From 6b31b96bf8a5bb43edb2a195768090caf8276e2a Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Tue, 15 Dec 2020 11:47:23 -0500
Subject: [PATCH] [New Rule] Azure Service Principal Addition (#717)
* Create defense_evasion_azure_service_principal_addition.toml
* Update defense_evasion_azure_service_principal_addition.toml
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: Justin Ibarra
* Update rules/azure/defense_evasion_azure_service_principal_addition.toml
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
* lint
Co-authored-by: Justin Ibarra
Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
---
 ...sion_azure_service_principal_addition.toml | 58 +++++++++++++++++++
 1 file changed, 58 insertions(+)
 create mode 100644 rules/azure/defense_evasion_azure_service_principal_addition.toml
diff --git a/rules/azure/defense_evasion_azure_service_principal_addition.toml b/rules/azure/defense_evasion_azure_service_principal_addition.toml
new file mode 100644
index 000000000..ce6fce76f
--- /dev/null
+++ b/rules/azure/defense_evasion_azure_service_principal_addition.toml
@@ -0,0 +1,58 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
+accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
+reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
+a user identity.
+"""
+false_positives = [
+ """
+ A service principal may be created by a system or network administrator. Verify whether the username, hostname,
+ and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users
+ or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Service Principal Addition"
+note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+references = [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+ "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
+]
+risk_score = 47
+rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
+severity = "medium"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1550"
+name = "Use Alternate Authentication Material"
+reference = "https://attack.mitre.org/techniques/T1550/"
+[[rule.threat.technique.subtechnique]]
+id = "T1550.001"
+name = "Application Access Token"
+reference = "https://attack.mitre.org/techniques/T1550/001/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+
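Review bot: The `note` field on the new side carries only the data-source prerequisite ("The Azure Fleet Integration or Filebeat module must be enabled to use this rule."), while the `query` fires on every successful `Add service principal` audit operation regardless of who performed it; triage would be easier if `note` also stated that an alert must be correlated with the initiating identity and its origin, and with any other Azure AD changes in the same window, since `false_positives` already directs the analyst to verify the user, host and resource. The mapping to T1550.001 (Application Access Token) under Defense Evasion is defensible because a new principal yields credentials that bypass user sign-in, but creating an identity is arguably closer to a Persistence technique such as T1136.003 (Create Account: Cloud Account); either adjust the tactic and the `defense_evasion_` filename prefix, or add a short comment above `[[rule.threat]]` explaining why Defense Evasion was chosen so the choice does not look accidental. Minor style: `[[rule.threat.technique]]` and `[[rule.threat.technique.subtechnique]]` follow their parent header with no blank line, whereas two blank lines precede `[[rule.threat]]` and `[rule.threat.tactic]`; one blank line between every table would match the rest of the file.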