From c0bdc3fb1ba26678d9541f0702102a1a9b024b94 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:23:21 -0500
Subject: [PATCH 01/12] Create azure_device_no_longer_managed_or_compliant.yml
---
 ..._device_no_longer_managed_or_compliant.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
new file mode 100644
index 000000000..11fe4dd02
--- /dev/null
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -0,0 +1,21 @@
+title: Azure Device No Longer Managed or Compliant
+id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
+description: Identifies when a device in azure is no longer managed or compliant
+author: Austin Songer
+status: experimental
+date: 2021/
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - Device no longer compliant
+ - Device no longer managed
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Administrator may have forgotten to review the device.
From b478132769fdfb947515420dce244f0ec7e8db50 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:23:59 -0500
Subject: [PATCH 02/12] Create azure_owner_removed_from_application_or_service_principal.yml
---
 ..._from_application_or_service_principal.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
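Review bot: The `+tags:` list carries only the tactic `attack.impact` with no technique, and the single `+falsepositives:` entry ("Administrator may have forgotten to review the device") does not name what is presumably the dominant benign source of `Device no longer compliant` / `Device no longer managed` events, namely routine device lifecycle (a device unenrolled from MDM or drifting out of a compliance policy); patches 03 and 06 share the tactic-only tagging. Suggest adding an entry such as `  - Device unenrolled from management or falling out of a compliance policy as part of normal device lifecycle.` and a technique tag if one fits. Two smaller wording issues also run across the series: the `+description:` line here and in patch 03 spell `azure` in lower case where patches 02, 04 and 05 use `Azure`, and this description is the only one in the series without a closing period.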
diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
new file mode 100644
index 000000000..cc6ba7d31
--- /dev/null
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -0,0 +1,23 @@
+title: Azure Owner Removed From Application or Service Principal
+id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
+description: Identifies when a owner is was removed from a application or service principal in Azure.
+author: Austin Songer
+status: experimental
+date: 2021/09/03
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - Remove owner from service principal
+ - Remove owner from application
+ condition: selection
+level: medium
+tags:
+ - attack.defense_evasion
+falsepositives:
+ - Owner being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 6e15618c75baf4ed45a249054a011ce00abdac7c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:24:32 -0500
Subject: [PATCH 03/12] Create azure_device_or_configuration_deleted.yml
---
 .../azure_device_or_configuration_deleted.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/azure/azure_device_or_configuration_deleted.yml
diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_deleted.yml
new file mode 100644
index 000000000..4156aa7d4
--- /dev/null
+++ b/rules/cloud/azure/azure_device_or_configuration_deleted.yml
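Review bot: The `+description:` line has two grammar slips ("a owner is was removed from a application"); suggest `description: Identifies when an owner was removed from an application or service principal in Azure.`. The third `+falsepositives:` entry mixes a false-positive source with investigation guidance and its subject is off ("Owner removed from unfamiliar users" — it is the acting user that is unfamiliar, not the owner); the same template recurs in patches 03, 04 and 05, so it is worth fixing once and copying, e.g. `  - Owner removals performed by unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.`.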
@@ -0,0 +1,23 @@
+title: Azure Device or Configuration Deleted
+id: 46530378-f9db-4af9-a9e5-889c177d3881
+description: Identifies when a device or device configuration in azure is deleted.
+author: Austin Songer
+status: experimental
+date: 2021/09/03
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - Delete device
+ - Delete device configuration
+ condition: selection
+level: medium
+tags:
+ - attack.impact
+falsepositives:
+ - Device or device configuration being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 70ac0104cf129996705d1538642c4a1c6f010978 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:25:01 -0500
Subject: [PATCH 04/12] Create azure_service_principal_removed.yml
---
 .../azure/azure_service_principal_removed.yml | 21 +++++++++++++++++++
 1 file changed, 21 insertions(+)
 create mode 100644 rules/cloud/azure/azure_service_principal_removed.yml
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
new file mode 100644
index 000000000..6be22898a
--- /dev/null
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -0,0 +1,21 @@
+title: Azure Service Principal Removed
+id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
+description: Identifies when a service principal was removed in Azure.
+author: Austin Songer
+status: experimental
+date: 2021/09/03
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message: "Remove service principal"
+ condition: selection
+level: medium
+tags:
+ - attack.defense_evasion
+falsepositives:
+ - Service principal being removed may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 6744fb7f2ec6ded95cee76e72f418395f956c7e0 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:25:34 -0500
Subject: [PATCH 05/12] Create azure_application_deleted.yml
---
 .../cloud/azure/azure_application_deleted.yml | 23 +++++++++++++++++++
 1 file changed, 23 insertions(+)
 create mode 100644 rules/cloud/azure/azure_application_deleted.yml
diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml
new file mode 100644
index 000000000..843bb212f
--- /dev/null
+++ b/rules/cloud/azure/azure_application_deleted.yml
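Review bot: `Remove service principal` in the `+properties.message:` selection will presumably also fire when an application registration is deleted, since removing the application removes its service principal as well, so this rule and the `Delete application` rule from patch 05 are likely to alert twice on the same administrative action. That is worth stating on the `+falsepositives:` list, e.g. `  - Deleting an application registration also removes its service principal and triggers this rule alongside the application-deleted rule.`, or noting in the description that the two rules are expected to co-fire so analysts can correlate them rather than treat them as independent findings.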
@@ -0,0 +1,23 @@
+title: Azure Application Deleted
+id: 410d2a41-1e6d-452f-85e5-abdd8257a823
+description: Identifies when a application is deleted in Azure.
+author: Austin Songer
+status: experimental
+date: 2021/09/03
+references:
+ - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+ service: azure.activitylogs
+detection:
+ selection:
+ properties.message:
+ - Delete application
+ - Hard Delete application
+ condition: selection
+level: medium
+tags:
+ - attack.defense_evasion
+falsepositives:
+ - Application being deleted may be performed by a system administrator.
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
+ - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From c021ae9e7c8507c1b3c42018d7da249cd1e76e99 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:28:35 -0500
Subject: [PATCH 06/12] Update and rename azure_device_or_configuration_deleted.yml to azure_device_or_configuration_modified_or_deleted.yml
---
 ..._device_or_configuration_modified_or_deleted.yml} | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)
 rename rules/cloud/azure/{azure_device_or_configuration_deleted.yml => azure_device_or_configuration_modified_or_deleted.yml} (57%)
diff --git a/rules/cloud/azure/azure_device_or_configuration_deleted.yml b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
similarity index 57%
rename from rules/cloud/azure/azure_device_or_configuration_deleted.yml
rename to rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
index 4156aa7d4..c5136d769 100644
--- a/rules/cloud/azure/azure_device_or_configuration_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
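Review bot: The `+description:` line reads "a application"; suggest `description: Identifies when an application is deleted or hard-deleted in Azure.`, which also covers the second selection value. `Hard Delete application` is, as far as I can tell, the permanent purge of an application that was already soft-deleted, so one cleanup of a deleted app will presumably produce two alerts from this rule (one at delete, one at purge); that is worth a `+falsepositives:` entry, e.g. `  - Purging an already soft-deleted application raises a second alert for the same application.`.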
@@ -1,7 +1,7 @@
-title: Azure Device or Configuration Deleted
+title: Azure Device or Configuration Modified or Deleted
 id: 46530378-f9db-4af9-a9e5-889c177d3881
-description: Identifies when a device or device configuration in azure is deleted.
-author: Austin Songer
+description: Identifies when a device or device configuration in azure is modified or deleted.
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
@@ -13,11 +13,13 @@ detection:
 properties.message:
 - Delete device
 - Delete device configuration
+ - Update device
+ - Update device configuration
 condition: selection
 level: medium
 tags:
 - attack.impact
 falsepositives:
- - Device or device configuration being deleted may be performed by a system administrator.
+ - Device or device configuration being modified or deleted may be performed by a system administrator.
 - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
- - Device or device configuration deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
From 8fe7bfc4529255d84c666efd107afba2744171fb Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:28:53 -0500
Subject: [PATCH 07/12] Update azure_application_deleted.yml
---
 rules/cloud/azure/azure_application_deleted.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_application_deleted.yml b/rules/cloud/azure/azure_application_deleted.yml
index 843bb212f..7160069c5 100644
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
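Review bot: Adding `Update device` and `Update device configuration` to the selection in the second hunk keeps `level: medium` and the `attack.impact` tag unchanged, but `Update device` is likely one of the most frequent Core Directory audit activities (it appears to be written for routine attribute changes on device objects), so alerts that used to mean a device was removed will now be dominated by benign updates. Consider splitting the update events into their own rule with a lower level and their own `falsepositives`, or at least lowering this rule's level and noting the expected volume, e.g. `description: Identifies when a device or device configuration in Azure is modified or deleted. Update events are frequent in normal operation and should be tuned per environment.`. Keeping the `id` stable across the rename is correct; the first hunk only changes title, description and author.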
@@ -1,7 +1,7 @@
 title: Azure Application Deleted
 id: 410d2a41-1e6d-452f-85e5-abdd8257a823
 description: Identifies when a application is deleted in Azure.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
From 9d26116d272653796bacfe5d12cf47e4a1ba3591 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:29:02 -0500
Subject: [PATCH 08/12] Update azure_device_no_longer_managed_or_compliant.yml
---
 .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index 11fe4dd02..e13c480c8 100644
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -1,7 +1,7 @@
 title: Azure Device No Longer Managed or Compliant
 id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
 description: Identifies when a device in azure is no longer managed or compliant
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/
 references:
From fda1e3362e7b7321e4125acd3f80d0ffdb32f62d Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:29:12 -0500
Subject: [PATCH 09/12] Update azure_owner_removed_from_application_or_service_principal.yml
---
 ...zure_owner_removed_from_application_or_service_principal.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
index cc6ba7d31..5db903ee0 100644
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@@ -1,7 +1,7 @@
 title: Azure Owner Removed From Application or Service Principal
 id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
 description: Identifies when a owner is was removed from a application or service principal in Azure.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
From c420a17e05d8848070a1dff6f62bd26afd36773c Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:29:21 -0500
Subject: [PATCH 10/12] Update azure_service_principal_removed.yml
---
 rules/cloud/azure/azure_service_principal_removed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
index 6be22898a..81ed24543 100644
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -1,7 +1,7 @@
 title: Azure Service Principal Removed
 id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
 description: Identifies when a service principal was removed in Azure.
-author: Austin Songer
+author: Austin Songer @austinsonger
 status: experimental
 date: 2021/09/03
 references:
From 0612ea7f6e468bb6a2741f4c39ce58e36aeb4d2b Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:42:26 -0500
Subject: [PATCH 11/12] Update azure_device_no_longer_managed_or_compliant.yml
---
 .../cloud/azure/azure_device_no_longer_managed_or_compliant.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
index e13c480c8..13be72771 100644
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@@ -3,7 +3,7 @@ id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
 description: Identifies when a device in azure is no longer managed or compliant
 author: Austin Songer @austinsonger
 status: experimental
-date: 2021/
+date: 2021/09/03
 references:
 - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
 logsource:
From e7c582777636dd563250eda84cab0faf8cdc3f90 Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Fri, 3 Sep 2021 22:43:11 -0500
Subject: [PATCH 12/12] Update azure_service_principal_removed.yml
---
 rules/cloud/azure/azure_service_principal_removed.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rules/cloud/azure/azure_service_principal_removed.yml b/rules/cloud/azure/azure_service_principal_removed.yml
index 81ed24543..e05012525 100644
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@@ -10,7 +10,7 @@ logsource:
 service: azure.activitylogs
 detection:
 selection:
- properties.message: "Remove service principal"
+ properties.message: Remove service principal
 condition: selection
 level: medium
 tags: