From 3b7eedcc31a472fb7731e069d52dddc855d29c4c Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Thu, 4 Mar 2021 17:50:19 -0500
Subject: [PATCH] wrap azure operation name (#981)
---
 .../azure/collection_update_event_hub_auth_rule.toml | 4 ++--
 rules/azure/credential_access_key_vault_modified.toml | 4 ++--
 ...ential_access_storage_account_key_regenerated.toml | 4 ++--
 ...se_evasion_azure_diagnostic_settings_deletion.toml | 4 ++--
 rules/azure/defense_evasion_event_hub_deletion.toml | 4 ++--
 .../defense_evasion_firewall_policy_deletion.toml | 4 ++--
 .../defense_evasion_network_watcher_deletion.toml | 4 ++--
 rules/azure/discovery_blob_container_access_mod.toml | 4 ++--
 rules/azure/execution_command_virtual_machine.toml | 4 ++--
 .../impact_azure_automation_runbook_deleted.toml | 4 ++--
 rules/azure/impact_resource_group_deletion.toml | 4 ++--
 .../persistence_azure_automation_account_created.toml | 4 ++--
 ..._azure_automation_runbook_created_or_modified.toml | 11 +++++++++--
 .../persistence_azure_automation_webhook_created.toml | 10 ++++++++--
 14 files changed, 41 insertions(+), 28 deletions(-)
diff --git a/rules/azure/collection_update_event_hub_auth_rule.toml b/rules/azure/collection_update_event_hub_auth_rule.toml
index a4827df93..c68f9ea39 100644
--- a/rules/azure/collection_update_event_hub_auth_rule.toml
+++ b/rules/azure/collection_update_event_hub_auth_rule.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/AUTHORIZATIONRULES/WRITE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/credential_access_key_vault_modified.toml b/rules/azure/credential_access_key_vault_modified.toml
index 29fc658b7..589f1ac6b 100644
--- a/rules/azure/credential_access_key_vault_modified.toml
+++ b/rules/azure/credential_access_key_vault_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.KEYVAULT/VAULTS/WRITE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.KEYVAULT/VAULTS/WRITE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/credential_access_storage_account_key_regenerated.toml b/rules/azure/credential_access_storage_account_key_regenerated.toml
index 11c8026ac..a9156380c 100644
--- a/rules/azure/credential_access_storage_account_key_regenerated.toml
+++ b/rules/azure/credential_access_storage_account_key_regenerated.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/19"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -34,7 +34,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/REGENERATEKEY/ACTION" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
index f018a5214..d95640f8f 100644
--- a/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
+++ b/rules/azure/defense_evasion_azure_diagnostic_settings_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.INSIGHTS/DIAGNOSTICSETTINGS/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/defense_evasion_event_hub_deletion.toml b/rules/azure/defense_evasion_event_hub_deletion.toml
index 263fb8acd..d035e2e48 100644
--- a/rules/azure/defense_evasion_event_hub_deletion.toml
+++ b/rules/azure/defense_evasion_event_hub_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.EVENTHUB/NAMESPACES/EVENTHUBS/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/defense_evasion_firewall_policy_deletion.toml b/rules/azure/defense_evasion_firewall_policy_deletion.toml
index c4bf8cb2d..63db6a177 100644
--- a/rules/azure/defense_evasion_firewall_policy_deletion.toml
+++ b/rules/azure/defense_evasion_firewall_policy_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/FIREWALLPOLICIES/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/defense_evasion_network_watcher_deletion.toml b/rules/azure/defense_evasion_network_watcher_deletion.toml
index 262b45fb3..41e903722 100644
--- a/rules/azure/defense_evasion_network_watcher_deletion.toml
+++ b/rules/azure/defense_evasion_network_watcher_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/31"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -32,7 +32,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.NETWORK/NETWORKWATCHERS/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/discovery_blob_container_access_mod.toml b/rules/azure/discovery_blob_container_access_mod.toml
index 5ac49a4a0..5d2725785 100644
--- a/rules/azure/discovery_blob_container_access_mod.toml
+++ b/rules/azure/discovery_blob_container_access_mod.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/20"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -31,7 +31,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.STORAGE/STORAGEACCOUNTS/BLOBSERVICES/CONTAINERS/WRITE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/execution_command_virtual_machine.toml b/rules/azure/execution_command_virtual_machine.toml
index 98d4af502..de9381a5d 100644
--- a/rules/azure/execution_command_virtual_machine.toml
+++ b/rules/azure/execution_command_virtual_machine.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -38,7 +38,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/impact_azure_automation_runbook_deleted.toml b/rules/azure/impact_azure_automation_runbook_deleted.toml
index 3faa1b71e..f0a50dccc 100644
--- a/rules/azure/impact_azure_automation_runbook_deleted.toml
+++ b/rules/azure/impact_azure_automation_runbook_deleted.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/09/01"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,6 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/impact_resource_group_deletion.toml b/rules/azure/impact_resource_group_deletion.toml
index 10d6ac2fb..9b2e80a5f 100644
--- a/rules/azure/impact_resource_group_deletion.toml
+++ b/rules/azure/impact_resource_group_deletion.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/17"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -35,7 +35,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/persistence_azure_automation_account_created.toml b/rules/azure/persistence_azure_automation_account_created.toml
index b92d24b5c..651363701 100644
--- a/rules/azure/persistence_azure_automation_account_created.toml
+++ b/rules/azure/persistence_azure_automation_account_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -30,7 +30,7 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and azure.activitylogs.operation_name:"MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WRITE" and event.outcome:(Success or success)
 '''
diff --git a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
index c15293fff..f3667dc41 100644
--- a/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
+++ b/rules/azure/persistence_azure_automation_runbook_created_or_modified.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -29,6 +29,13 @@ timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION) and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and
+ azure.activitylogs.operation_name:
+ (
+ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or
+ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or
+ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION"
+ ) and
+ event.outcome:(Success or success)
 '''
diff --git a/rules/azure/persistence_azure_automation_webhook_created.toml b/rules/azure/persistence_azure_automation_webhook_created.toml
index 897559caa..4b95f3e55 100644
--- a/rules/azure/persistence_azure_automation_webhook_created.toml
+++ b/rules/azure/persistence_azure_automation_webhook_created.toml
@@ -1,7 +1,7 @@
 [metadata]
 creation_date = "2020/08/18"
 maturity = "production"
-updated_date = "2021/03/03"
+updated_date = "2021/03/04"
 [rule]
 author = ["Elastic"]
@@ -31,6 +31,12 @@ to = "now-25m"
 type = "query"
 query = '''
-event.dataset:azure.activitylogs and azure.activitylogs.operation_name:(MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION or MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE) and event.outcome:(Success or success)
+event.dataset:azure.activitylogs and
+ azure.activitylogs.operation_name:
+ (
+ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/ACTION" or
+ "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/WEBHOOKS/WRITE"
+ ) and
+ event.outcome:(Success or success)
 '''
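Review bot: The wrapped multi-line query layout is applied only to this runbook rule and to the persistence_azure_automation_webhook_created.toml hunk that follows it, while the twelve other Azure rules in this same commit keep their query on a single line, so rules/azure now carries two layouts for the same shape of expression. Pick one convention for the set: either collapse this back to the one-line form the siblings use, `event.dataset:azure.activitylogs and azure.activitylogs.operation_name:("MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/DRAFT/WRITE" or "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/WRITE" or "MICROSOFT.AUTOMATION/AUTOMATIONACCOUNTS/RUNBOOKS/PUBLISH/ACTION") and event.outcome:(Success or success)`, or wrap the single-value rules the same way in a follow-up. The leading whitespace on the continuation lines sits inside the TOML literal string and therefore becomes part of the query text; KQL treats whitespace between tokens as insignificant, so this is a readability choice only, but the wrapped form is worth passing through whatever rule validation the repository runs to confirm it still parses. The `[rule]` table these lines belong to begins outside the hunk.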