Within this release, we made modifications to the Threat Intel MATCH-S00815 Rule to include the user_username associated with the 'src_Device_ip' to capture the account the threat IP authenticated with and to correlate on actions by the account. We also made a modification to the Azure Sign in Log mapper so that 'properties.userAgent' is mapped to the entity field 'http_userAgent'.
Rules
- [Updated] MATCH-S00815 Threat Intel - Successful Authentication from Threat IP
Log Mappers
- [Updated] AzureActivityLog 01