Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules

new: Anomalous User Activity new: Activity From Anonymous IP Address new: Atypical Travel new: Impossible Travel new: Suspicious Inbox Forwarding Identity Protection new: Suspicious Inbox Manipulation Rules new: Azure AD Account Credential Leaked new: Sign-In From Malware Infected IP new: New Country new: Password Spray Activity new: Suspicious Browser Activity new: SAML Token Issuer Anomaly new: Unfamiliar Sign-In Properties --------- Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com> Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com> Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-09-06 01:56:13 -07:00
parent 9cb124f841
commit efe2c9bbcb
14 changed files with 304 additions and 0 deletions
@@ -0,0 +1,22 @@
+title: Anomalous User Activity
+id: 258b6593-215d-4a26-a141-c8e31c1299a6
+status: experimental
+description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1098
+    - attack.persistence
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'anomalousUserActivity'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,25 @@
+title: Activity From Anonymous IP Address
+id: be4d9c86-d702-4030-b52e-c7859110e5e8
+status: experimental
+description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'riskyIPAddress'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,25 @@
+title: Atypical Travel
+id: 1a41023f-1e70-4026-921a-4d9341a9038e
+status: experimental
+description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'unlikelyTravel'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,25 @@
+title: Impossible Travel
+id: b2572bf9-e20a-4594-b528-40bde666525a
+status: experimental
+description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'impossibleTravel'
+    condition: selection
+falsepositives:
+    - Conneting to a VPN, performing activity and then dropping and performing addtional activity.
+level: high
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Forwarding Identity Protection
+id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
+status: experimental
+description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1140
+    - attack.defense_evasion
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'suspiciousInboxForwarding'
+    condition: selection
+falsepositives:
+    - A legitmate forwarding rule.
+level: high
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Manipulation Rules
+id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
+status: experimental
+description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1140
+    - attack.defense_evasion
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'mcasSuspiciousInboxManipulationRules'
+    condition: selection
+falsepositives:
+    - Actual mailbox rules that are moving items based on their workflow.
+level: high
@@ -0,0 +1,22 @@
+title: Azure AD Account Credential Leaked 
+id: 19128e5e-4743-48dc-bd97-52e5775af817
+status: experimental
+description: Indicates that the user's valid credentials have been leaked.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1589
+    - attack.reconnaissance
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'leakedCredentials'
+    condition: selection
+falsepositives:
+    - A rare hash collision.
+level: high
@@ -0,0 +1,22 @@
+title: Sign-In From Malware Infected IP
+id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
+status: experimental
+description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1090
+    - attack.command_and_control
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'malwareInfectedIPAddress'
+    condition: selection
+falsepositives:
+    - Using an IP address that is shared by many users
+level: high
@@ -0,0 +1,25 @@
+title: New Country
+id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
+status: experimental
+description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'newCountry'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,22 @@
+title: Password Spray Activity
+id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
+status: experimental
+description: Indicates that a password spray attack has been successfully performed.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1110
+    - attack.credential_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'passwordSpray'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,25 @@
+title: Suspicious Browser Activity
+id: 944f6adb-7a99-4c69-80c1-b712579e93e6
+status: experimental
+description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'suspiciousBrowser'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,22 @@
+title: SAML Token Issuer Anomaly
+id: e3393cba-31f0-4207-831e-aef90ab17a8c
+status: experimental
+description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1606
+    - attack.credential_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'tokenIssuerAnomaly'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
@@ -0,0 +1,25 @@
+title: Unfamiliar Sign-In Properties
+id: 128faeef-79dd-44ca-b43c-a9e236a60f49
+status: experimental
+description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'unfamiliarFeatures'
+    condition: selection
+falsepositives:
+    - User changing to a new device, location, browser, etc.
+level: high