Adding analytics rule for subscription migration

Open ccmsft opened this issue 2 years ago • 16 comments

Change(s):

  • Adding an analytics rule to detect when a subscription is moved to another tenant.

Reason for Change(s):

  • New rule.

Version Updated:

  • Adding version 1.0.0

Testing Completed:

  • Tested on local tenants by moving subscriptions between them.

Checked that the validations are passing and have addressed any issues that are present:

  • Validated yaml.

ccmsft avatar Feb 10 '23 19:02 ccmsft

hey @ccmsft, can you please resolve the comments, thanks.

v-sabiraj avatar Feb 20 '23 09:02 v-sabiraj

@ccmsft, can you please fix the comments, thanks.

v-sabiraj avatar Feb 24 '23 06:02 v-sabiraj

Addressed the comments. Lowered severity, optimized query logic.

ccmsft avatar Mar 01 '23 12:03 ccmsft

@ccmsft Can you please confirm if we require subscription id to be mapped twice?

devikamehra avatar Mar 03 '23 08:03 devikamehra

@ccmsft, can you please address the comments.

v-sabiraj avatar Mar 08 '23 07:03 v-sabiraj

Confirmed. The built-in mapping is not reliable since the resource has left your tenant. However, if/when this issue is resolved, the built-in reference is preferred. So I have both for now.

ccmsft avatar Mar 08 '23 12:03 ccmsft

@ccmsft, can you please check comments added.

v-sabiraj avatar Mar 17 '23 06:03 v-sabiraj

@devikamehra, can you please check and confirm on this, thanks.

v-sabiraj avatar Mar 29 '23 05:03 v-sabiraj

@ccmsft We have recently made quality improvements to our queries in Azure Activity space as well. Can you please align the query in accordance with these changes?

This will help us save the re-work of improving it later.

I think that should address the earlier comment of empty EventCapture as well.

devikamehra avatar Mar 29 '23 08:03 devikamehra

Hi @ccmsft, please respond to the comments above. Thanks

v-atulyadav avatar Mar 31 '23 04:03 v-atulyadav

Hello @ccmsft any updates on the above comments

v-prasadboke avatar Apr 05 '23 01:04 v-prasadboke

It wasn't clear to me exactly what quality improvements were required so I looked at a few updated queries and adjusted mine accordingly.

ccmsft avatar Apr 13 '23 14:04 ccmsft

Hello @v-sabiraj please look into this

v-prasadboke avatar Apr 18 '23 14:04 v-prasadboke

Hello @v-sabiraj please look into this

v-prasadboke avatar Apr 25 '23 11:04 v-prasadboke

Hello @v-sabiraj waiting for your reply

v-prasadboke avatar Apr 27 '23 11:04 v-prasadboke

Hello @vakohl / @v-sabiraj please provide your update on this

v-prasadboke avatar May 03 '23 05:05 v-prasadboke

Hello @v-sabiraj waiting for your updates

v-prasadboke avatar May 05 '23 05:05 v-prasadboke

Hello @v-sabiraj waiting for your feedback

v-prasadboke avatar May 09 '23 12:05 v-prasadboke

Hello @vakohl, @ccmsft has made some changes

v-prasadboke avatar May 18 '23 16:05 v-prasadboke