From 3996e94bfd7e035e11d56ac4a48cc35c7e3ecebd Mon Sep 17 00:00:00 2001
From: Austin Songer
Date: Tue, 22 Jun 2021 00:49:45 -0500
Subject: [PATCH] [New Rule] Azure Service Principal Credentials Added (#1169)
Co-authored-by: Brent Murphy <56412096+bm11100@users.noreply.github.com>
(cherry picked from commit 6986f28af67da73855b794489689f82570453e51)
---
 ...e_service_principal_credentials_added.toml | 55 +++++++++++++++++++
 1 file changed, 55 insertions(+)
 create mode 100644 rules/azure/impact_azure_service_principal_credentials_added.toml
diff --git a/rules/azure/impact_azure_service_principal_credentials_added.toml b/rules/azure/impact_azure_service_principal_credentials_added.toml
new file mode 100644
index 000000000..b4904a237
--- /dev/null
+++ b/rules/azure/impact_azure_service_principal_credentials_added.toml
@@ -0,0 +1,55 @@
+[metadata]
+creation_date = "2021/05/05"
+maturity = "production"
+updated_date = "2021/05/05"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be
+added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with
+granted permissions will allow the attacker to access data that is normally protected by MFA requirements.
+"""
+false_positives = [
+ """
+ Service principal credential additions may be done by a system or network administrator. Verify whether the
+ username, hostname, and/or resource name should be making changes in your environment. Credential additions from
+ unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+ from the rule.
+ """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure*"]
+interval = "10m"
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Service Principal Credentials Added"
+note = """## Config
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"]
+risk_score = 47
+rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials." and event.outcome:(success or Success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1496"
+name = "Resource Hijacking"
+reference = "https://attack.mitre.org/techniques/T1496/"
+
+
+[rule.threat.tactic]
+id = "TA0040"
+name = "Impact"
+reference = "https://attack.mitre.org/tactics/TA0040/"
+
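Review bot: The ATT&CK mapping at the end of the hunk (T1496 Resource Hijacking under TA0040 Impact) does not match the behavior the rule's own `description` calls out — adding a rogue secret or certificate so an attacker can later authenticate as the service principal — which ATT&CK files under Account Manipulation (T1098, sub-technique T1098.001 Additional Cloud Credentials) in the Persistence tactic (TA0003), and which is also how the cited UNC2452 report frames the technique. Resource Hijacking denotes abuse of compute for things like cryptomining, so analysts filtering or reporting by tactic would put these alerts in the wrong bucket; the `impact_` filename prefix and the "Impact" tag should follow the corrected mapping, and the `subtechnique` block below can be dropped if this branch's rule schema does not yet accept it. A second, hedged point: from what I recall of the Azure AD audit schema, a secret added on the application object (rather than the service principal object) is logged under a different operation name such as "Update application – Certificates and secrets management", so this query may only cover one of the two credential-addition paths; it is worth a sentence in `note` either way. The `[[rule.threat]]` block is contained entirely within the hunk, so the replacement below is self-contained.

```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"


[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```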