
[Rule Tuning] Microsoft Entra ID Suspicious Session Reuse to Graph Access #4996

@terrancedejesus

Description

Link to Rule

name = "Microsoft Entra ID Suspicious Session Reuse to Graph Access"

Rule Tuning Type

False Positives - Reducing benign events mistakenly identified as threats.

Description

Rule needs to be tuned as it generates a high volume of false positives and noise.

  • source.as.organization.name != "MICROSOFT-CORP-MSN-as-BLOCK" --> This needs to be fixed, as it is causing MSFT sources to flag this because of `as` instead of `AS`
  • We need to aggregate on session ID, App ID and User ID and remove the truncation window. The window does a general bucketing of any sign-in and graph events, thus it is correlating irrelevant events.
  • We need to confirm that the activity happened within the same day. While the timeframe of the query should ensure this, we should include it explicitly
  • We have a long list of the top first-party client IDs from existing alerts. Some of these can be ignored and are not used for phishing activity.
  • We need to ensure that between sign-in and graph activity, only one app ID is identified. A lot of noise is generated by multiple first-party apps using the same session for the user. The phishing to graph access should report one specific first-party client ID.
  • We should add the Graph auth scopes for hunting/tuning and customer visibility. Same thing with the Graph URL requests seen.

Example Data

No response
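The tuning logic the bullets above describe, written out as an added reference implementation for testing the correlation idea; this is not the rule's own ES|QL and not the issue author's code. It runs over constructed events, and the field names (kind, session, app, as_org, scope, url), the corrected AS organization value and the empty ignore list are assumptions.

```python
from collections import defaultdict

# Constructed sample events, not real telemetry. Field names (kind, session, app,
# as_org, scope, url) are assumptions standing in for the rule's real ECS fields.
EVENTS = [
    # Case 1: one session, one app, same day, non-Microsoft AS -> should alert
    {"ts": "2025-01-10T09:00:00", "kind": "signin", "user": "u1", "session": "s1", "app": "app-A", "as_org": "ACME-ISP"},
    {"ts": "2025-01-10T09:05:00", "kind": "graph", "user": "u1", "session": "s1", "app": "app-A", "as_org": "ACME-ISP", "scope": "Mail.Read", "url": "/v1.0/me/messages"},
    # Case 2: two first-party apps sharing one session -> benign, excluded
    {"ts": "2025-01-10T10:00:00", "kind": "signin", "user": "u2", "session": "s2", "app": "app-A", "as_org": "ACME-ISP"},
    {"ts": "2025-01-10T10:01:00", "kind": "graph", "user": "u2", "session": "s2", "app": "app-B", "as_org": "ACME-ISP", "scope": "User.Read", "url": "/v1.0/me"},
    # Case 3: Microsoft-owned source AS -> excluded regardless of letter case
    {"ts": "2025-01-10T11:00:00", "kind": "signin", "user": "u3", "session": "s3", "app": "app-A", "as_org": "MICROSOFT-CORP-MSN-as-BLOCK"},
    {"ts": "2025-01-10T11:02:00", "kind": "graph", "user": "u3", "session": "s3", "app": "app-A", "as_org": "MICROSOFT-CORP-MSN-as-BLOCK", "scope": "User.Read", "url": "/v1.0/me"},
    # Case 4: sign-in and Graph call on different calendar days -> excluded
    {"ts": "2025-01-10T23:50:00", "kind": "signin", "user": "u4", "session": "s4", "app": "app-A", "as_org": "ACME-ISP"},
    {"ts": "2025-01-11T00:10:00", "kind": "graph", "user": "u4", "session": "s4", "app": "app-A", "as_org": "ACME-ISP", "scope": "Mail.Read", "url": "/v1.0/me/messages"},
]

MICROSOFT_AS_ORG = "MICROSOFT-CORP-MSN-AS-BLOCK"  # assumed canonical value; the issue notes "as" vs "AS" broke the match
IGNORED_FIRST_PARTY_APPS = set()  # placeholder: the issue refers to a list it does not publish


def suspicious_sessions(events):
    """Correlate sign-in and Graph events per (session, user) as the issue proposes."""
    groups = defaultdict(list)
    for e in events:
        # compare case-insensitively so the "as" / "AS" mismatch cannot recur
        if e["as_org"].upper() == MICROSOFT_AS_ORG:
            continue
        groups[(e["session"], e["user"])].append(e)
    hits = []
    for (session, user), evs in groups.items():
        signins = [e for e in evs if e["kind"] == "signin"]
        graphs = [e for e in evs if e["kind"] == "graph"]
        if not signins or not graphs:
            continue  # need both halves of the chain
        if len({e["ts"][:10] for e in evs}) != 1:
            continue  # explicit same-day requirement
        apps = {e["app"] for e in evs}
        if len(apps) != 1 or apps & IGNORED_FIRST_PARTY_APPS:
            continue  # exactly one client ID across the whole session
        if min(e["ts"] for e in signins) > min(e["ts"] for e in graphs):
            continue  # sign-in must precede the Graph access
        hits.append({"user": user, "session": session, "app": apps.pop(),
                     "scopes": sorted({e["scope"] for e in graphs}),
                     "urls": sorted({e["url"] for e in graphs})})
    return hits
```

Only case 1 survives the filters; the scopes and URLs carried in each hit give the extra visibility the last bullet asks for.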
