Add watchlist ConditionalAccessBenignStatusCodes and Update the Conditional Access bypass analytic rule for Microsoft Entra ID #14016
- Added guidance for 'ConditionalAccessBenignStatusCodes' watchlist
- Updated query to include optional watchlist filtering (commented out by default)
- Added documentation note about legitimate failures and tuning thresholds
Pull request overview
Note
Copilot was unable to run its full agentic suite in this review.
Adds a new Microsoft Sentinel watchlist for benign Conditional Access status codes and updates the “Bypass conditional access rule(s)” analytic rule to optionally filter those known-benign failures and include tuning guidance.
Changes:
- Added ConditionalAccessBenignStatusCodes watchlist (ARM template + CSV) for reducing false positives.
- Updated BypassCondAccessRule to include optional (commented) watchlist-based filtering and expanded rule guidance.
- Updated solution manifest to include the new watchlist and updated solution UI/package assets.
Reviewed changes
Copilot reviewed 6 out of 8 changed files in this pull request and generated 4 comments.
| File | Description |
|---|---|
| Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json | Adds an ARM template to deploy the new watchlist into Sentinel. |
| Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.csv | Provides the initial list of benign status codes for the watchlist. |
| Solutions/Microsoft Entra ID/Package/testParameters.json | Updates packaging test parameters for the watchlist (ignored from review per repo guidance). |
| Solutions/Microsoft Entra ID/Package/createUiDefinition.json | Updates installer UI text and adds a Watchlists blade (ignored from review per repo guidance). |
| Solutions/Microsoft Entra ID/Data/Solution_AAD.json | Registers the new watchlist in the solution content manifest. |
| Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml | Adds optional watchlist filtering and expands rule description/tuning guidance. |
| "Solutions/Microsoft Entra ID/Playbooks/Revoke-AADSignInSessions/entity-trigger/azuredeploy.json" | ||
| ], | ||
| "Watchlists": [ | ||
| "Watchlists/ConditionalAccessBenignStatusCodes.json" |
The watchlist path is not consistent with the rest of this solution manifest (which uses paths like Solutions/Microsoft Entra ID/...) while BasePath is set to the repo root. As written, this likely resolves to C:\\GitHub\\Azure-Sentinel\\Watchlists\\... (nonexistent) and will break packaging/validation. Use the repo-root-relative path Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json, or change BasePath to the solution folder and update all other component paths accordingly.
| "Watchlists/ConditionalAccessBenignStatusCodes.json" | |
| "Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json" |
| "BasePath": "C:\\GitHub\\Azure-Sentinel", | ||
| "Version": "3.3.6", |
PR description states the solution version was updated to 3.0.10, but Solution_AAD.json still shows 3.3.6. Please align the PR description with the actual version bump, or update the solution manifest version to match the stated release version.
| { | ||
| "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ConditionalAccessBenignStatusCodes')]", | ||
| "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", | ||
| "kind": "", |
The watchlist ARM resource sets kind to an empty string. This is likely invalid for deployment/validation and can cause the template to fail. Remove the kind property entirely (if not required by the API version) or set it to the correct expected value for a watchlist resource.
| "kind": "", |
| ConditionalAccessStatus == 3 // unknown | ||
| Note: | ||
| This analytic rule is designed to identify potential attempts to bypass Conditional Access policies. Depending on your organization's configuration, some Conditional Access failures may be legitimate and expected. | ||
| It is recommended to review alerts generated by this rule in the context of your organization's Conditional Access policies and adjust the detection threshold as needed to reduce false positives. | ||
| This rule includes an optional filter that leverages a watchlist (ConditionalAccessBenignStatusCodes) to exclude known benign status codes. You can customize this watchlist with status codes that are expected in your environment and do not indicate malicious activity. | ||
| By default, the watchlist-based filtering is commented out to provide full visibility into all relevant events. You may choose to enable this filter by uncommenting the corresponding line in the query to reduce noise from known benign scenarios.' |
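Review bot: the description in this hunk tells analysts to "adjust the detection threshold as needed", but no threshold variable appears in the visible query lines (only `ConditionalAccessStatus == 3 // unknown`); either name the query variable that sets the threshold or drop the phrase. The same text says the watchlist filter is commented out without saying which line to uncomment, so the guidance is not actionable as written; point at the exact line (or the `_GetWatchlist` lookup) so an analyst can enable it without reading the whole query.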
The description field is now very long and ends with a stray apostrophe. Analytic rule templates typically enforce description constraints (e.g., max length / limited sentences), so this may fail repo validation. Please (1) remove the trailing ', and (2) shorten the description to fit the repo’s detection-template requirements (keep it to a few sentences); consider moving the extended tuning guidance into a more concise summary or other appropriate documentation location.
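As an added example (not code from this PR or from the Azure-Sentinel repo), a small pre-commit check in Python for the two mechanical problems raised above: a component path in Solution_AAD.json that does not resolve under BasePath, and a watchlist ARM resource whose kind is an empty string. The manifest, file set and template below are constructed stand-ins mirroring the quoted hunks, and the list of component keys checked is an assumption.

```python
# Constructed stand-in for Solution_AAD.json as committed in this PR (only the
# fields the check needs). BasePath is the repo root, so every component path is
# expected to be repo-root-relative, like the existing Analytic Rules entry.
SOLUTION_MANIFEST = {
    "Analytic Rules": ["Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml"],
    "Watchlists": ["Watchlists/ConditionalAccessBenignStatusCodes.json"],
    "BasePath": "C:\\GitHub\\Azure-Sentinel",
    "Version": "3.3.6",
}

# Constructed set of files present in the checkout, repo-root-relative.
REPO_FILES = {
    "Solutions/Microsoft Entra ID/Analytic Rules/BypassCondAccessRule.yaml",
    "Solutions/Microsoft Entra ID/Watchlists/ConditionalAccessBenignStatusCodes.json",
}

# Constructed stand-in for the resources array of the watchlist ARM template.
WATCHLIST_TEMPLATE = {
    "resources": [{
        "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ConditionalAccessBenignStatusCodes')]",
        "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists",
        "kind": "",
    }]
}

# Assumption: the manifest keys that hold component file lists.
COMPONENT_KEYS = ("Analytic Rules", "Watchlists", "Playbooks", "Workbooks", "Hunting Queries")


def unresolved_paths(manifest, repo_files):
    """Return component paths that do not exist relative to BasePath (the repo root)."""
    missing = []
    for key in COMPONENT_KEYS:
        for rel in manifest.get(key, []):
            # Normalise backslashes so a Windows-style entry compares the same way.
            if rel.replace("\\", "/") not in repo_files:
                missing.append(rel)
    return missing


def empty_kind_resources(template):
    """Return the types of resources that declare 'kind' but leave it empty."""
    return [r["type"] for r in template.get("resources", []) if "kind" in r and not r["kind"]]


if __name__ == "__main__":
    for p in unresolved_paths(SOLUTION_MANIFEST, REPO_FILES):
        print(f"manifest path does not resolve under BasePath: {p}")
    for t in empty_kind_resources(WATCHLIST_TEMPLATE):
        print(f"resource {t} has an empty 'kind'")
```

Run against the real files, the first check should report only the Watchlists entry until it is changed to the Solutions/Microsoft Entra ID/... form, and the second should report nothing once the empty kind is removed or given a real value.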
rahul0216 left a comment
Please address inline comment.
| { | ||
| "name": "[concat(parameters('workspaceName'), '/Microsoft.SecurityInsights/ConditionalAccessBenignStatusCodes')]", | ||
| "type": "Microsoft.OperationalInsights/workspaces/providers/Watchlists", | ||
| "kind": "", |
| ], | ||
| "Watchlists": [ | ||
| "Watchlists/ConditionalAccessBenignStatusCodes.json" | ||
| ], | ||
| "BasePath": "C:\\GitHub\\Azure-Sentinel", | ||
| "Version": "3.3.6", |
This PR updates solution content and adds a new Watchlist, but Solution_AAD.json still has "Version": "3.3.6" while ReleaseNotes.md adds an entry for 3.3.11 and the PR description mentions different versioning. Please align the solution data Version with the version being released/documented in release notes for this change.
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Change(s):
Reason for Change(s):
Version Updated:
- 3.0.10