Correlation Rules - How to generate one alert per match #1287
Replies: 3 comments
-
I would like to have a look at the log samples, as both rules are the same.
-
I apologize for the confusion. These are two different custom rules. One is for deletion of security info and the other for the registration of security info. Basically, both rules work except they only seem to be generating one alert per day and then adding all logs for that day under the same alert (whether it is for the same user or not). What we want is that for every log that comes in, whether it is for the same user or not, a new alert is created (for every instance). Is it possible and if so, how?
-
This appears to be the same issue I am having: #1356 I didn't realize that the subsequent events were actually being logged into the original alert, but yes, they are. If I go to "related logs" under the alert, all of the "missing" alerts are showing logs there. I really need to receive an alert for every matching log. Otherwise, events throughout the day are getting overlooked because there are no alerts. I'm thinking this is part of the new feature here #1167, but I'm not sure.
-
Hello everyone,
I am currently sending Entra ID audit logs to an Azure EventHub which is connected to UTMStack via the integration.
I created custom correlation rules in the hopes of creating an alert for every time a log is detected that has the operationname "User deleted security info" or "User registered security info".
I tested it by adding and deleting multiple different authentication methods for my account on Microsoft, but only one alert for the deletions and one alert for the registrations were created, and all subsequent logs were registered under those two alerts.
It would be important to have an alert created for each log that comes in that matches the correlation rules.
Here are the two custom rules:

Rule version v1.0.0
severity: High
description: "An authentication method (MFA device) was added to an Entra ID account. This could be a result of a possible Office 365 authentication token theft and needs to be investigated urgently"
solution: "Verify with the user in question whether or not the new authentication method was added by him/her."
category: "MFA Management"
dataTypes: ["azure"]
frequency: 60
cache:
    operator: "=="
    value: "AuditLogs"
    operator: "=="
    value: "UserManagement"
    operator: "::"
    value: "User registered security info"
  timeLapse: 60
  minCount: 1

Rule version v1.0.1
severity: High
description: "An authentication method (MFA device) was deleted to an Entra ID account. This could be a result of a possible Office 365 authentication token theft and needs to be investigated urgently"
solution: "Verify with the user in question whether or not the new authentication method was deleted by him/her."
category: "MFA Management"
dataTypes: ["azure"]
frequency: 60
cache:
    operator: "=="
    value: "AuditLogs"
    operator: "=="
    value: "UserManagement"
    operator: "::"
    value: "User deleted security info"
  timeLapse: 60
  minCount: 1
  save:
    alias: "USERNAME"
    alias: "SOURCE_IP"
    alias: "Timestamp"
Can anyone help resolve this?
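The two behaviours discussed in this thread, every matching log folded into one open alert for the rule versus a separate alert per matching log (or per user), come down to what key the correlation engine groups matches on and for how long it keeps an alert "open". The Python below is an added illustration of that difference and is not UTMStack's correlation engine or code from this discussion. The flattened event schema, the treatment of the "::" operator as a substring match, the 3600-second grouping window and the sample Entra ID audit records are all constructed assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample events: flattened Entra ID audit records, not real data.
SAMPLE_EVENTS = [
    {"time": "2024-05-01T09:00:00", "category": "AuditLogs", "properties.category": "UserManagement",
     "operationName": "User registered security info", "user": "alice@example.com", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:05:00", "category": "AuditLogs", "properties.category": "UserManagement",
     "operationName": "User registered security info", "user": "bob@example.com", "ip": "203.0.113.11"},
    {"time": "2024-05-01T09:07:00", "category": "AuditLogs", "properties.category": "UserManagement",
     "operationName": "User deleted security info", "user": "alice@example.com", "ip": "203.0.113.10"},
    {"time": "2024-05-01T09:09:00", "category": "AuditLogs", "properties.category": "UserManagement",
     "operationName": "User registered security info", "user": "alice@example.com", "ip": "203.0.113.12"},
    {"time": "2024-05-01T11:00:00", "category": "AuditLogs", "properties.category": "UserManagement",
     "operationName": "User registered security info", "user": "alice@example.com", "ip": "203.0.113.10"},
]

# Assumption: "==" is equality and "::" is a substring match on the field value.
OPERATORS = {
    "==": lambda actual, expected: actual == expected,
    "::": lambda actual, expected: expected in str(actual or ""),
}

# Hypothetical rule objects mirroring the conditions in the thread's two rules.
REGISTRATION_RULE = {
    "name": "MFA method registered",
    "conditions": [
        ("category", "==", "AuditLogs"),
        ("properties.category", "==", "UserManagement"),
        ("operationName", "::", "User registered security info"),
    ],
    "minCount": 1,
}
DELETION_RULE = {
    "name": "MFA method deleted",
    "conditions": [
        ("category", "==", "AuditLogs"),
        ("properties.category", "==", "UserManagement"),
        ("operationName", "::", "User deleted security info"),
    ],
    "minCount": 1,
}


def matches(rule, event):
    """True when every condition of the rule holds for the event."""
    return all(OPERATORS[op](event.get(field), value) for field, op, value in rule["conditions"])


def _group_key(rule, event, group_by):
    """Decide which open alert a new match may be folded into."""
    if group_by == "rule":        # one alert per rule per window (the behaviour reported above)
        return rule["name"]
    if group_by == "user":        # one alert per rule and user per window
        return (rule["name"], event["user"])
    return None                   # no grouping: one alert per matching log


def correlate(events, rule, group_by=None, window_seconds=3600):
    """Run the rule over the events and return the alerts it would raise.

    A match is attached to an existing alert only if the alert has the same group
    key and was opened within window_seconds; otherwise a new alert is opened.
    """
    alerts = []
    for event in sorted(events, key=lambda e: e["time"]):
        if not matches(rule, event):
            continue
        ts = datetime.fromisoformat(event["time"])
        key = _group_key(rule, event, group_by)
        target = None
        if key is not None:
            for alert in alerts:
                if alert["key"] == key and ts - alert["first_seen"] <= timedelta(seconds=window_seconds):
                    target = alert
                    break
        if target is None:
            alerts.append({"rule": rule["name"], "key": key, "first_seen": ts, "events": [event]})
        else:
            target["events"].append(event)
    return [a for a in alerts if len(a["events"]) >= rule["minCount"]]


if __name__ == "__main__":
    for mode in (None, "user", "rule"):
        raised = correlate(SAMPLE_EVENTS, REGISTRATION_RULE, group_by=mode)
        print(f"group_by={mode!r}: {len(raised)} alert(s), event counts {[len(a['events']) for a in raised]}")
```

With grouping on the rule name, the three registrations within the first hour collapse into a single alert and only the one two hours later opens a second, which is the "missing alerts" effect described above; grouping on the user still merges Alice's two registrations, and only the ungrouped mode raises one alert per matching log.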