diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml new file mode 100644 index 000000000..7160069c5 --- /dev/null +++ b/rules/cloud/azure/azure_application_deleted.yml @@ -0,0 +1,23 @@ +title: Azure Application Deleted +id: 410d2a41-1e6d-452f-85e5-abdd8257a823 +description: Identifies when a application is deleted in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete application + - Hard Delete application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Application being deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml new file mode 100644 index 000000000..13be72771 --- /dev/null +++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml 
@@ -0,0 +1,21 @@ +title: Azure Device No Longer Managed or Compliant +id: 542b9912-c01f-4e3f-89a8-014c48cdca7d +description: Identifies when a device in azure is no longer managed or compliant +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Device no longer compliant + - Device no longer managed + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Administrator may have forgotten to review the device. diff --git a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml new file mode 100644 index 000000000..c5136d769 --- /dev/null +++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml 
@@ -0,0 +1,25 @@ +title: Azure Device or Configuration Modified or Deleted +id: 46530378-f9db-4af9-a9e5-889c177d3881 +description: Identifies when a device or device configuration in azure is modified or deleted. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Delete device + - Delete device configuration + - Update device + - Update device configuration + condition: selection +level: medium +tags: + - attack.impact +falsepositives: + - Device or device configuration being modified or deleted may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml new file mode 100644 index 000000000..5db903ee0 --- /dev/null +++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml 
@@ -0,0 +1,23 @@ +title: Azure Owner Removed From Application or Service Principal +id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6 +description: Identifies when a owner is was removed from a application or service principal in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: + - Remove owner from service principal + - Remove owner from application + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Owner being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule. diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml new file mode 100644 index 000000000..e05012525 --- /dev/null +++ b/rules/cloud/azure/azure_service_principal_removed.yml 
@@ -0,0 +1,21 @@ +title: Azure Service Principal Removed +id: 448fd1ea-2116-4c62-9cde-a92d120e0f08 +description: Identifies when a service principal was removed in Azure. +author: Austin Songer @austinsonger +status: experimental +date: 2021/09/03 +references: + - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy +logsource: + service: azure.activitylogs +detection: + selection: + properties.message: Remove service principal + condition: selection +level: medium +tags: + - attack.defense_evasion +falsepositives: + - Service principal being removed may be performed by a system administrator. + - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. + - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
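Review bot: in azure_application_deleted.yml the description "Identifies when a application is deleted in Azure." should read "an application". The same file's falsepositives list mixes one genuine false-positive cause (an administrator deleting an application) with two analyst instructions ("Verify whether the user identity...", "...should be investigated"), which belong in the description or a notes field rather than under falsepositives; the third item also says "deleted from unfamiliar users" where "deleted by unfamiliar users" is meant. This pattern is copied into the device, owner-removed and service-principal rules in this patch, so fixing it once and propagating it keeps the set consistent. Finally, the rule tags only the tactic `attack.defense_evasion` with no technique; either add the matching technique tag or document why none applies.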
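Review bot: in azure_device_no_longer_managed_or_compliant.yml the description is missing its terminating period and writes "azure" in lowercase, unlike the other rules in this patch ("in Azure"). The single falsepositives entry, "Administrator may have forgotten to review the device.", describes a stale compliance state rather than a benign cause of the event; consider naming the legitimate cases that produce "Device no longer managed" or "Device no longer compliant" (for example a device being intentionally retired from management), so analysts know what to exclude.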
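Review bot: in azure_device_or_configuration_modified_or_deleted.yml the selection puts "Update device" and "Update device configuration" in the same list as the two delete activities at a single `level: medium`; routine device updates are likely to fire far more often than deletes, so consider splitting the update and delete activities into separate selections or separate rules with their own level and falsepositives. The description also uses lowercase "azure" where the rest of the set writes "Azure".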
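Review bot: in azure_owner_removed_from_application_or_service_principal.yml the description "Identifies when a owner is was removed from a application or service principal in Azure." has a grammar error; it should read "Identifies when an owner was removed from an application or service principal in Azure." As with the application-deleted rule, the tags block carries only `attack.defense_evasion` without a technique, and the third falsepositives item ("Owner removed from unfamiliar users") should say "by unfamiliar users".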
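Review bot: in azure_service_principal_removed.yml the selection uses a scalar value (`properties.message: Remove service principal`) while every other rule in this patch uses the list form for the same field; both are valid Sigma, but the list form keeps the set uniform and makes it easier to add a hard-delete variant later. Also, all five rules point `logsource` at `service: azure.activitylogs` while the referenced document and the `properties.message` values are Azure AD audit-log activity names; please confirm that the backend mapping for `azure.activitylogs` actually covers these audit events, or adjust the logsource accordingly.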