New NRT Rules Created#4112

Merged
aprakash13 merged 4 commits into master from pebryan/2022-2-7_NRT_Rules
Feb 8, 2022
Conversation

@petebryan
Contributor

Change(s):
Created several new NRT rule templates:

  • Created from existing scheduled detections
  • Some minor changes to support NRT limitations.
  1. AWS Login without MFA
  2. ADFS Trust Modifications
  3. New App or SP Credential
  4. PIM request rejected
  5. User added to privileged group
  6. New ADFS Server
  7. KeyVault Sensitive Operation
  8. Mining Pool Detection (2 detections)
  9. Malicious inbox rules (2 detections)
  10. Security Logs being cleared
  11. B64 Encoded PE files or command lines (2 detections)
  12. MFA rejected by user

The code should have been tested in a Microsoft Sentinel environment that does not have any custom parsers, functions or tables, so that you validate no incorrect syntax and execution functions properly. If your submission requires a custom parser or function, it must be submitted with the PR.

Testing Completed:

  • Yes

Note: If updating a detection, you must update the version field.

After the submission has been made, please look at the Validation Checks.

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

Note: Let us know if you have tried fixing the validation error and need help.

References:


@petebryan petebryan marked this pull request as ready for review February 8, 2022 00:16
Contributor

@aprakash13 aprakash13 left a comment

The queries look great. Thanks @petebryan. A couple of small typos that we can probably fix, and then this would be ready to be merged.

Comment thread Detections/AWSCloudTrail/NRT_AWS_ConsoleLogonWithoutMFA.yaml Outdated
Comment thread Detections/SigninLogs/NRT_MFARejectedbyUser.yaml Outdated
@aprakash13 aprakash13 self-assigned this Feb 8, 2022
@aprakash13 aprakash13 added the Detection Detection specialty review needed label Feb 8, 2022
@petebryan
Contributor Author

Thanks so much @aprakash13! Good spot on those typos, all updated.

Contributor

@aprakash13 aprakash13 left a comment

Thanks Pete.
