Users-Convert-B2B-Account.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Entra-Users-Convert-B2B-Account.md

/Queries/Exposure-Management-Privileged-Account-Exposure.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Exposure-Management-Privileged-Account-Exposure.md

/Queries/GitHub-Federated-Credentials-Added-to-Entra-Workload-Identity.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/GitHub-Federated-Credentials-Added-to-Entra-Workload-Identity.md

/Queries/MDE-Entra-Connect-Version.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/MDE-Entra-Connect-Version.md

/Queries/MDE-LocalGroup-Membership-Change.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/MDE-LocalGroup-Membership-Change.md

/Queries/MDI-AD-SPNs.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/MDI-AD-SPNs.md

/Queries/MDI-AZUREADSSOACC-Logon.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/MDI-AZUREADSSOACC-Logon.md

/Queries/Sentinel-ThreatIntelIndicators-Migration.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/Sentinel-ThreatIntelIndicators-Migration.md

/Queries/XDR-Contain-User-Sense.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/XDR-Contain-User-Sense.md

/Queries/XDR-Raw-Log-Ingestion-Volume-Estimation.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Queries/XDR-Raw-Log-Ingestion-Volume-Estimation.md

/README.md:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/README.md

/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/Get-AssignableRoles-Automation.ps1:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/Get-AssignableRoles-Automation.ps1

/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/Get-AssignableRoles.ps1:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/Get-AssignableRoles.ps1

/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/la-pimroleassignments.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Watchlists/Entra-ID-PIM-Eligible-Directory-Roles/la-pimroleassignments.json

/Watchlists/aaguids.json:
https://raw.githubusercontent.com/nicolonsky/ITDR/HEAD/Watchlists/aaguids.json