diff --git a/detection_rules/etc/integration-manifests.json.gz b/detection_rules/etc/integration-manifests.json.gz index 6001f222e..4cf7ab622 100644 Binary files a/detection_rules/etc/integration-manifests.json.gz and b/detection_rules/etc/integration-manifests.json.gz differ diff --git a/detection_rules/etc/integration-schemas.json.gz b/detection_rules/etc/integration-schemas.json.gz index 46ba523bd..65b634c30 100644 Binary files a/detection_rules/etc/integration-schemas.json.gz and b/detection_rules/etc/integration-schemas.json.gz differ diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 26b29c343..213bdc3f9 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -148,5 +148,12 @@ "logs-aws.cloudtrail-*": { "aws.cloudtrail.flattened.request_parameters.cidrIp": "keyword", "aws.cloudtrail.flattened.request_parameters.fromPort": "keyword" + }, + "logs-azure.signinlogs-*": { + "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword" + }, + "logs-azure.activitylogs-*": { + "azure.activitylogs.properties.authentication_protocol": "keyword", + "azure.activitylogs.properties.appId": "keyword" } } diff --git a/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml new file mode 100644 index 000000000..65b062f0e --- /dev/null +++ b/rules/integrations/azure/credential_access_entra_id_device_code_auth_with_broker_client.toml @@ -0,0 +1,60 @@ +[metadata] +creation_date = "2024/06/24" +integration = ["azure"] +maturity = "production" +updated_date = "2024/06/26" + +[rule] +author = ["Elastic"] +description = """ +Identifies device code authentication with an Azure broker client for Entra ID. Adversaries abuse Primary Refresh Tokens (PRTs) to bypass multi-factor authentication (MFA) and gain unauthorized access to Azure resources. PRTs are used in Conditional Access policies to enforce device-based controls. Compromising PRTs allows attackers to bypass these policies and gain unauthorized access. This rule detects successful sign-ins using device code authentication with the Entra ID broker client application ID (29d9ed98-a469-4536-ade2-f981bc1d605e). +""" +from = "now-9m" +index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"] +language = "kuery" +license = "Elastic License v2" +name = "Entra ID Device Code Auth with Broker Client" +references =[ + "https://dirkjanm.io/assets/raw/Phishing%20the%20Phishing%20Resistant.pdf", + "https://learn.microsoft.com/en-us/troubleshoot/azure/entra/entra-id/governance/verify-first-party-apps-sign-in", + "https://learn.microsoft.com/en-us/azure/azure-monitor/reference/tables/signinlogs" +] +risk_score = 47 +rule_id = "a83b3dac-325a-11ef-b3e6-f661ea17fbce" +setup = """ +This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. +""" +severity = "medium" +tags = [ + "Domain: Cloud", + "Data Source: Azure", + "Data Source: Microsoft Entra ID", + "Use Case: Identity and Access Audit", + "Tactic: Credential Access", +] +timestamp_override = "event.ingested" +type = "query" + +query = ''' + event.dataset:(azure.activitylogs or azure.signinlogs) + and azure.signinlogs.properties.authentication_protocol:deviceCode + and azure.signinlogs.properties.conditional_access_audiences.application_id:29d9ed98-a469-4536-ade2-f981bc1d605e + and event.outcome:success or ( + azure.activitylogs.properties.appId:29d9ed98-a469-4536-ade2-f981bc1d605e + and azure.activitylogs.properties.authentication_protocol:deviceCode) +''' + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1528" +name = "Steal Application Access Token" +reference = "https://attack.mitre.org/techniques/T1528/" + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" +