What Changed
Renamed analytic rule from “BruteForceCloudPC” to “BruteForceAgainstEntraAuthenticatedWindowsDevice” with updated display name and description. No detection logic, thresholds, or KQL queries were modified.
Detection Logic
The KQL logic is unchanged; the YAML diff shows only metadata updates. The rule continues to detect multiple authentication failures followed by a successful authentication within a time window against Windows devices, using SigninLogs data.
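For reviewers who want to see the failures-then-success pattern concretely, the following is an added illustration written for this review; it is not the rule's own KQL and was not taken from the YAML. The failure threshold, the success window, and the device filter (Windows OS with a non-empty trustType on the device record) are assumed values chosen to show the shape of the logic, not the rule's tuned parameters.

```kql
// Illustrative KQL only: failures followed by a success on an Entra-authenticated Windows device.
// Added example, not the analytic rule's actual query. All parameters below are assumed.
let lookback = 1h;
let failureThreshold = 10;   // assumed: minimum failures before a following success is flagged
let successWindow = 10m;     // assumed: a success must occur within this long after the last failure
let windowsSignins = SigninLogs
    | where TimeGenerated > ago(lookback)
    | where tostring(DeviceDetail.operatingSystem) startswith "Windows"
    // Joined devices (Entra-joined, hybrid-joined, Cloud PC) carry a trustType on the device record.
    // Narrow this to the exact trustType strings observed in your tenant once verified.
    | where isnotempty(tostring(DeviceDetail.trustType))
    | extend DeviceId = tostring(DeviceDetail.deviceId),
             DeviceName = tostring(DeviceDetail.displayName);
// Failed sign-ins per user and device; ResultType "0" is success in SigninLogs.
let failures = windowsSignins
    | where ResultType != "0"
    | summarize FailureCount = count(),
                FirstFailure = min(TimeGenerated),
                LastFailure = max(TimeGenerated),
                FailureIPs = make_set(IPAddress, 20),
                FailureCodes = make_set(ResultType, 10)
        by UserPrincipalName, DeviceId, DeviceName
    | where FailureCount >= failureThreshold;
// Successful sign-ins for the same user/device pairs.
let successes = windowsSignins
    | where ResultType == "0"
    | project SuccessTime = TimeGenerated, UserPrincipalName, DeviceId,
              SuccessIP = IPAddress, AppDisplayName;
// Flag a success that lands shortly after the burst of failures.
failures
| join kind=inner (successes) on UserPrincipalName, DeviceId
| where SuccessTime between (LastFailure .. (LastFailure + successWindow))
| project FirstFailure, LastFailure, SuccessTime, UserPrincipalName, DeviceName, DeviceId,
          FailureCount, FailureIPs, FailureCodes, SuccessIP, AppDisplayName
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = SuccessIP
```

The point of the example is the scope question this PR addresses: nothing in the pattern is specific to Cloud PCs, so the device filter is what decides coverage, and the renamed rule's description now matches that. When triaging hits, comparing FailureIPs against SuccessIP is the quickest way to separate a user who eventually typed the right password from a success originating somewhere the failures did not.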
Scope Clarification
The updated name and description now explicitly reflect that this detection covers all Entra-authenticated Windows devices:
- Entra-joined devices
- Hybrid-joined devices
- Windows 365 Cloud PCs
Previous naming suggested Cloud PC exclusivity, creating confusion about detection coverage. This change resolves the ambiguity without altering the underlying detection capability.
Affected Files
Solutions/Microsoft Entra ID/Analytic Rules/BruteForceAgainstanEntraAuthenticatedWindowsDevice.yaml
(packaging artefacts: 3.3.12.zip, ReleaseNotes.md, Solution_AAD.json, createUiDefinition.json, mainTemplate.json)