From d92ac18e432f262e9c1313a7478af10685ce3152 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Fri, 16 Jun 2023 14:44:37 -0400
Subject: [PATCH 01/27] fixing password spraying detections
---
..._users_failing_to_authenticate_from_ip.yml | 24 +++++++------
...mber_of_failed_authentications_from_ip.yml | 34 ++++++++++---------
2 files changed, 31 insertions(+), 27 deletions(-)
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index 1ccdaa27bd..bb6d43a3a8 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -15,13 +15,15 @@ description: 'The following analytic identifies one source Ip failing to authent Azure AD tenants can be very different depending on the organization. Users should test this detection and customize the arbitrary threshold if needed.' data_source: [] -search: ' `azuread` body.category= SignInLogs body.properties.status.errorCode=50126 - body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* - as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) - as tried_accounts by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' +search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false +| rename properties.* as * +| bucket span=5m _time +| stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress +| where unique_accounts > 30 +| `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through and EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior. 
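Review bot: The continuation lines of the rewritten `search` scalar start at column 0 (`| rename properties.* as *` and the pipes that follow), while the sibling file changed in this same commit indents its continuation lines; YAML implementations differ on whether an unindented continuation inside a single-quoted block-mapping value is accepted, so indent these lines the same way as the other file. I also do not see a `version` bump for this detection anywhere in the series shown, although its search and `required_fields` change here; the `version` line is outside this hunk, so please confirm. The new `how_to_implement` text reads `through and EventHub`; PATCH 02 corrects it, so squashing the two would avoid publishing the typo in an intermediate commit.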
@@ -59,17 +61,17 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.status.errorCode - - body.category - - body.properties.authenticationDetails - - body.properties.userPrincipalName - - body.properties.ipAddress + - properties.status.errorCode + - category + - properties.authenticationDetails + - properties.userPrincipalName + - properties.ipAddress risk_score: 63 security_domain: identity tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: mscs:azure:eventhub sourcetype: mscs:azure:eventhub update_timestamp: true
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index 367676c2a9..1b41270ae7 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -21,16 +21,18 @@ description: 'The following analytic identifies one source Ip failing to authent coverage. A similar analytic following the threshold model is `Azure AD Multiple Users Failing To Authenticate From Ip`.' data_source: [] -search: ' `azuread` body.category=SignInLogs body.properties.status.errorCode=50126 - body.properties.authenticationDetails{}.succeeded= false | rename body.properties.* - as * | bucket span=5m _time | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) - as tried_accounts by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg - , stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) - | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1, - 0) | where isOutlier = 1 | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events in your Splunk environment. +search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false + | rename properties.* as * + | bucket span=5m _time + | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress + | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress + | eval upperBound=(ip_avg+ip_std*3) + | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) + | where isOutlier = 1 + | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through and EventHub. 
Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.
@@ -67,17 +69,17 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.status.errorCode - - body.category - - body.properties.authenticationDetails - - body.properties.userPrincipalName - - body.properties.ipAddress + - properties.status.errorCode + - category + - properties.authenticationDetails + - properties.userPrincipalName + - properties.ipAddress risk_score: 54 security_domain: access tests: - name: True Positive Test attack_data: - - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/azuread/azure-audit.log + - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1110.003/password_spraying_azuread/azuread_signin.log source: mscs:azure:eventhub sourcetype: mscs:azure:eventhub update_timestamp: true
From d159ca453ddb3f25cc38ee0f49b8ea813db2d084 Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Tue, 20 Jun 2023 12:15:20 -0400
Subject: [PATCH 02/27] updating detection
---
..._users_failing_to_authenticate_from_ip.yml | 2 +-
...azure_ad_service_principal_owner_added.yml | 25 +++++++++++--------
...mber_of_failed_authentications_from_ip.yml | 4 +--
3 files changed, 17 insertions(+), 14 deletions(-)
diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
index bb6d43a3a8..a6ec1bd6f9 100644
--- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
+++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml
@@ -23,7 +23,7 @@ search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 proper | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through and EventHub. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.
diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml
index 6983a723ec..8ca29994fd 100644
--- a/detections/cloud/azure_ad_service_principal_owner_added.yml
+++ b/detections/cloud/azure_ad_service_principal_owner_added.yml
@@ -15,15 +15,18 @@ description: The following analytic identifies the addition of a new owner for a and obtain single-factor access to an Azure AD environment. Attackers who are looking to escalate their privileges by leveraging a Service Principals permissions may also add a new owner. data_source: [] -search: ' `azuread` body.operationName="Add owner to application" | rename body.properties.* - as * | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.userPrincipalName - as newOwner | rename targetResources{}.modifiedProperties{}.newValue as displayName - | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner | stats - values(displayName) by _time, initiatedBy, result, body.operationName, newOwner +search: ' `azuread` operationName="Add owner to application" + | rename properties.* as * + | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename targetResources{}.userPrincipalName as newOwner + | rename targetResources{}.modifiedProperties{}.newValue as displayName + | eval displayName = mvindex(displayName,1) + | where initiatedBy!=newOwner + | stats values(displayName) by _time, initiatedBy, result, operationName, newOwner | `azure_ad_service_principal_owner_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Administrator may legitimately add new owners for Service Principals. Filter as needed. 
@@ -54,11 +57,11 @@ tags: - Splunk Cloud required_fields: - _time - - body.operationName - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.modifiedProperties{}.newValue - - body.propertiesresult + - operationName + - properties.initiatedBy.user.userPrincipalName + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.modifiedProperties{}.newValue + - properties.result risk_score: 54 security_domain: audit tests:
diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
index 1b41270ae7..c82b0d584d 100644
--- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml
@@ -1,6 +1,6 @@ name: Azure AD Unusual Number of Failed Authentications From Ip id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d -version: 1 +version: 2 date: '2022-07-11' author: Mauricio Velazco, Splunk status: production
@@ -32,7 +32,7 @@ search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 proper | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through and EventHub. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A source Ip failing to authenticate with multiple users is not a common for legitimate behavior.
From 97a8020619eaa8f3602d66c9cbd336bfce9f6625 Mon Sep 17 00:00:00 2001
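Review bot: `azure_ad_service_principal_owner_added.yml` gets a rewritten search, new `required_fields` and the `body.propertiesresult` → `properties.result` correction in this commit, yet no `version` bump for it is visible, while the sibling `azure_ad_unusual_number_of_failed_authentications_from_ip.yml` hunk just below bumps `version: 1` to `version: 2` for a one-word wording fix. The `version` line of the owner-added detection is outside this hunk, so confirm, but a change to the search and its required fields is the case that warrants the bump the other file receives.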
From: mvelazco
Date: Tue, 20 Jun 2023 12:43:02 -0400
Subject: [PATCH 03/27] updating detection
---
..._ad_global_administrator_role_assigned.yml | 21 ++++++++++---------
1 file changed, 11 insertions(+), 10 deletions(-)
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index 023ece5b98..8f321316b7 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -1,6 +1,6 @@ name: Azure AD Global Administrator Role Assigned id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c -version: 2 +version: 3 date: '2022-08-17' author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk status: production
@@ -14,14 +14,15 @@ description: The following analytic identifies the assignment of the Azure AD Gl to gain control of Azure resources. Adversaries and red teams alike may assign this role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment. data_source: [] -search: '`azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Global - Administrator\"" | rename body.properties.* as * | rename targetResources{}.userPrincipalName - as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName +search: '`azuread` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\"" + | rename properties.* as * + | rename targetResources{}.userPrincipalName as userPrincipalName + | rename initiatedBy.user.userPrincipalName as initiatedBy + | stats values(userPrincipalName) by _time, initiatedBy, result, operationName | `azure_ad_global_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an Event Hub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Administrators may legitimately assign the Global Administrator role to a user. Filter as needed. 
@@ -58,10 +59,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 72 security_domain: threat tests:
From c4facd54be07a71335da4b9012956f6989b8512f Mon Sep 17 00:00:00 2001
From: mvelazco
Date: Tue, 20 Jun 2023 16:16:24 -0400
Subject: [PATCH 04/27] updating detection
---
..._ad_global_administrator_role_assigned.yml | 2 +-
.../azure_ad_service_principal_created.yml | 20 ++++++++++---------
2 files changed, 12 insertions(+), 10 deletions(-)
diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
index 8f321316b7..80a2000f02 100644
--- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml
@@ -22,7 +22,7 @@ search: '`azuread` operationName="Add member to role" properties.targetResource | `azure_ad_global_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment through an Event Hub. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Administrators may legitimately assign the Global Administrator role to a user. Filter as needed.
diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml
index 8a3f05796a..a847649860 100644
--- a/detections/cloud/azure_ad_service_principal_created.yml
+++ b/detections/cloud/azure_ad_service_principal_created.yml
@@ -14,14 +14,16 @@ description: The following analytic identifies the creation of a Service Princip access may create a Service Principal to establish Persistence and obtain single-factor access to an Azure AD environment. data_source: [] -search: '`azuread` "body.operationName"="Add service principal" "body.properties.initiatedBy.user.id"=* - | rename body.properties.* as * | rename targetResources{}.displayName as displayName - | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type - as type | stats values(displayName) by _time, type, initiatedBy, result, body.operationName +search: '`azuread` operationName="Add service principal" properties.initiatedBy.user.id=* + | rename properties.* as * + | rename targetResources{}.displayName as displayName + | rename initiatedBy.user.userPrincipalName as initiatedBy + | rename targetResources{}.type as type + | stats values(displayName) by _time, type, initiatedBy, result, operationName + | `azure_ad_service_principal_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment thorough an EventHub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Administrator may legitimately create Service Principal. Filter as needed.
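Review bot: The new `how_to_implement` line reads `thorough an EventHub`; it should be `through an EventHub`, the wording the rest of this series settles on (the previous file in this same commit is even changed from `Event Hub` to `EventHub` for consistency). None of the later patches shown corrects this one. This file's `version` line is outside the hunk; since the search is rewritten here, check that it was bumped the way the global-administrator detection was in PATCH 03.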
@@ -55,10 +57,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.displayName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.displayName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 45 security_domain: threat tests:
From 3ae03bf887cbba5e647c5c45428e454af8fec908 Mon Sep 17 00:00:00 2001
From: Gowthamaraj rajendran
Date: Wed, 28 Jun 2023 15:57:43 -0700
Subject: [PATCH 05/27] update T1098.003/azure_ad_assign_privileged_role/azure-audit.log
Update SPL due to Log syntax change
---
...re_ad_application_administrator_role_assigned.yml | 12 ++++++------
...ed_authentication_administrator_role_assigned.yml | 12 ++++++------
.../cloud/azure_ad_privileged_role_assigned.yml | 10 +++++-----
3 files changed, 17 insertions(+), 17 deletions(-)
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index bc539356c0..c07620fdc2 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -12,8 +12,8 @@ description: The following analytic identifies the assignment of the Application been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" - | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
@@ -57,10 +57,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 35 security_domain: endpoint tests:
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index a970d1aae4..412cab40c2 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
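Review bot: After the rewritten `| rename properties.* as *`, the unchanged context line `| stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName` still groups on `body.operationName`, a field that does not exist in the event shape the new first line matches on (`"operationName"="Add member to role"`); `stats ... by` discards events lacking a by-field, so at this commit the detection returns nothing. The by-clause should read `| stats values(userPrincipalName) by _time, initiatedBy, result, operationName`. The same leftover is in the `azure_ad_privileged_authentication_administrator_role_assigned.yml` hunk of this commit, and in `azure_ad_privileged_role_assigned.yml` just past its visible hunk. PATCH 06 in this series makes exactly that fix ("missing an edit"), so the two commits should be squashed rather than leaving an intermediate state where the three detections are silent.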
@@ -10,8 +10,8 @@ description: The following analytic identifies the assignment of the Privileged methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" - | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName
@@ -51,10 +51,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 50 security_domain: identity tests:
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index 587b9b1738..ce6fe17565 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -10,7 +10,7 @@ description: The following analytic identifies the assignment of sensitive and p may assign these roles to a compromised account to establish Persistence in an Azure AD environment. data_source: [] -search: ' `azuread` "body.operationName"="Add member to role" | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles
@@ -58,10 +58,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 63 security_domain: audit tests:
From fe159f03aff7a3295c3766535cc00f5d04b2a7fe Mon Sep 17 00:00:00 2001
From: Gowthamaraj rajendran
Date: Thu, 29 Jun 2023 12:57:55 -0700
Subject: [PATCH 06/27] Update 3 detections require update because of missing an edit
---
.../cloud/azure_ad_application_administrator_role_assigned.yml | 2 +-
...ad_privileged_authentication_administrator_role_assigned.yml | 2 +-
detections/cloud/azure_ad_privileged_role_assigned.yml | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
index c07620fdc2..f10f795387 100644
--- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml
@@ -16,7 +16,7 @@ search: ' `azuread` "operationName"="Add member to role" "properties.targetReso | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName + | stats values(userPrincipalName) by _time, initiatedBy, result, operationName | `azure_ad_application_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index 412cab40c2..ad76c6c59b 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -14,7 +14,7 @@ search: ' `azuread` "operationName"="Add member to role" "properties.targetReso | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName + | stats values(userPrincipalName) by _time, initiatedBy, result, operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml
index ce6fe17565..24107ade82 100644
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_role_assigned.yml
@@ -17,7 +17,7 @@ search: ' `azuread` "operationName"="Add member to role" | rename properties.* | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True - | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName, role, description + | stats values(userPrincipalName) by _time, initiatedBy, result, operationName, role, description | `azure_ad_privileged_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
From dd4ab337c5501cca3d8dd2fa5324d884c5b97708 Mon Sep 17 00:00:00 2001
From: Gowthamaraj rajendran
Date: Tue, 11 Jul 2023 14:02:34 -0700
Subject: [PATCH 07/27] Update the detection "Azure AD Multi-Factor Authentication Disabled"
Detection ID: 482dd42a-acfa-486b-a0bb-d6fcda27318e
---
...ure_ad_multi_factor_authentication_disabled.yml | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
index e54662ba1c..03508a6506 100644
--- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
+++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml
@@ -11,10 +11,10 @@ description: The following analytic identifies an attempt to disable multi-facto and maintain persistence using a valid account. This way the attackers can keep persistance in the environment without adding new users. data_source: [] -search: '`azuread` body.category=AuditLogs body.operationName="Disable Strong Authentication" - | rename body.properties.* as * | rename targetResources{}.userPrincipalName as +search: '`azuread` category=AuditLogs operationName="Disable Strong Authentication" + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName - as initiatedBy | stats values(userPrincipalName) by _time, type, body.operationName, + as initiatedBy | stats values(userPrincipalName) by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -54,10 +54,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 45 security_domain: identity tests:
From 4b30b0644660d238bb78e48bdbfc02ecfd102ceb Mon Sep 17 00:00:00 2001
From: Gowthamaraj rajendran
Date: Wed, 12 Jul 2023 19:24:50 -0700
Subject: [PATCH 08/27] Update detections/cloud/azure_ad_external_guest_user_invited.yml
---
.../cloud/azure_ad_external_guest_user_invited.yml | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml
index 66e18c7f95..79e369a769 100644
--- a/detections/cloud/azure_ad_external_guest_user_invited.yml
+++ b/detections/cloud/azure_ad_external_guest_user_invited.yml
@@ -13,10 +13,10 @@ description: The following analytic identifies the invitation of an external gue 2022 by security researcher Dirk-Jan during his tall `Backdooring and Hijacking Azure AD Accounts by Abusing External Identities` data_source: [] -search: '`azuread` "body.operationName"="Invite external user" | rename body.properties.* +search: '`azuread` "operationName"="Invite external user" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type - as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, body.operationName + as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, operationName | `azure_ad_external_guest_user_invited_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
@@ -53,10 +53,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 45 security_domain: threat tests:
From d517dc5df786452ae40f870a9654f8dc66d0ff98 Mon Sep 17 00:00:00 2001
From: Gowthamaraj rajendran
Date: Mon, 24 Jul 2023 08:25:27 -0700
Subject: [PATCH 09/27] Update detections/cloud/azure_ad_user_enabled_and_password_reset.yml
---
...zure_ad_user_enabled_and_password_reset.yml | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
index ee5ece7b03..9bfb5519be 100644
--- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
+++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml
@@ -10,12 +10,12 @@ description: The following analytic identifies an Azure AD user enabling a previ represent an adversary who has obtained administrative access and is trying to establish a backdoor identity within an Azure AD tenant. data_source: [] -search: ' `azuread` (body.operationName="Enable account" OR body.operationName="Reset - password (by admin)" OR body.operationName="Update user") | transaction body.properties.targetResources{}.userPrincipalName - startsWith=(body.operationName="Enable account") endsWith=(body.operationName="Reset - password (by admin)") maxspan=2m | rename body.properties.* as * | rename targetResources{}.userPrincipalName +search: ' `azuread` (operationName="Enable account" OR operationName="Reset password (by admin)" + OR operationName="Update user") | transaction properties.targetResources{}.userPrincipalName + startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(body.operationName) values(initiatedBy) by _time, userPrincipalName, + | stats values(operationName) values(initiatedBy) by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). @@ -50,10 +50,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.operationName - - body.properties.targetResources{}.userPrincipalName - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - operationName + - properties.targetResources{}.userPrincipalName + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 45 security_domain: identity tests: 
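Review bot: The `transaction ... maxspan=2m` window on the new search is the only thing tying the enable and reset events together, so an operator who waits more than two minutes between the two operations is never correlated; given the description frames this as a deliberate backdoor identity, either widen the span or state the limitation in known_false_positives. The `endsWith=(operationName="Reset password (by admin)")` boundary also does not require `result=success`, so a denied reset still closes the transaction and alerts — fine if intended, but say so. `Update user` events are pulled in by the initial OR yet never serve as a transaction boundary; if they are not needed for the grouping, dropping them from `(operationName="Enable account" OR operationName="Reset password (by admin)")` narrows the scan.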
From d35835cb852a86c8013573213605c67ff9a60c1f Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 24 Jul 2023 09:56:42 -0700 Subject: [PATCH 10/27] update datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure_ad_service_principal_credentials.yml --- ..._service_principal_new_client_credentials.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index b8342f6141..a75309ee04 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml @@ -16,8 +16,8 @@ description: The following analytic identifies the addition of new credentials f with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and logging in as the service principal. data_source: [] -search: ' `azuread` body.category=AuditLogs body.operationName="Update application*Certificates - and secrets management " | rename body.* as * | rename properties.* as * | rename +search: ' `azuread` category=AuditLogs operationName="Update application*Certificates + and secrets management " | rename * as * | rename properties.* as * | rename targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft @@ -40,7 +40,7 @@ tags: asset_type: Azure Active Directory confidence: 50 impact: 70 - message: New credentials added for Service Principal $body.properties.targetResources{}.displayName$ + message: New credentials added for Service Principal $properties.targetResources{}.displayName$ mitre_attack_id: - T1098 - T1098.001 
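Review bot: `| rename * as *` on the new search line is a no-op left behind by the mechanical `body.*` → `*` replacement and should be deleted, so the pipeline reads `... management " | rename properties.* as * | rename targetResources{}.* as * | stats ...`. The risk message in the second hunk still references `$properties.targetResources{}.displayName$`, but after those renames and `stats values(displayName) by ...` no such field exists in the result row, so the token will not substitute; alias the aggregate (`values(displayName) as displayName`) and use `$displayName$`. The quoted operationName `"Update application*Certificates and secrets management "` keeps a trailing space inside the quotes — pre-existing, but worth confirming it matches the real audit-log value rather than relying on the wildcard.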
@@ -59,11 +59,11 @@ tags: - Splunk Cloud required_fields: - _time - - body.category - - body.operationName - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.targetResources{}.displayName - - body.properties.targetResources{}.modifiedProperties{}.newValue + - category + - operationName + - properties.initiatedBy.user.userPrincipalName + - properties.targetResources{}.displayName + - properties.targetResources{}.modifiedProperties{}.newValue risk_score: 35 security_domain: threat tests: From 6cc67285b1703c07d6b30123739f30ad72da02c6 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Wed, 26 Jul 2023 07:03:16 -0700 Subject: [PATCH 11/27] Update 2 detections 1. Azure AD New Custom Domain Added 2. Azure AD New Federated Domain Added --- .../cloud/azure_ad_new_custom_domain_added.yml | 16 ++++++++-------- .../azure_ad_new_federated_domain_added.yml | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml index 3846b77241..996c408103 100644 --- a/detections/cloud/azure_ad_new_custom_domain_added.yml +++ b/detections/cloud/azure_ad_new_custom_domain_added.yml 
@@ -19,10 +19,10 @@ description: The following analytic identifies the addition of a new custom doma persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. data_source: [] -search: ' `azuread` body.operationName="Add unverified domain" "body.properties.result"=success - | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress +search: ' `azuread` operationName="Add unverified domain" "properties.result"=success + | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName - as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, + as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_custom_domain_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). @@ -58,11 +58,11 @@ tags: - Splunk Cloud required_fields: - _time - - body.operationName - - body.properties.result - - body.callerIpAddress - - body.properties.targetResources{}.displayName - - body.properties.initiatedBy.user.userPrincipalName + - operationName + - properties.result + - callerIpAddress + - properties.targetResources{}.displayName + - properties.initiatedBy.user.userPrincipalName risk_score: 54 security_domain: threat tests: diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml index 97374a53f5..76eeeb2420 100644 --- a/detections/cloud/azure_ad_new_federated_domain_added.yml +++ b/detections/cloud/azure_ad_new_federated_domain_added.yml 
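Review bot: `| rename callerIpAddress as callerIpAddress` in the new search is a no-op (the old `body.callerIpAddress as callerIpAddress` rename was needed, its replacement is not) and should simply be removed. The following `stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress` also drops any event where `initiatedBy.user.userPrincipalName` is null, because a null group-by field excludes the event from `stats`; domains added via an app or service principal (those events populate `initiatedBy.app`, if I recall the schema correctly) would not alert. A `| fillnull value=unknown initiatedBy` before the stats avoids losing them.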
@@ -19,10 +19,10 @@ description: The following analytic identifies the addition of a new federated d persistence and be able to authenticate to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. data_source: [] -search: ' `azuread` body.operationName="Set domain authentication" "body.properties.result"=success - | rename body.properties.* as * | rename body.callerIpAddress as callerIpAddress +search: ' `azuread` operationName="Set domain authentication" "properties.result"=success + | rename properties.* as * | rename callerIpAddress as callerIpAddress | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.displayName - as domain | stats values(domain) by _time, initiatedBy, result, body.operationName, + as domain | stats values(domain) by _time, initiatedBy, result, operationName, callerIpAddress | `azure_ad_new_federated_domain_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). @@ -57,11 +57,11 @@ tags: - Splunk Cloud required_fields: - _time - - body.operationName - - body.properties.result - - body.callerIpAddress - - body.properties.targetResources{}.displayName - - body.properties.initiatedBy.user.userPrincipalName + - operationName + - properties.result + - callerIpAddress + - properties.targetResources{}.displayName + - properties.initiatedBy.user.userPrincipalName risk_score: 81 security_domain: threat tests: From 0ae61f386526fcd82873923529fc96f1b71d9be6 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 27 Jul 2023 09:03:54 -0700 Subject: [PATCH 12/27] Update detections/cloud/azure_ad_successful_single_factor_authentication.yml --- ...successful_single_factor_authentication.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) 
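Review bot: The new search carries the same leftover no-op `| rename callerIpAddress as callerIpAddress`; drop it. For a risk_score-81 detection, the `stats ... by _time, initiatedBy, result, operationName, callerIpAddress` grouping deserves a `| fillnull value=unknown initiatedBy` first, otherwise an event without `initiatedBy.user.userPrincipalName` is silently excluded from the results instead of surfaced. Also note `"Set domain authentication"` fires on any authentication-type change, so a federated→managed reversion alerts as a "new federated domain"; if the event's `modifiedProperties` records the new value (verify against a sample), filtering on it would tighten this.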
diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index d5bf586fc3..7833acc1d8 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml @@ -10,8 +10,8 @@ description: The following analytic identifies a successful authentication event This could be evidence of a missconfiguration, a policy violation or an account take over attempt that should be investigated data_source: [] -search: ' `azuread` body.category=SignInLogs body.properties.authenticationRequirement=singleFactorAuthentication - body.properties.authenticationDetails{}.succeeded=true | rename body.properties.* +search: ' `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication + properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 50 - message: Successful authentication for user $body.properties.userPrincipalName$ + message: Successful authentication for user $properties.userPrincipalName$ without MFA mitre_attack_id: - T1586 @@ -52,12 +52,12 @@ tags: - Splunk Cloud required_fields: - _time - - body.category - - body.properties.authenticationRequirement - - body.properties.authenticationDetails - - body.properties.userPrincipalName - - body.properties.ipAddress - - body.properties.appDisplayName + - category + - properties.authenticationRequirement + - properties.authenticationDetails + - properties.userPrincipalName + - properties.ipAddress + - properties.appDisplayName risk_score: 45 security_domain: identity tests: 
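Review bot: The updated message `Successful authentication for user $properties.userPrincipalName$ without MFA` references a field that no longer exists once the search has run `rename properties.* as *` and then `stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement`, so the token will render literally. Alias the aggregate — `stats values(userPrincipalName) as userPrincipalName by ...` — and use `$userPrincipalName$`. Separately, `properties.authenticationDetails{}.succeeded=true` matches if any element of that multivalue array succeeded, which is not necessarily the overall sign-in outcome; `properties.status.errorCode=0` is the more direct test for a completed sign-in, if sample events confirm the add-on populates it.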
From 38698912d77803e0430b81f3de63f5d164bcde97 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 27 Jul 2023 09:32:32 -0700 Subject: [PATCH 13/27] Update detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml --- ...entication_failed_during_mfa_challenge.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index 072f2fcaeb..0dfa4401ff 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml @@ -11,8 +11,8 @@ description: 'The following analytic identifies an authentication attempt event This behavior may represent an adversary trying to authenticate with compromised credentials for an account that has multi-factor authentication enabled. ' data_source: [] -search: ' `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 - | rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, +search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 + | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: User $body.properties.userPrincipalName$ failed to pass MFA challenge + message: User $properties.userPrincipalName$ failed to pass MFA challenge mitre_attack_id: - T1586 - T1586.003 
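Review bot: The message `User $properties.userPrincipalName$ failed to pass MFA challenge` cannot resolve: after `rename properties.* as *` and `stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent` there is no `properties.userPrincipalName` in the result row. Use `values(userPrincipalName) as userPrincipalName` in the stats and `$userPrincipalName$` in the message. Grouping by `status.additionalDetails` and `userAgent` without a `fillnull` will also drop any 500121 event where either field is empty, so confirm every such event carries both or add `| fillnull value=unknown status.additionalDetails userAgent`.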
@@ -52,13 +52,13 @@ tags: - Splunk Cloud required_fields: - _time - - body.category - - body.properties.status.errorCode - - body.properties.userPrincipalName - - body.properties.ipAddress - - body.properties.status.additionalDetails - - body.properties.appDisplayName - - body.properties.userAgent + - category + - properties.status.errorCode + - properties.userPrincipalName + - properties.ipAddress + - properties.status.additionalDetails + - properties.appDisplayName + - properties.userAgent risk_score: 54 security_domain: identity tests: From 79935e6668c1a9ae363a9d59056479271689d78f Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 31 Jul 2023 14:30:48 -0700 Subject: [PATCH 14/27] Update detections/cloud/azure_ad_successful_powershell_authentication.yml --- ...ad_successful_powershell_authentication.yml | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index eced18c064..cf59eff3fb 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml 
@@ -11,8 +11,8 @@ description: The following analytic identifies a successful authentication event and red teams alike will perform enumeration and discovery techniques. One method of executing these techniques is leveraging the native PowerShell modules. data_source: [] -search: ' `azuread` body.category=SignInLogs body.properties.authenticationDetails{}.succeeded=true - body.properties.appDisplayName="Azure Active Directory PowerShell" | rename body.properties.* +search: ' `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true + properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft @@ -32,7 +32,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Successful authentication for user $body.properties.userPrincipalName$ + message: Successful authentication for user $properties.userPrincipalName$ using PowerShell. mitre_attack_id: - T1586 @@ -54,12 +54,12 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.appDisplayName - - body.category - - body.properties.userPrincipalName - - body.properties.ipAddress - - body.properties.appDisplayName - - body.properties.userAgent + - properties.appDisplayName + - category + - properties.userPrincipalName + - properties.ipAddress + - properties.appDisplayName + - properties.userAgent risk_score: 54 security_domain: identity tests: From 4dbbfbaf7cddea42850971ee2908e5e6fe71427d Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Mon, 31 Jul 2023 15:18:14 -0700 Subject: [PATCH 15/27] Update detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml --- ..._ad_multiple_failed_mfa_requests_for_user.yml | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) 
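Review bot: Changing the filter from `appDisplayName="Azure Active Directory PowerShell"` to `"Microsoft Azure PowerShell"` swaps one first-party client for a different one rather than fixing a field path: sign-ins from the app the old value named (as far as I know, the AzureAD/MSOnline module) will no longer match, while Az-module sign-ins now will. If both are in scope for the description's "native PowerShell modules", use `properties.appDisplayName IN ("Azure Active Directory PowerShell", "Microsoft Azure PowerShell")` and mention both in known_false_positives. On the new side `properties.appDisplayName` is also listed twice in `required_fields`, and the message token `$properties.userPrincipalName$` does not exist after the rename and `stats values(userPrincipalName) by ...`.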
diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 02cf5f305b..8acbfec62f 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -18,8 +18,8 @@ description: The following analytic identifies multiple failed multi-factor auth this technique to bypass multi-factor authentication controls as reported by Mandiant and others. data_source: [] -search: ' `azuread` body.category=SignInLogs body.properties.status.errorCode=500121 - | rename body.properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts +search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 + | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft @@ -40,7 +40,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Multiple Failed MFA requests for user $body.properties.userPrincipalName$ + message: Multiple Failed MFA requests for user $properties.userPrincipalName$ mitre_attack_id: - T1586 - T1586.003 @@ -62,11 +62,11 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.status.errorCode - - body.category - - body.properties.authenticationDetails - - body.properties.userPrincipalName - - body.properties.ipAddress + - properties.status.errorCode + - category + - properties.authenticationDetails + - properties.userPrincipalName + - properties.ipAddress risk_score: 54 security_domain: identity tests: From 8f69530eb08d5d976d197121f588cad44a895f95 Mon Sep 17 00:00:00 2001 
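Review bot: The new `required_fields` list (`properties.status.errorCode`, `category`, `properties.authenticationDetails`, `properties.userPrincipalName`, `properties.ipAddress`) does not match the search: `authenticationDetails` and `ipAddress` are never referenced, while `status.additionalDetails`, `appDisplayName` and `userAgent`, which the `stats ... by` clause depends on, are missing. The message token `$properties.userPrincipalName$` will also not substitute; since `userPrincipalName` is already a group-by field here, `$userPrincipalName$` is enough. `dc(_raw) AS mfa_prompts` is a roundabout `count` — pre-existing context, but worth simplifying while the line is being touched.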
From: Gowthamaraj rajendran
Date: Tue, 1 Aug 2023 11:10:55 -0700
Subject: [PATCH 16/27] Update detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
---
 .../cloud/azure_ad_user_immutableid_attribute_updated.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
index f40a84d063..6bbca6f0f5 100644
--- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
+++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml
@@ -20,12 +20,12 @@ description: The following analytic identifies the modification of the SourceAnc to Azure AD impersonating any user and bypassing the requirement to have a valid password and/or perform MFA. data_source: [] -search: ' `azuread` body.operationName="Update user" body.properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor - | rename body.properties.* as * | rename targetResources{}.userPrincipalName as +search: ' `azuread` operationName="Update user" properties.targetResources{}.modifiedProperties{}.displayName=SourceAnchor + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename - body.callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue + callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue as modifiedProperties | stats values(userPrincipalName) values(modifiedProperties) - by _time, initiatedBy, callerIpAddress, result, body.operationName | `azure_ad_user_immutableid_attribute_updated_filter`' + by _time, initiatedBy, callerIpAddress, result, operationName | `azure_ad_user_immutableid_attribute_updated_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment. From e89fbc49fc34e356aa1ad06d76c3d4b38c99bb8c Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 3 Aug 2023 09:54:39 -0700 Subject: [PATCH 17/27] Update detections/cloud/azure_active_directory_high_risk_sign_in.yml --- ...ure_active_directory_high_risk_sign_in.yml | 20 +++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) 
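Review bot: `| rename callerIpAddress as callerIpAddress` on the new side is a leftover no-op from the `body.` prefix removal and should be dropped. The `stats ... by _time, initiatedBy, callerIpAddress, result, operationName` will exclude any `Update user` event whose `initiatedBy.user.userPrincipalName` or `callerIpAddress` is null, since Splunk drops events with a null group-by field; for an attribute that, per the description, lets an attacker impersonate any user, that is a gap worth closing with `| fillnull value=unknown initiatedBy callerIpAddress` before the stats. The search also does not restrict on `result`, so failed SourceAnchor updates alert at the same score as successful ones — acceptable, but state it in known_false_positives.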
diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index cda906ecfd..133dafb73b 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -10,8 +10,8 @@ description: The following analytic triggers on a high risk sign-in against Azur sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low. data_source: [] -search: ' `azuread` body.category=UserRiskEvents body.properties.riskLevel=high | - rename body.properties.* as * | stats values(userPrincipalName) by _time, ipAddress, +search: ' `azuread` category=UserRiskEvents properties.riskLevel=high | + rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). @@ -31,7 +31,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: A high risk event was identified by Identify Protection for user $body.properties.userPrincipalName$ + message: A high risk event was identified by Identify Protection for user $properties.userPrincipalName$ mitre_attack_id: - T1586 - T1586.003 
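Review bot: The touched message line still reads `identified by Identify Protection`; the product is Identity Protection, so fix the typo while the line is being rewritten, and replace `$properties.userPrincipalName$` with a field that survives `stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo` (alias it `values(userPrincipalName) as userPrincipalName` and use `$userPrincipalName$`). Note also that the search keys on `category=UserRiskEvents`, i.e. user-level risk detections, whereas the title and description speak of a high-risk sign-in; if sign-in-level risk is what is wanted, the SignInLogs risk fields would be the place to look — confirm against what the add-on actually emits before changing it.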
@@ -52,13 +52,13 @@ tags: - Splunk Cloud required_fields: - _time - - body.category - - body.properties.riskLevel - - body.properties.userPrincipalName - - body.properties.ipAddress - - body.properties.activity - - body.properties.riskEventType - - body.properties.additionalInfo + - category + - properties.riskLevel + - properties.userPrincipalName + - properties.ipAddress + - properties.activity + - properties.riskEventType + - properties.additionalInfo risk_score: 54 security_domain: identity tests: From 95f96a241b0e5d8e5883463c35429799186f216a Mon Sep 17 00:00:00 2001 From: mvelazco Date: Thu, 3 Aug 2023 16:36:36 -0400 Subject: [PATCH 18/27] updating descriptions --- .../cloud/azure_active_directory_high_risk_sign_in.yml | 7 +++---- ...azure_ad_authentication_failed_during_mfa_challenge.yml | 6 +++--- .../azure_ad_concurrent_sessions_from_different_ips.yml | 2 +- ...e_ad_high_number_of_failed_authentications_for_user.yml | 2 +- ...re_ad_high_number_of_failed_authentications_from_ip.yml | 2 +- .../azure_ad_multi_factor_authentication_disabled.yml | 4 ++-- .../azure_ad_multiple_failed_mfa_requests_for_user.yml | 2 +- .../cloud/azure_ad_new_mfa_method_registered_for_user.yml | 2 +- ...ure_ad_successful_authentication_from_different_ips.yml | 2 +- .../azure_ad_successful_powershell_authentication.yml | 6 +++--- .../azure_ad_successful_single_factor_authentication.yml | 6 +++--- 11 files changed, 20 insertions(+), 21 deletions(-) diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index 133dafb73b..989346b330 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml 
@@ -13,10 +13,9 @@ data_source: [] search: ' `azuread` category=UserRiskEvents properties.riskLevel=high | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. - You must be ingesting Azure Active Directory events in your Splunk environment. +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category. known_false_positives: Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index 0dfa4401ff..fbbcb20d67 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml 
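Review bot: The new how_to_implement text says the analytic "leverages the RiskyUsers and UserRiskEvents log category", but the search directly above filters only `category=UserRiskEvents`, so RiskyUsers events can never match. Either drop RiskyUsers from the sentence or extend the filter to `category IN (UserRiskEvents, RiskyUsers)` — the latter only if RiskyUsers records carry the same `riskLevel`/`userPrincipalName` fields, which should be checked first. Minor: the Microsoft product name is two words, so "through an Event Hub" reads better than "through an EventHub".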
@@ -14,9 +14,9 @@ data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events in your Splunk environment. +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: Legitimate users may miss to reply the MFA challenge within the time window or deny it by mistake. diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml index 1b89d3b70a..a33c0cf6ce 100644 --- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml 
@@ -18,7 +18,7 @@ search: ' `azuread` properties.authenticationDetails{}.succeeded=true category=N > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml index c05ecdd09f..4ef53ba617 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_for_user.yml @@ -15,7 +15,7 @@ search: ' `azuread` category= SignInLogs properties.status.errorCode=50126 prope by userPrincipalName, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. 
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml index 07d9f78714..c4f4429b0f 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml @@ -16,7 +16,7 @@ search: ' `azuread` category= SignInLogs properties.status.errorCode=50126 prope values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: An Ip address with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application. diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index 03508a6506..48213a8417 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml 
@@ -17,8 +17,8 @@ search: '`azuread` category=AuditLogs operationName="Disable Strong Authenticati as initiatedBy | stats values(userPrincipalName) by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Legitimate use case may require for users to disable MFA. Filter as needed. diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 8acbfec62f..92501f771f 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -24,7 +24,7 @@ search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: Multiple Failed MFA requests may also be a sign of authentication or application issues. Filter as needed. 
diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml index 36e01e7529..d1dcd62546 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml @@ -15,7 +15,7 @@ search: ' `azuread` category=AuditLogs operationName="User registered security i | `azure_ad_new_mfa_method_registered_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the AuditLogs log category. known_false_positives: Newly onboarded users who are registering an MFA method for the first time will also trigger this detection. diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml index 7d40fb06ef..e6aca80229 100644 --- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml +++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml 
@@ -18,7 +18,7 @@ search: ' `azuread` properties.authenticationDetails{}.succeeded=true category=S > 1 | `azure_ad_successful_authentication_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events into your Splunk environment. + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index cf59eff3fb..6c7825f623 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml 
@@ -15,9 +15,9 @@ search: ' `azuread` category=SignInLogs properties.authenticationDetails{}.succe properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events in your Splunk environment. +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: Administrative users will likely use PowerShell commandlets to troubleshoot and maintain the environment. Filter as needed. diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index 7833acc1d8..e3008fc792 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml 
@@ -14,9 +14,9 @@ search: ' `azuread` category=SignInLogs properties.authenticationRequirement=si properties.authenticationDetails{}.succeeded=true | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' -how_to_implement: You must install the latest version of Splunk Add-on for Microsoft - Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). - You must be ingesting Azure Active Directory events in your Splunk environment. +how_to_implement: You must install the latest version of Splunk Add-on for Microsoft + Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). + You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the SignInLogs log category. known_false_positives: Although not recommended, certain users may be required without multi-factor authentication. Filter as needed From 47fbcfd21b7b441a7b386902f00f49ce43cb0bf3 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Thu, 17 Aug 2023 14:46:46 -0400 Subject: [PATCH 19/27] update message --- detections/cloud/azure_active_directory_high_risk_sign_in.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index 989346b330..bc45b8512c 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: A high risk event was identified by Identify Protection for user $properties.userPrincipalName$ + message: A high risk event was identified by Identify Protection for user $userPrincipalName$ mitre_attack_id: - T1586 - T1586.003 
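Review bot: The rewritten message line still reads `Identify Protection`; the Azure AD feature that produces UserRiskEvents is Identity Protection, so the notable text should be `message: A high risk event was identified by Identity Protection for user $userPrincipalName$`. The `$userPrincipalName$` token only resolves when the search emits a field with exactly that name, and in SPL `stats values(userPrincipalName)` without an `as` alias yields a column called `values(userPrincipalName)`, so this message change depends on the search aliasing that aggregate (the following patch in this series appears to do that). The search for this file is outside the hunk.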
From 7ff518faa44d0e82568928a0f5424381b350ebd7 Mon Sep 17 00:00:00 2001 From: mvelazco Date: Thu, 17 Aug 2023 14:48:25 -0400 Subject: [PATCH 20/27] update query --- detections/cloud/azure_active_directory_high_risk_sign_in.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index bc45b8512c..afefd2b5c5 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -11,7 +11,7 @@ description: The following analytic triggers on a high risk sign-in against Azur events and categorizes them in three categories high, medium and low. data_source: [] search: ' `azuread` category=UserRiskEvents properties.riskLevel=high | - rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, + rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, activity, riskLevel, riskEventType, additionalInfo | `azure_active_directory_high_risk_sign_in_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). From f6047aca62826950d1eb80d572f45488f266bab5 Mon Sep 17 00:00:00 2001 
From: mvelazco Date: Thu, 17 Aug 2023 14:54:29 -0400 Subject: [PATCH 21/27] fixing issues --- detections/cloud/aws_new_mfa_method_registered_for_user.yml | 2 +- .../azure_ad_authentication_failed_during_mfa_challenge.yml | 4 ++-- .../cloud/azure_ad_multi_factor_authentication_disabled.yml | 2 +- .../cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml | 4 ++-- ...zure_ad_multiple_users_failing_to_authenticate_from_ip.yml | 2 +- .../cloud/azure_ad_successful_powershell_authentication.yml | 4 ++-- .../azure_ad_successful_single_factor_authentication.yml | 4 ++-- ...re_ad_unusual_number_of_failed_authentications_from_ip.yml | 2 +- 8 files changed, 12 insertions(+), 12 deletions(-) diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 7884cc68c0..a8460b48af 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 80 impact: 80 - message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ + message: A new virtual device $virtualMFADeviceName$ is added to user $user_arn$ mitre_attack_id: - T1556 - T1556.006 diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index fbbcb20d67..1697693bec 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml 
@@ -12,7 +12,7 @@ description: 'The following analytic identifies an authentication attempt event credentials for an account that has multi-factor authentication enabled. ' data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 - | rename properties.* as * | stats values(userPrincipalName) by _time, ipAddress, + | rename properties.* as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, status.additionalDetails, appDisplayName, userAgent | `azure_ad_authentication_failed_during_mfa_challenge_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: User $properties.userPrincipalName$ failed to pass MFA challenge + message: User $userPrincipalName$ failed to pass MFA challenge mitre_attack_id: - T1586 - T1586.003 diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index 48213a8417..d2fa1dda76 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml 
@@ -14,7 +14,7 @@ data_source: [] search: '`azuread` category=AuditLogs operationName="Disable Strong Authentication" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename targetResources{}.type as type | rename initiatedBy.user.userPrincipalName - as initiatedBy | stats values(userPrincipalName) by _time, type, operationName, + as initiatedBy | stats values(userPrincipalName) as userPrincipalName by _time, type, operationName, initiatedBy, result | `azure_ad_multi_factor_authentication_disabled_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 92501f771f..26a830da92 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -20,7 +20,7 @@ description: The following analytic identifies multiple failed multi-factor auth data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts - values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, + values(userPrincipalName) as userPrincipalName by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
@@ -40,7 +40,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Multiple Failed MFA requests for user $properties.userPrincipalName$ + message: Multiple Failed MFA requests for user $userPrincipalName$ mitre_attack_id: - T1586 - T1586.003 diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index a6ec1bd6f9..1adbbf19e4 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml @@ -38,7 +38,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 70 - message: Source Ip $body.properties.ipAddress$ failed to authenticate with 30 users + message: Source Ip $ipAddress$ failed to authenticate with 30 users within 5 minutes. mitre_attack_id: - T1586 diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index 6c7825f623..c7d4cb67ee 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml +++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml @@ -13,7 +13,7 @@ description: The following analytic identifies a successful authentication event data_source: [] search: ' `azuread` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell" | rename properties.* - as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, userAgent + as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, userAgent | `azure_ad_successful_powershell_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). 
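Review bot: The new message for azure_ad_multiple_users_failing_to_authenticate_from_ip hard-codes `30 users`, but the search only establishes that the distinct-account count exceeded its threshold, so the notable understates the actual spread of the spray and the text will silently drift if the threshold is tuned. The count is already computed by the search's `dc()` aggregate on the principal name; if that field is still named `unique_accounts`, prefer `message: Source Ip $ipAddress$ failed to authenticate with $unique_accounts$ users within 5 minutes.` so the notable carries the observed number. The search for this file is outside the hunk.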
@@ -32,7 +32,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Successful authentication for user $properties.userPrincipalName$ + message: Successful authentication for user $userPrincipalName$ using PowerShell. mitre_attack_id: - T1586 diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index e3008fc792..2b038eeedc 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml @@ -12,7 +12,7 @@ description: The following analytic identifies a successful authentication event data_source: [] search: ' `azuread` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true | rename properties.* - as * | stats values(userPrincipalName) by _time, ipAddress, appDisplayName, authenticationRequirement + as * | stats values(userPrincipalName) as userPrincipalName by _time, ipAddress, appDisplayName, authenticationRequirement | `azure_ad_successful_single_factor_authentication_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). @@ -30,7 +30,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 50 - message: Successful authentication for user $properties.userPrincipalName$ + message: Successful authentication for user $userPrincipalName$ without MFA mitre_attack_id: - T1586 diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index c82b0d584d..cdbbad4cdf 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml 
+++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml @@ -47,7 +47,7 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 60 - message: Possible Password Spraying attack against Azure AD from source ip $body.properties.ipAddress$ + message: Possible Password Spraying attack against Azure AD from source ip $ipAddress$ mitre_attack_id: - T1586 - T1586.003 From 9edfbeeb896287c4fe311a7eb898c27e3b1cd8bc Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Thu, 17 Aug 2023 13:46:12 -0700 Subject: [PATCH 22/27] Update detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml --- .../cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 26a830da92..611952c55d 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -20,7 +20,7 @@ description: The following analytic identifies multiple failed multi-factor auth data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts - values(userPrincipalName) as userPrincipalName by userPrincipalName, status.additionalDetails, appDisplayName, + values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). From fd557070a9ca08d76ce852ee761ac9345f6025cd Mon Sep 17 00:00:00 2001 
From: Bhavin Patel Date: Thu, 17 Aug 2023 14:18:47 -0700 Subject: [PATCH 23/27] Update azure_ad_multiple_failed_mfa_requests_for_user.yml --- .../cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 611952c55d..5ad7e09a44 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -20,7 +20,7 @@ description: The following analytic identifies multiple failed multi-factor auth data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=500121 | rename properties.* as * | bucket span=10m _time | stats dc(_raw) AS mfa_prompts - values(userPrincipalName) by userPrincipalName, status.additionalDetails, appDisplayName, + values(ipAddress) as ipAddress by userPrincipalName, status.additionalDetails, appDisplayName, userAgent, _time | where mfa_prompts > 10 | `azure_ad_multiple_failed_mfa_requests_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). From df182865b5a40b9701c49ef61b4221a67adbccc6 Mon Sep 17 00:00:00 2001 
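Review bot: With `userAgent` and `status.additionalDetails` kept in the by-clause, `mfa_prompts` is counted per (user, detail string, user agent, 10-minute bucket) rather than per user, so the `> 10` threshold on the next line is only reached when all prompts for a user share the same user agent and detail; prompt activity spread across several clients is never aggregated and stays below it. Since this change already moves `ipAddress` out of the grouping keys into a `values()` aggregate, the same treatment fits the user agent: `stats dc(_raw) AS mfa_prompts values(ipAddress) as ipAddress values(userAgent) as userAgent by userPrincipalName, status.additionalDetails, _time`. The `where` clause and the rest of the search sit on the context line that follows.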
From: Gowthamaraj rajendran Date: Thu, 17 Aug 2023 14:31:47 -0700 Subject: [PATCH 24/27] Update author --- detections/cloud/azure_active_directory_high_risk_sign_in.yml | 2 +- .../cloud/azure_ad_application_administrator_role_assigned.yml | 2 +- .../azure_ad_authentication_failed_during_mfa_challenge.yml | 2 +- .../cloud/azure_ad_multi_factor_authentication_disabled.yml | 2 +- .../cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml | 2 +- .../azure_ad_multiple_users_failing_to_authenticate_from_ip.yml | 2 +- detections/cloud/azure_ad_new_custom_domain_added.yml | 2 +- detections/cloud/azure_ad_new_federated_domain_added.yml | 2 +- ...ad_privileged_authentication_administrator_role_assigned.yml | 2 +- detections/cloud/azure_ad_privileged_role_assigned.yml | 2 +- .../cloud/azure_ad_service_principal_new_client_credentials.yml | 2 +- detections/cloud/azure_ad_service_principal_owner_added.yml | 2 +- .../cloud/azure_ad_successful_powershell_authentication.yml | 2 +- .../cloud/azure_ad_successful_single_factor_authentication.yml | 2 +- ...zure_ad_unusual_number_of_failed_authentications_from_ip.yml | 2 +- detections/cloud/azure_ad_user_enabled_and_password_reset.yml | 2 +- .../cloud/azure_ad_user_immutableid_attribute_updated.yml | 2 +- 17 files changed, 17 insertions(+), 17 deletions(-) diff --git a/detections/cloud/azure_active_directory_high_risk_sign_in.yml b/detections/cloud/azure_active_directory_high_risk_sign_in.yml index afefd2b5c5..f0c5f3d7a1 100644 --- a/detections/cloud/azure_active_directory_high_risk_sign_in.yml +++ b/detections/cloud/azure_active_directory_high_risk_sign_in.yml @@ -2,7 +2,7 @@ name: Azure Active Directory High Risk Sign-in id: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea version: 1 date: '2022-07-11' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic triggers on a high risk sign-in against Azure 
diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index f10f795387..6a7f087091 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml @@ -2,7 +2,7 @@ name: Azure AD Application Administrator Role Assigned id: eac4de87-7a56-4538-a21b-277897af6d8d version: 1 date: '2023-04-25' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: [] diff --git a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml index 1697693bec..92b822b851 100644 --- a/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml +++ b/detections/cloud/azure_ad_authentication_failed_during_mfa_challenge.yml @@ -2,7 +2,7 @@ name: Azure AD Authentication Failed During MFA Challenge id: e62c9c2e-bf51-4719-906c-3074618fcc1c version: 1 date: '2022-07-14' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: 'The following analytic identifies an authentication attempt event against diff --git a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml index d2fa1dda76..2e85f7f0df 100644 --- a/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml +++ b/detections/cloud/azure_ad_multi_factor_authentication_disabled.yml 
@@ -2,7 +2,7 @@ name: Azure AD Multi-Factor Authentication Disabled id: 482dd42a-acfa-486b-a0bb-d6fcda27318e version: 1 date: '2022-08-10' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies an attempt to disable multi-factor diff --git a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml index 611952c55d..e99f84203d 100644 --- a/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml +++ b/detections/cloud/azure_ad_multiple_failed_mfa_requests_for_user.yml @@ -2,7 +2,7 @@ name: Azure AD Multiple Failed MFA Requests For User id: 264ea131-ab1f-41b8-90e0-33ad1a1888ea version: 1 date: '2022-08-25' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies multiple failed multi-factor authentication diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index 1adbbf19e4..f13da97573 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml @@ -2,7 +2,7 @@ name: Azure AD Multiple Users Failing To Authenticate From Ip id: 94481a6a-8f59-4c86-957f-55a71e3612a6 version: 1 date: '2022-07-12' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly description: 'The following analytic identifies one source Ip failing to authenticate diff --git a/detections/cloud/azure_ad_new_custom_domain_added.yml b/detections/cloud/azure_ad_new_custom_domain_added.yml index 996c408103..9842b46897 100644 --- a/detections/cloud/azure_ad_new_custom_domain_added.yml 
+++ b/detections/cloud/azure_ad_new_custom_domain_added.yml @@ -2,7 +2,7 @@ name: Azure AD New Custom Domain Added id: 30c47f45-dd6a-4720-9963-0bca6c8686ef version: 1 date: '2022-09-02' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the addition of a new custom domain diff --git a/detections/cloud/azure_ad_new_federated_domain_added.yml b/detections/cloud/azure_ad_new_federated_domain_added.yml index 76eeeb2420..759dc6c929 100644 --- a/detections/cloud/azure_ad_new_federated_domain_added.yml +++ b/detections/cloud/azure_ad_new_federated_domain_added.yml @@ -2,7 +2,7 @@ name: Azure AD New Federated Domain Added id: a87cd633-076d-4ab2-9047-977751a3c1a0 version: 1 date: '2022-09-02' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the addition of a new federated domain diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index ad76c6c59b..b7e005e717 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml @@ -2,7 +2,7 @@ name: Azure AD Privileged Authentication Administrator Role Assigned id: a7da845d-6fae-41cf-b823-6c0b8c55814a version: 1 date: '2023-04-25' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP data_source: [] diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 24107ade82..13c912cabd 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml 
@@ -2,7 +2,7 @@ name: Azure AD Privileged Role Assigned id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a version: 1 date: '2022-08-29' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the assignment of sensitive and privileged diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index a75309ee04..86fca7b74f 100644 --- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml @@ -2,7 +2,7 @@ name: Azure AD Service Principal New Client Credentials id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a version: 2 date: '2022-08-17' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the addition of new credentials for Service diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index 8ca29994fd..7582aaa83e 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml @@ -2,7 +2,7 @@ name: Azure AD Service Principal Owner Added id: 7ddf2084-6cf3-4a44-be83-474f7b73c701 version: 2 date: '2022-08-30' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the addition of a new owner for a Service diff --git a/detections/cloud/azure_ad_successful_powershell_authentication.yml b/detections/cloud/azure_ad_successful_powershell_authentication.yml index c7d4cb67ee..24ca26a17e 100644 --- a/detections/cloud/azure_ad_successful_powershell_authentication.yml 
+++ b/detections/cloud/azure_ad_successful_powershell_authentication.yml @@ -2,7 +2,7 @@ name: Azure AD Successful PowerShell Authentication id: 62f10052-d7b3-4e48-b57b-56f8e3ac7ceb version: 1 date: '2022-07-13' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies a successful authentication event against diff --git a/detections/cloud/azure_ad_successful_single_factor_authentication.yml b/detections/cloud/azure_ad_successful_single_factor_authentication.yml index 2b038eeedc..6f2eb12f80 100644 --- a/detections/cloud/azure_ad_successful_single_factor_authentication.yml +++ b/detections/cloud/azure_ad_successful_single_factor_authentication.yml @@ -2,7 +2,7 @@ name: Azure AD Successful Single-Factor Authentication id: a560e7f6-1711-4353-885b-40be53101fcd version: 1 date: '2022-07-12' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies a successful authentication event against diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index cdbbad4cdf..9b45a3cf0a 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml @@ -2,7 +2,7 @@ name: Azure AD Unusual Number of Failed Authentications From Ip id: 3d8d3a36-93b8-42d7-8d91-c5f24cec223d version: 2 date: '2022-07-11' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: Anomaly description: 'The following analytic identifies one source Ip failing to authenticate 
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index 9bfb5519be..cdf8052d2c 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml @@ -2,7 +2,7 @@ name: Azure AD User Enabled And Password Reset id: 1347b9e8-2daa-4a6f-be73-b421d3d9e268 version: 1 date: '2022-08-29' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies an Azure AD user enabling a previously diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index 6bbca6f0f5..ee53eb95f8 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml @@ -2,7 +2,7 @@ name: Azure AD User ImmutableId Attribute Updated id: 0c0badad-4536-4a84-a561-5ff760f3c00e version: 1 date: '2022-09-02' -author: Mauricio Velazco, Splunk +author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk status: production type: TTP description: The following analytic identifies the modification of the SourceAnchor From cca6bb2ceb7d29410ab975270ad722f276a79542 Mon Sep 17 00:00:00 2001 
From: Gowthamaraj rajendran Date: Thu, 17 Aug 2023 17:02:59 -0700 Subject: [PATCH 25/27] Edit SPL for Observable --- .../azure_ad_application_administrator_role_assigned.yml | 2 +- detections/cloud/azure_ad_external_guest_user_invited.yml | 2 +- .../cloud/azure_ad_global_administrator_role_assigned.yml | 2 +- ...ure_ad_high_number_of_failed_authentications_from_ip.yml | 2 +- .../cloud/azure_ad_new_mfa_method_registered_for_user.yml | 2 +- ...rivileged_authentication_administrator_role_assigned.yml | 2 +- detections/cloud/azure_ad_privileged_role_assigned.yml | 2 +- detections/cloud/azure_ad_service_principal_created.yml | 2 +- .../azure_ad_service_principal_new_client_credentials.yml | 2 +- detections/cloud/azure_ad_service_principal_owner_added.yml | 2 +- .../cloud/azure_ad_user_enabled_and_password_reset.yml | 6 +++--- .../cloud/azure_ad_user_immutableid_attribute_updated.yml | 2 +- 12 files changed, 14 insertions(+), 14 deletions(-) diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index 6a7f087091..4ad15579c4 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml @@ -16,7 +16,7 @@ search: ' `azuread` "operationName"="Add member to role" "properties.targetReso | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, operationName + | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_application_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
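Review bot: The how_to_implement context in this hunk, and in the two hunks on the next line for azure_ad_external_guest_user_invited and azure_ad_global_administrator_role_assigned, still reads `Splunkbase(https://...)` without the space that the first patch in this series normalized to `Splunkbase (https://...)` in the other Azure AD detections, and it looks like the EventHub / log-category sentence added to those files was not carried over here either. Suggest `Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).` followed by the same ingestion sentence used elsewhere in the series, naming whichever log category these audit searches rely on. The remainder of each how_to_implement string is outside the hunk, so I cannot confirm whether the second sentence is already present.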
diff --git a/detections/cloud/azure_ad_external_guest_user_invited.yml b/detections/cloud/azure_ad_external_guest_user_invited.yml index 79e369a769..d2d8d4c115 100644 --- a/detections/cloud/azure_ad_external_guest_user_invited.yml +++ b/detections/cloud/azure_ad_external_guest_user_invited.yml @@ -16,7 +16,7 @@ data_source: [] search: '`azuread` "operationName"="Invite external user" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type - as type | stats values(userPrincipalName) by _time, type, initiatedBy, result, operationName + as type | stats values(userPrincipalName) as userPrincipalName by _time, type, initiatedBy, result, operationName | `azure_ad_external_guest_user_invited_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_global_administrator_role_assigned.yml b/detections/cloud/azure_ad_global_administrator_role_assigned.yml index 80a2000f02..aa46aba9e3 100644 --- a/detections/cloud/azure_ad_global_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_global_administrator_role_assigned.yml @@ -18,7 +18,7 @@ search: '`azuread` operationName="Add member to role" properties.targetResource | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, operationName + | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_global_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
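Review bot: The changed stats line groups by `initiatedBy`, which the rename above it populates only from `initiatedBy.user.userPrincipalName`; if an invitation is initiated by an application rather than a user (the audit record then carries `initiatedBy.app`), the by-field is null and Splunk drops that row from the stats output, so such invites never alert. `| eval initiatedBy=coalesce('initiatedBy.user.userPrincipalName','initiatedBy.app.displayName')` in place of the rename would keep them. Note also that `result` is a group-by field rather than a filter, so failed invitations also produce rows; if that is intended it is worth a sentence in the description.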
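Review bot: The exact match `operationName="Add member to role"` on the search line that opens this hunk catches only direct, permanent assignments; in my experience eligible assignments and activations made through Privileged Identity Management are logged under different operation names (for example `Add eligible member to role` and `Add member to role completed (PIM activation)`), so a Global Administrator obtained via PIM would not be alerted on — confirm against your tenant's AuditLogs. Consider widening the filter to `operationName IN ("Add member to role","Add member to role completed (PIM activation)","Add eligible member to role")`, or state in the description that PIM-driven assignments are intentionally out of scope. Grouping by `initiatedBy`, which is derived only from `initiatedBy.user.userPrincipalName`, also drops rows where the actor is an application; a `coalesce` with `initiatedBy.app.displayName` avoids that.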
diff --git a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml index c4f4429b0f..1249a491ff 100644 --- a/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_high_number_of_failed_authentications_from_ip.yml @@ -13,7 +13,7 @@ description: The following analytic identifies an Ip address failing to authenti data_source: [] search: ' `azuread` category= SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time | stats dc(_raw) AS failed_attempts - values(userPrincipalName) by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' + values(userPrincipalName) as userPrincipalName by ipAddress, _time | where failed_attempts > 20 | `azure_ad_high_number_of_failed_authentications_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. diff --git a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml index d1dcd62546..b40494d929 100644 --- a/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/azure_ad_new_mfa_method_registered_for_user.yml 
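Review bot: Aliasing the user list as `userPrincipalName` is fine, but the search line above the changed stats still keys on `errorCode=50126` alone, so a spray that guesses a correct password for an MFA-protected account (which, as I understand the AADSTS codes, surfaces as 50076/50074 rather than 50126) contributes nothing to `failed_attempts`, and those correct guesses are exactly the events a responder needs next to this notable. Consider a companion search for the same `ipAddress` with `succeeded=true` or MFA-interrupt codes, or at least note the gap in the description. Separately, `dc(_raw)` de-duplicates identical Event Hub redeliveries, which is reasonable, but `count` would be cheaper if duplicates are not expected; confirm which is intended.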
@@ -11,7 +11,7 @@ description: The following analytic identifies the registration of a new Multi F data_source: [] search: ' `azuread` category=AuditLogs operationName="User registered security info" properties.operationType=Add | rename properties.* as * | rename targetResources{}.* - as * | stats values(userPrincipalName) by _time, resultDescription, result, callerIpAddress + as * | stats values(userPrincipalName) as userPrincipalName by _time, resultDescription, result, callerIpAddress | `azure_ad_new_mfa_method_registered_for_user_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml index b7e005e717..a7284495b6 100644 --- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml @@ -14,7 +14,7 @@ search: ' `azuread` "operationName"="Add member to role" "properties.targetReso | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(userPrincipalName) by _time, initiatedBy, result, operationName + | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName | `azure_ad_privileged_authentication_administrator_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 13c912cabd..6fbfdb2ba3 100644 
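Review bot: The changed stats line carries the target user (`userPrincipalName`, flattened by `rename targetResources{}.* as *`) but not the actor, so a security-info registration performed by an administrator on behalf of a user is indistinguishable in the notable from self-service enrolment by the user's own session, which is the distinction an analyst triaging MFA-persistence needs first. I would extend the clause to `stats values(userPrincipalName) as userPrincipalName values(initiatedBy.user.userPrincipalName) as initiatedBy by _time, resultDescription, result, callerIpAddress`. Since `result` is a group-by field rather than a filter, failed registrations also produce rows; if that is intended, say so in the description, otherwise add `result=success` to the search.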
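Review bot: The changed stats line groups by `initiatedBy`, populated only from `initiatedBy.user.userPrincipalName` on the rename above it, so an assignment of Privileged Authentication Administrator made by an application identity (`initiatedBy.app`) is dropped because its by-field is null. For this role in particular that is the high-value path, since the holder can reset credentials and MFA of Global Administrators, so the gap matters more here than elsewhere. `| eval initiatedBy=coalesce('initiatedBy.user.userPrincipalName','initiatedBy.app.displayName')` in place of the rename keeps both actor types.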
--- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml @@ -17,7 +17,7 @@ search: ' `azuread` "operationName"="Add member to role" | rename properties.* | eval role=mvindex(roles,1) | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description | search isprvilegedadrole = True - | stats values(userPrincipalName) by _time, initiatedBy, result, operationName, role, description + | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName, role, description | `azure_ad_privileged_role_assigned_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_service_principal_created.yml b/detections/cloud/azure_ad_service_principal_created.yml index a847649860..9290d9186b 100644 --- a/detections/cloud/azure_ad_service_principal_created.yml +++ b/detections/cloud/azure_ad_service_principal_created.yml @@ -19,7 +19,7 @@ search: '`azuread` operationName="Add service principal" properties.initiatedBy. | rename targetResources{}.displayName as displayName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.type as type - | stats values(displayName) by _time, type, initiatedBy, result, operationName + | stats values(displayName) as displayName by _time, type, initiatedBy, result, operationName | `azure_ad_service_principal_created_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml index 86fca7b74f..2fe3dcefae 100644 
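Review bot: The context line `| eval role=mvindex(roles,1)` immediately above the changed stats relies on the role display name always being the second element of the multivalue `roles` field (its extraction is above the hunk and not visible here); if the order of `modifiedProperties{}` entries differs for some role operations, the lookup against `privileged_azure_ad_roles` silently matches nothing and a privileged assignment is missed. A safer form is to expand and match every element, e.g. `| mvexpand roles | lookup privileged_azure_ad_roles azureadrole AS roles OUTPUT isprvilegedadrole description`, then keep `| search isprvilegedadrole = True`. The lookup output field `isprvilegedadrole` is misspelled but must match the CSV header, so it should only be changed together with the lookup file.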
--- a/detections/cloud/azure_ad_service_principal_new_client_credentials.yml +++ b/detections/cloud/azure_ad_service_principal_new_client_credentials.yml @@ -18,7 +18,7 @@ description: The following analytic identifies the addition of new credentials f data_source: [] search: ' `azuread` category=AuditLogs operationName="Update application*Certificates and secrets management " | rename * as * | rename properties.* as * | rename - targetResources{}.* as * | stats values(displayName) by _time, initiatedBy.user.userPrincipalName, + targetResources{}.* as * | stats values(displayName) as displayName by _time, initiatedBy.user.userPrincipalName, modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_service_principal_owner_added.yml b/detections/cloud/azure_ad_service_principal_owner_added.yml index 7582aaa83e..b655bce029 100644 --- a/detections/cloud/azure_ad_service_principal_owner_added.yml +++ b/detections/cloud/azure_ad_service_principal_owner_added.yml @@ -22,7 +22,7 @@ search: ' `azuread` operationName="Add owner to application" | rename targetResources{}.modifiedProperties{}.newValue as displayName | eval displayName = mvindex(displayName,1) | where initiatedBy!=newOwner - | stats values(displayName) by _time, initiatedBy, result, operationName, newOwner + | stats values(displayName) as displayName by _time, initiatedBy, result, operationName, newOwner | `azure_ad_service_principal_owner_added_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). 
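Review bot: The changed stats line groups by `initiatedBy.user.userPrincipalName`, so credential additions performed by an application identity (`initiatedBy.app`) are dropped as null by-field values — and a compromised service principal holding Application.ReadWrite.All adding a secret to another app is precisely the persistence path this detection exists for. I would add `| eval initiatedBy=coalesce('initiatedBy.user.userPrincipalName','initiatedBy.app.displayName')` after the renames and group by `initiatedBy` instead. The `| rename * as *` on the search line is a no-op and can be removed.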
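Review bot: `| where initiatedBy!=newOwner` on the line before the changed stats evaluates to false when either side is null, so owner additions made by an application identity (where `initiatedBy.user.userPrincipalName` is absent) are silently discarded before the stats ever sees them, and the null `initiatedBy` by-field would drop them again afterwards. If those should be kept, derive the actor with `| eval initiatedBy=coalesce('initiatedBy.user.userPrincipalName','initiatedBy.app.displayName')` before the `where`. The `mvindex(displayName,1)` on the preceding line also assumes a fixed position for the application name in `modifiedProperties{}.newValue`; a comment stating which entry that is would help the next maintainer.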
diff --git a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml index cdf8052d2c..e1bad996bb 100644 --- a/detections/cloud/azure_ad_user_enabled_and_password_reset.yml +++ b/detections/cloud/azure_ad_user_enabled_and_password_reset.yml @@ -15,7 +15,7 @@ search: ' `azuread` (operationName="Enable account" OR operationName="Reset pass startsWith=(operationName="Enable account") endsWith=(operationName="Reset password (by admin)") maxspan=2m | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy - | stats values(operationName) values(initiatedBy) by _time, userPrincipalName, + | stats values(operationName) values(initiatedBy) as initiatedBy by _time, userPrincipalName, result | `azure_ad_user_enabled_and_password_reset_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). @@ -31,12 +31,12 @@ tags: asset_type: Azure Active Directory confidence: 90 impact: 50 - message: A user account, $displayName$, was enabled and its password reset within + message: A user account, $userPrincipalName$, was enabled and its password reset within 2 minutes by $initiatedBy$ mitre_attack_id: - T1098 observable: - - name: displayName + - name: userPrincipalName type: Other role: - Victim diff --git a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml index ee53eb95f8..7ffbc568e8 100644 --- a/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml +++ b/detections/cloud/azure_ad_user_immutableid_attribute_updated.yml 
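Review bot: On the changed stats line `values(operationName)` has no alias while `values(initiatedBy)` now does, so the output carries a field literally named `values(operationName)`; for consistency with the observable clean-up in this commit use `values(operationName) as operationName`. Because `transaction` merges the enable and reset events, `result` can be multivalue when one succeeded and the other failed, and that mix then appears as one row; if only successful resets matter, filter `result=success` before the `transaction`. The transaction's grouping field is above the hunk and not visible here.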
@@ -24,7 +24,7 @@ search: ' `azuread` operationName="Update user" properties.targetResources{}.mod | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename callerIpAddress as callerIpAddress | rename targetResources{}.modifiedProperties{}.newValue - as modifiedProperties | stats values(userPrincipalName) values(modifiedProperties) + as modifiedProperties | stats values(userPrincipalName) as userPrincipalName values(modifiedProperties) by _time, initiatedBy, callerIpAddress, result, operationName | `azure_ad_user_immutableid_attribute_updated_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details). From 0eb0f1f9c6e9b4759914c2d70537c134742fb6a9 Mon Sep 17 00:00:00 2001 From: Bhavin Patel Date: Fri, 18 Aug 2023 11:42:07 -0700 Subject: [PATCH 26/27] spl fixes --- .../cloud/azure_ad_concurrent_sessions_from_different_ips.yml | 2 +- .../azure_ad_multiple_users_failing_to_authenticate_from_ip.yml | 2 +- .../azure_ad_successful_authentication_from_different_ips.yml | 2 +- ...zure_ad_unusual_number_of_failed_authentications_from_ip.yml | 2 +- 4 files changed, 4 insertions(+), 4 deletions(-) diff --git a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml index a33c0cf6ce..279fd4c619 100644 --- a/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml +++ b/detections/cloud/azure_ad_concurrent_sessions_from_different_ips.yml 
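Review bot: `values(modifiedProperties)` on the changed stats line is left unaliased while `values(userPrincipalName)` is aliased, producing a field named `values(modifiedProperties)` that the `message`/observable block cannot reference cleanly; use `values(modifiedProperties) as modifiedProperties`. The context line `| rename callerIpAddress as callerIpAddress` is a no-op and should be dropped. Note that `modifiedProperties` here holds every `newValue` of the "Update user" event, not only the SourceAnchor, so the notable may need a short description caveat that other attribute changes in the same operation appear alongside the ImmutableId.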
@@ -14,7 +14,7 @@ description: The following analytic identifies an Azure AD account with concurre data_source: [] search: ' `azuread` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips - values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips + values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_concurrent_sessions_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml index f13da97573..ed8e673478 100644 --- a/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml +++ b/detections/cloud/azure_ad_multiple_users_failing_to_authenticate_from_ip.yml @@ -18,7 +18,7 @@ data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time -| stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress +| stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | where unique_accounts > 30 | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft diff --git a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml index e6aca80229..68b962dea9 100644 
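Review bot: `values(appDisplayName)` on the changed stats line is left without an alias while `values(ipAddress)` now gets one, so the output field is literally `values(appDisplayName)`; use `values(appDisplayName) as appDisplayName`. Beyond naming, `dc(ipAddress) > 1` within a 5-minute bucket of NonInteractiveUserSignInLogs will routinely trigger for dual-stack clients that alternate IPv4 and IPv6 or for mobile devices switching networks, so unless the `azuread` macro or the filter macro already suppresses that, the known_false_positives text should call it out and a higher bar (for example distinct /24s or distinct countries) may be worth considering.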
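Review bot: Renaming the account list to `userPrincipalName` makes the observable resolve, but the search line above still restricts to `errorCode=50126`, so accounts in a spray list that do not exist (user-not-found, 50034 as I understand the AADSTS codes) or that are already locked (50053) are not counted toward `unique_accounts`, which understates enumeration-style sprays against stale user lists. Consider `properties.status.errorCode IN (50126, 50034, 50053)` or documenting the narrower scope. With `unique_accounts > 30` the `userPrincipalName` field can carry dozens of values per row; confirm the notable rendering handles a large multivalue observable.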
--- a/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml +++ b/detections/cloud/azure_ad_successful_authentication_from_different_ips.yml @@ -14,7 +14,7 @@ description: The following analytic identifies an Azure AD account successfully data_source: [] search: ' `azuread` properties.authenticationDetails{}.succeeded=true category=SignInLogs | rename properties.* as * | bucket span=5m _time | stats dc(ipAddress) AS unique_ips - values(ipAddress) values(appDisplayName) by _time, userPrincipalName | where unique_ips + values(ipAddress) as ipAddress values(appDisplayName) by _time, userPrincipalName | where unique_ips > 1 | `azure_ad_successful_authentication_from_different_ips_filter`' how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). diff --git a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml index 9b45a3cf0a..2587f803cd 100644 --- a/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml +++ b/detections/cloud/azure_ad_unusual_number_of_failed_authentications_from_ip.yml @@ -24,7 +24,7 @@ data_source: [] search: ' `azuread` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false | rename properties.* as * | bucket span=5m _time - | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as tried_accounts by _time, ipAddress + | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName by _time, ipAddress | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std by ipAddress | eval upperBound=(ip_avg+ip_std*3) | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0) From 949e5ed5ebb8693c031debf938a5df7458b7cc65 Mon Sep 17 00:00:00 2001 
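Review bot: `values(appDisplayName)` on the changed stats line is not aliased although `values(ipAddress)` now is, leaving a field named `values(appDisplayName)`; use `values(appDisplayName) as appDisplayName`. A 5-minute `dc(ipAddress) > 1` on interactive SignInLogs will also fire for a client that alternates IPv4 and IPv6 addresses or a phone moving between Wi-Fi and cellular, so the known_false_positives text should mention that unless the filter macro is expected to absorb it.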
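Review bot: The `eventstats avg(unique_accounts) ... stdev(unique_accounts) ... by ipAddress` on the line after the changed stats computes the baseline from the same buckets it is judging, so an IP that sprays steadily across the whole search window raises its own mean and standard deviation and never exceeds `upperBound`; only a burst relative to that IP's own recent behaviour is flagged, and the fixed `unique_accounts > 10` floor is then the only protection against low-and-slow spraying. I would either compute the per-IP baseline from a longer historical window (a lookup or summary index) and apply it to the latest buckets, or at minimum document in the description that sustained spraying is detected only by the static floor. The remainder of the `isOutlier` logic continues below the hunk.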
From: pyth0n1c <87383215+pyth0n1c@users.noreply.github.com> Date: Fri, 18 Aug 2023 12:52:55 -0700 Subject: [PATCH 27/27] Fix notable typo user_name to user_arm --- detections/cloud/aws_new_mfa_method_registered_for_user.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/detections/cloud/aws_new_mfa_method_registered_for_user.yml b/detections/cloud/aws_new_mfa_method_registered_for_user.yml index 96fe8b0d65..80e4b8cf96 100644 --- a/detections/cloud/aws_new_mfa_method_registered_for_user.yml +++ b/detections/cloud/aws_new_mfa_method_registered_for_user.yml @@ -34,7 +34,7 @@ tags: - T1556 - T1556.006 observable: - - name: user_name + - name: user_arn type: User role: - Victim