diff --git a/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml new file mode 100644 index 000000000..8fec05544 --- /dev/null +++ b/rules/integrations/azure/credential_access_azure_full_network_packet_capture_detected.toml @@ -0,0 +1,61 @@ +[metadata] +creation_date = "2021/08/12" +maturity = "production" +updated_date = "2021/10/15" +integration = "azure" + + +[rule] +author = ["Austin Songer"] +description = """ +Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can +be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted +internal traffic. +""" +false_positives = [ + """ + Full Network Packet Capture may be done by a system or network administrator. Verify whether the user identity, + user agent, and/or hostname should be making changes in your environment. Full Network Packet Capture from unfamiliar + users or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule. + """, +] +from = "now-25m" +index = ["filebeat-*", "logs-azure*"] +language = "kuery" +license = "Elastic License v2" +name = "Azure Full Network Packet Capture Detected" +note = """## Config + +The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.""" +references = ["https://docs.microsoft.com/en-us/azure/role-based-access-control/resource-provider-operations"] +risk_score = 47 +rule_id = "3ad77ed4-4dcf-4c51-8bfc-e3f7ce316b2f" +tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Monitoring"] +severity = "medium" +timestamp_override = "event.ingested" +type = "query" + +query = ''' +event.dataset:azure.activitylogs and azure.activitylogs.operation_name: + ( + "MICROSOFT.NETWORK/*/STARTPACKETCAPTURE/ACTION" or + "MICROSOFT.NETWORK/*/VPNCONNECTIONS/STARTPACKETCAPTURE/ACTION" or + "MICROSOFT.NETWORK/*/PACKETCAPTURES/WRITE" + ) and +event.outcome:(Success or success) +''' + + + +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +reference = "https://attack.mitre.org/techniques/T1040/" +name = "Network Sniffing" +id = "T1040" + + +[rule.threat.tactic] +reference = "https://attack.mitre.org/tactics/TA0006/" +name = "Credential Access" +id = "TA0006"