refactor: first bigger log source refactoring
see discussion here: https://github.com/SigmaHQ/sigma/discussions/2835
This commit is contained in:
Florian Roth
@@ -1,7 +1,7 @@
|
||||
title: Azure Active Directory Hybrid Health AD FS New Server
|
||||
id: 288a39fc-4914-4831-9ada-270e9dc12cb4
|
||||
description: |
|
||||
This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
|
||||
This detection uses azureactivity logs (Administrative category) to identify the creation or update of a server instance in an Azure AD Hybrid health AD FS service.
|
||||
A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-prem AD FS server.
|
||||
This can be done programmatically via HTTP requests to Azure.
|
||||
status: experimental
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
- https://o365blog.com/post/hybridhealthagent/
|
||||
logsource:
|
||||
product: azure
|
||||
service: AzureActivity
|
||||
service: azureactivity
|
||||
detection:
|
||||
selection:
|
||||
CategoryValue: 'Administrative'
|
||||
|
||||
@@ -1,7 +1,7 @@
|
||||
title: Azure Active Directory Hybrid Health AD FS Service Delete
|
||||
id: 48739819-8230-4ee3-a8ea-e0289d1fb0ff
|
||||
description: |
|
||||
This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
|
||||
This detection uses azureactivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
|
||||
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
|
||||
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
|
||||
status: experimental
|
||||
@@ -14,7 +14,7 @@ references:
|
||||
- https://o365blog.com/post/hybridhealthagent/
|
||||
logsource:
|
||||
product: azure
|
||||
service: AzureActivity
|
||||
service: azureactivity
|
||||
detection:
|
||||
selection:
|
||||
CategoryValue: 'Administrative'
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
ResultType: 50053
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://www.cloud-architekt.net/auditing-of-msi-and-service-principals/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message: 'Update application - Certificates and secrets management'
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.auditlogs
|
||||
service: auditlogs
|
||||
detection:
|
||||
selection:
|
||||
LoggedByService: 'Authentication Methods'
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -1,15 +1,15 @@
|
||||
title: Number Of Resource Creation Or Deployment Activities
|
||||
id: d2d901db-7a75-45a1-bc39-0cbf00812192
|
||||
status: test
|
||||
description: Number of VM creations or deployment activities occur in Azure via the AzureActivity log.
|
||||
description: Number of VM creations or deployment activities occur in Azure via the azureactivity log.
|
||||
author: sawwinnnaung
|
||||
references:
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Creating_Anomalous_Number_Of_Resources_detection.yaml
|
||||
date: 2020/05/07
|
||||
modified: 2021/11/27
|
||||
logsource:
|
||||
product: azure
|
||||
service: AzureActivity
|
||||
service: azureactivity
|
||||
detection:
|
||||
keywords:
|
||||
- Microsoft.Compute/virtualMachines/write
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message|startswith: MICROSOFT.NETWORK/DNSZONES
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://attack.mitre.org/techniques/T1078
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message: Set federation settings on domain
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -4,12 +4,12 @@ status: test
|
||||
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
|
||||
author: sawwinnnaung
|
||||
references:
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/Granting_Permissions_To_Account_detection.yaml
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/Granting_Permissions_To_Account_detection.yaml
|
||||
date: 2020/05/07
|
||||
modified: 2021/11/27
|
||||
logsource:
|
||||
product: azure
|
||||
service: AzureActivity
|
||||
service: azureactivity
|
||||
detection:
|
||||
keywords:
|
||||
- Microsoft.Authorization/roleAssignments/write
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -9,7 +9,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftkubernetes
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection1:
|
||||
properties.message|startswith:
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -11,7 +11,7 @@ references:
|
||||
- https://www.microsoft.com/security/blog/2020/04/02/attack-matrix-kubernetes/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection1:
|
||||
properties.message|startswith:
|
||||
|
||||
@@ -9,7 +9,7 @@ references:
|
||||
- https://github.com/elastic/detection-rules/blob/da3852b681cf1a33898b1535892eab1f3a76177a/rules/integrations/azure/defense_evasion_kubernetes_events_deleted.toml
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection_operation_name:
|
||||
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -9,7 +9,7 @@ references:
|
||||
- https://github.com/elastic/detection-rules/blob/065bf48a9987cd8bd826c098a30ce36e6868ee46/rules/integrations/azure/impact_kubernetes_pod_deleted.toml
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection_operation_name:
|
||||
properties.message: MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/PODS/DELETE
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -12,7 +12,7 @@ references:
|
||||
- https://attack.mitre.org/matrices/enterprise/cloud/
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
ResultType: 50057
|
||||
|
||||
@@ -9,7 +9,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-mfa-userstates
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
eventSource: AzureActiveDirectory
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
ResultType: 50074
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message: MICROSOFT.PORTAL/CONSOLES/WRITE
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -4,12 +4,12 @@ status: test
|
||||
description: Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.
|
||||
author: sawwinnnaung
|
||||
references:
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AzureActivity/RareOperations.yaml
|
||||
- https://github.com/Azure/Azure-Sentinel/blob/master/Detections/azureactivity/RareOperations.yaml
|
||||
date: 2020/05/07
|
||||
modified: 2021/11/27
|
||||
logsource:
|
||||
product: azure
|
||||
service: AzureActivity
|
||||
service: azureactivity
|
||||
detection:
|
||||
keywords:
|
||||
- Microsoft.DocumentDB/databaseAccounts/listKeys/action
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message: 'Add service principal'
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message: Remove service principal
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations#microsoftauthorization
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection1:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#assignment-and-elevation
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.auditlogs
|
||||
service: auditlogs
|
||||
detection:
|
||||
selection:
|
||||
Category: 'Administrative'
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection1:
|
||||
ResultType: 50097
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.signinlogs
|
||||
service: signinlogs
|
||||
detection:
|
||||
selection:
|
||||
ResultType: 53003
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message|startswith:
|
||||
|
||||
@@ -8,7 +8,7 @@ references:
|
||||
- https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations
|
||||
logsource:
|
||||
product: azure
|
||||
service: azure.activitylogs
|
||||
service: activitylogs
|
||||
detection:
|
||||
selection:
|
||||
properties.message:
|
||||
|
||||
Reference in New Issue
Block a user