[New Rule] Azure Service Principal Addition (#717)

* Create defense_evasion_azure_service_principal_addition.toml

* Update defense_evasion_azure_service_principal_addition.toml

* Update rules/azure/defense_evasion_azure_service_principal_addition.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* Update rules/azure/defense_evasion_azure_service_principal_addition.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* lint

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Brent Murphy
2020-12-15 11:47:23 -05:00
committed by GitHub
parent 84ab3db48c
commit 6b31b96bf8
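--- /dev/null
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
+accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
+reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
+a user identity.
+"""
+false_positives = [
+"""
+A service principal may be created by a system or network administrator. Verify whether the username, hostname,
+and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users
+or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+""",
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Service Principal Addition"
+note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+references = [
+"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+"https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
+]
+risk_score = 47
+rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
+'''
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"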
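Review bot: The ATT&CK mapping in the `[[rule.threat]]` block does not describe what the query detects: `azure.auditlogs.operation_name:"Add service principal"` observes the creation of a new identity, which is T1136.003 Create Account: Cloud Account under Persistence (TA0003), whereas T1550.001 Application Access Token describes the later use of a token that this rule never sees, so the mapping (and the `defense_evasion_` filename prefix) should follow the detected behavior. Separately, Azure AD records a successful "Add service principal" for every app registration, every enterprise-app addition and, presumably, every user consent to a multi-tenant app, so in an active tenant this fires far more often than the false_positives text implies; I would extend `note` to name the fields an analyst pivots on, e.g. the initiating actor under `azure.auditlogs.properties.initiated_by` and the target `display_name` under `azure.auditlogs.properties.target_resources` (field paths to be confirmed against the Filebeat azure module), and to say that the rule is meant to be correlated with credential additions to the new principal rather than triaged alone. The "hostname" in the false_positives guidance also does not apply here: Azure AD audit events carry an initiating user or app and a target resource, not a host.
```toml
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1136"
name = "Create Account"
reference = "https://attack.mitre.org/techniques/T1136/"
[[rule.threat.technique.subtechnique]]
id = "T1136.003"
name = "Cloud Account"
reference = "https://attack.mitre.org/techniques/T1136/003/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
```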