security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Resource Group Deletion (#158)

Browse Source 
* Create impact_resource_group_deletion.toml

* Update rules/azure/impact_resource_group_deletion.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
This commit is contained in:
Brent Murphy
2020-09-03 17:06:43 -04:00
committed by GitHub
parent 1f555c289f
commit 6b04105936
1 changed files with 67 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/azure/impact_resource_group_deletion.toml
+67
View File
@@ -0,0 +1,67 @@
[metadata]
creation_date = "2020/08/17"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/08/17"
[rule]
author = ["Elastic"]
description = """
Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally
destroy data.
"""
false_positives = [
"""
Deletion of a resource group may be done by a system or network administrator. Verify whether the username,
hostname, and/or resource name should be making changes in your environment. Resource group deletions from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-25m"
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Resource Group Deletion"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://docs.microsoft.com/en-us/azure/azure-resource-manager/management/manage-resource-groups-portal",
]
risk_score = 47
rule_id = "bb4fe8d2-7ae2-475c-8b5d-55b449e4264f"
severity = "medium"
tags = ["Elastic", "Azure", "SecOps", "Continuous Monitoring", "Logging"]
type = "query"
query = '''
event.module:azure and event.dataset:azure.activitylogs and event.category:Administrative and azure.activitylogs.operation_name:MICROSOFT.RESOURCES/SUBSCRIPTIONS/RESOURCEGROUPS/DELETE and event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1485"
name = "Data Destruction"
reference = "https://attack.mitre.org/techniques/T1485/"
[rule.threat.tactic]
id = "TA0040"
name = "Impact"
reference = "https://attack.mitre.org/tactics/TA0040/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1089"
name = "Disabling Security Tools"
reference = "https://attack.mitre.org/techniques/T1089/"
[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"