Description
Link to Rule
Rule Tuning Type
None
Description
This rule needs to be tuned for the following reasons:
- Extremely noisy in global alert telemetry; often, most alerts are false positives (FPs)
- The whitelisted client application IDs need to be expanded and adjusted based on how common they are across the clusters that alerts are pulled from
- The user types and login types need to be adjusted so the rule is specific to users, not service principals, services, etc.
- Should be tuned to focus solely on access that is bind-audited
- Reduce the New Terms time window to 14 days to improve performance
Example Data
No response