[New Rule] Azure Global Administrator Role Addition to PIM User (#336)

* Create persistence_azure_pim_user_added_global_admin.toml

* tweak syntax for readability

* Update additional rule name to match the others' naming convention

* Delete defense_evasion_azure_diagnostic_settings_deletion.toml

* tweak rule name

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>

* Update rules/azure/persistence_azure_pim_user_added_global_admin.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

* update description and lint

* small naming tweak for consistency

Co-authored-by: David French <56409778+threat-punter@users.noreply.github.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>
Brent Murphy
2020-09-28 10:45:59 -04:00
committed by GitHub
parent 3c0d982d8f
commit 7857787328
@@ -0,0 +1,58 @@
[metadata]
creation_date = "2020/09/24"
ecs_version = ["1.6.0"]
maturity = "production"
updated_date = "2020/09/24"
[rule]
author = ["Elastic"]
description = """
Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM)
user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an
organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in
your Azure AD organization.
"""
false_positives = [
"""
Global administrator additions may be done by a system or network administrator. Verify whether the username,
hostname, and/or resource name should be making changes in your environment. Global administrator additions from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
index = ["filebeat-*"]
language = "kuery"
license = "Elastic License"
name = "Azure Global Administrator Role Addition to PIM User"
note = "The Azure Filebeat module must be enabled to use this rule."
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
]
risk_score = 73
rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
severity = "high"
tags = ["Elastic", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
type = "query"
query = '''
event.module:azure and azure.auditlogs.properties.category:RoleManagement and
azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or
"Add member to role in PIM completed (timebound)") and
azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and
event.outcome:Success
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
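Review bot: The operation_name filter in the query covers only two of the PIM completion variants, so a permanent active assignment — the highest-impact case — and a timebound eligible assignment would both be missed. The Azure AD audit log appears to emit the `(permanent)`/`(timebound)` suffix for both the active (`Add member to role in PIM completed`) and eligible (`Add eligible member to role in PIM completed`) activities; worth confirming against a live tenant, and if so widening the list to `azure.auditlogs.operation_name:("Add member to role in PIM completed (permanent)" or "Add member to role in PIM completed (timebound)" or "Add eligible member to role in PIM completed (permanent)" or "Add eligible member to role in PIM completed (timebound)")`. Separately, `event.outcome:Success` is a case-sensitive keyword match while ECS 1.6 (the version pinned in [metadata]) defines the allowed values as lowercase `success`/`failure`, so if the Filebeat Azure module normalizes the value the rule never fires; `event.outcome:(Success or success)` covers both until that is verified. The false-positive guidance tells analysts to verify the hostname, but a directory role assignment is attributed to an initiating user or service principal and a source IP rather than a host, so triage guidance should point at those fields instead.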