security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Global Administrator Role Assigned (#1686)

Browse Source 
* Initial Global Administrator Role Assigned Rules

* Apply suggestions from code review

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
This commit is contained in:
Jonhnathan
2022-01-27 09:53:02 -03:00
committed by GitHub
parent 7e4325dd7a
commit 14252d45ee
2 changed files with 113 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml
+57
View File
@@ -0,0 +1,57 @@
[metadata]
creation_date = "2022/01/06"
integration = "azure"
maturity = "production"
updated_date = "2022/01/06"
[rule]
author = ["Elastic"]
description = """
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
and manage all subscriptions and their settings and resources.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure AD Global Administrator Role Assigned"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
]
risk_score = 47
rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:"Add member to role" and
azure.auditlogs.properties.target_resources.0.modified_properties.1.new_value:"\"Global Administrator\""
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1098/"
name = "Account Manipulation"
id = "T1098"
[[rule.threat.technique.subtechnique]]
reference = "https://attack.mitre.org/techniques/T1098/003/"
name = "Add Office 365 Global Administrator Role"
id = "T1098.003"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
rules/integrations/o365/persistence_microsoft_365_global_administrator_role_assign.toml
+56
View File
@@ -0,0 +1,56 @@
[metadata]
creation_date = "2022/01/06"
integration = "o365"
maturity = "production"
updated_date = "2022/01/06"
[rule]
author = ["Elastic"]
description = """
In Azure Active Directory (Azure AD), permissions to manage resources are assigned using Roles. The Global Administrator
is a role that enables users to have access to all administrative features in Azure AD and services that use Azure
Active Directory identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange,
SharePoint Online, and Skype for Business Online. Attackers can add users as Global Administrators to maintain access
and manage all subscriptions and their settings and resources.
"""
from = "now-25m"
index = ["filebeat-*", "logs-o365*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft 365 Global Administrator Role Assigned"
note = """## Config
The Microsoft 365 Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator"
]
risk_score = 47
rule_id = "88671231-6626-4e1b-abb7-6e361a171fbb"
severity = "medium"
tags = ["Elastic", "Cloud", "Microsoft 365", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.code:"AzureActiveDirectory" and event.action:"Add member to role." and
o365.audit.ModifiedProperties.Role_DisplayName.NewValue:"Global Administrator"
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
reference = "https://attack.mitre.org/techniques/T1098/"
name = "Account Manipulation"
id = "T1098"
[[rule.threat.technique.subtechnique]]
reference = "https://attack.mitre.org/techniques/T1098/003/"
name = "Add Office 365 Global Administrator Role"
id = "T1098.003"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"