Merge pull request #2133 from hieuttmmo/master

Sigma Rules for Privileged Accounts Activities Monitoring in Azure
2021-10-14 16:53:53 +01:00
parent 7e02555e22 a7e6eb576c
commit 87f2326402
5 changed files with 106 additions and 0 deletions
@@ -0,0 +1,20 @@
+title: Account Lockout 
+id: 2b7d6fc0-71ac-4cf7-8ed1-b5788ee5257a
+status: experimental
+author: AlertIQ
+date: 2021/10/10  
+description: Identifies user account which has been locked because the user tried to sign in too many times with an incorrect user ID or password.
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+  service: azure.signinlogs
+detection:
+  selection:
+    ResultType: 50053
+  condition: selection
+level: medium
+falsepositives:
+  - Unknown
+tags:
+  - attack.credential_access
+  - attack.t1110
@@ -0,0 +1,21 @@
+title: Change to Authentication Method
+id: 4d78a000-ab52-4564-88a5-7ab5242b20c7
+status: experimental
+author: AlertIQ
+date: 2021/10/10  
+description: Change to authentication method could be an indicated of an attacker adding an auth method to the account so they can have continued access.
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+  service: azure.auditlogs
+detection:
+  selection:
+    LoggedByService: 'Authentication Methods'
+    Category: 'UserManagement'
+    OperationName: 'User registered security info'
+  condition: selection
+level: medium
+falsepositives:
+  - Unknown
+tags:
+  - attack.credential_access
@@ -0,0 +1,21 @@
+title: Login to Disabled Account
+id: 908655e0-25cf-4ae1-b775-1c8ce9cf43d8
+status: experimental
+author: AlertIQ
+date: 2021/10/10  
+description: Detect failed attempts to sign in to disabled accounts.
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+  service: azure.signinlogs
+detection:
+  selection:
+    ResultType: 50057
+    ResultDescription: 'User account is disabled. The account has been disabled by an administrator.'
+  condition: selection 
+level: medium
+falsepositives:
+  - Unknown
+tags:
+  - attack.initial_access
+  - attack.t1078
@@ -0,0 +1,24 @@
+title: Multifactor Authentication Interupted
+id: 5496ff55-42ec-4369-81cb-00f417029e25
+status: experimental
+author: AlertIQ
+date: 2021/10/10  
+description: Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+  service: azure.signinlogs
+detection:
+  selection:
+    ResultType: 50074
+    ResultDescription|contains: 'Strong Auth required'
+  selection1:
+    ResultType: 500121
+    ResultDescription|contains: 'Authentication failed during strong authentication request'
+  condition: selection or selection1
+level: medium
+falsepositives:
+  - Unknown
+tags:
+  - attack.initial_access
+  - attack.t1078.004
@@ -0,0 +1,20 @@
+title: User Access Blocked by Azure Conditional Access
+id: 9a60e676-26ac-44c3-814b-0c2a8b977adf
+status: experimental
+author: AlertIQ
+date: 2021/10/10  
+description: Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.
+references:
+  - https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
+logsource:
+  service: azure.signinlogs
+detection:
+  selection:
+    ResultType: 53003
+  condition: selection 
+level: medium
+falsepositives:
+  - Unknown
+tags:
+  - attack.credential_access
+  - attack.t1110