From 907252c00f51d9e3c044f32699cf7076e10cbf14 Mon Sep 17 00:00:00 2001
From: cyb3rjy0t
Date: Mon, 9 Jan 2023 17:07:39 -0500
Subject: [PATCH 1/4] New rule Detecting risky user sign from non AD registered device with single factor authenciation
---
 ...actorauthencation_from_unknown_devices.yml | 24 +++++++++++++++++++
 1 file changed, 24 insertions(+)
 create mode 100644 rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
diff --git a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
new file mode 100644
index 000000000..5033e930c
--- /dev/null
+++ b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
@@ -0,0 +1,24 @@
+title: Suspicious Sign-Ins from a Non Registered Device
+id: 572b12d4-9062-11ed-a1eb-0242ac120002
+status: experimental
+description: Detects risky authencaition from a non AD registered device without MFA being required.
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
+author: Harjot Singh, '@cyb3rjy0t'
+date: 2022/07/27
+tags:
+ - attack.defense_evasion
+ - attack.t1078
+logsource:
+ product: azure
+ service: signinlogs
+detection:
+ selection:
+ Status: 'Success'
+ AuthenticationRequirement: 'singleFactorAuthentication'
+ DeviceDetail.trusttype: ''
+ RiskState: 'atRisk'
+ condition: selection
+falsepositives:
+ - Unknown
+level: High
From 82c2b635a90c76cce257a3630b745f39559cfb94 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 10 Jan 2023 00:49:44 +0100
Subject: [PATCH 2/4] fix: yaml syntax
---
 ...with_singlefactorauthencation_from_unknown_devices.yml | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)
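Review bot: `Status: 'Success'` in the new rule's selection is unlikely to ever match, because in Azure AD SigninLogs the sign-in outcome is, as far as I can tell, carried by `ResultType` (`0` for success) and `Status.errorCode` rather than a top-level `Status` string, so the rule should probably use `ResultType: 0` and be validated against a real successful sign-in event before leaving experimental status. `DeviceDetail.trusttype: ''` matches only an explicit empty string, while an unregistered device may have the field absent entirely (which Sigma expresses with `null`), and the schema spells the field `trustType`, so both the field case and the value list deserve a check, for example `DeviceDetail.trustType: ['', null]` if the target backend supports mixing the two. `RiskState: 'atRisk'` leaves out `confirmedCompromised`, which is arguably the more important state to alert on, so a value list such as `RiskState: ['atRisk', 'confirmedCompromised']` would be worth considering. The description still reads `authencaition` after all four patches in this series and should be `authentication`.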
diff --git a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
index 5033e930c..5edbd7386 100644
--- a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
+++ b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
@@ -5,7 +5,7 @@ description: Detects risky authencaition from a non AD registered device without
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in
 author: Harjot Singh, '@cyb3rjy0t'
-date: 2022/07/27
+date: 2023/01/10
 tags:
 - attack.defense_evasion
 - attack.t1078
@@ -16,9 +16,9 @@ detection:
 selection:
 Status: 'Success'
 AuthenticationRequirement: 'singleFactorAuthentication'
-DeviceDetail.trusttype: ''
-RiskState: 'atRisk'
+DeviceDetail.trusttype: ''
+RiskState: 'atRisk'
 condition: selection
 falsepositives:
 - Unknown
-level: High
+level: high
From 28202109452524d18c3d70e40efb00ce2a148cd0 Mon Sep 17 00:00:00 2001
From: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Date: Tue, 10 Jan 2023 19:43:19 +0100
Subject: [PATCH 3/4] fix: broken title
---
 ...n_ins_with_singlefactorauthencation_from_unknown_devices.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
index 5edbd7386..d8a495a7d 100644
--- a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
+++ b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
@@ -1,4 +1,4 @@
-title: Suspicious Sign-Ins from a Non Registered Device
+title: Suspicious SignIns From A Non Registered Device
 id: 572b12d4-9062-11ed-a1eb-0242ac120002
 status: experimental
 description: Detects risky authencaition from a non AD registered device without MFA being required.
From 8e7187e861e9fff32c91d6bece0e317c470a5503 Mon Sep 17 00:00:00 2001
From: frack113 <62423083+frack113@users.noreply.github.com>
Date: Tue, 10 Jan 2023 20:37:56 +0100
Subject: [PATCH 4/4] Rename azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml to azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
---
 ...risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename rules/cloud/azure/{azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml => azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml} (100%)
diff --git a/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml b/rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml
similarity index 100%
rename from rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauthencation_from_unknown_devices.yml
rename to rules/cloud/azure/azure_ad_risky_sign_ins_with_singlefactorauth_from_unknown_devices.yml