From a34a26ddec5b77c5bd92701995a4f83dee7b34ce Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Tue, 6 May 2025 11:19:50 -0400
Subject: [PATCH] [Rule Tuning] Excluding `Microsoft Entra ID Service Principal Addition` Invoked by MSFT Identity (#4700)
* tuning rule to exclude service principals added by MSFT
* added additional exclusions
* updated rule name and file name
* updated investigation guide and mitre
---
 ...ence_entra_service_principal_created.toml} | 59 +++++++++++--------
 1 file changed, 35 insertions(+), 24 deletions(-)
 rename rules/integrations/azure/{defense_evasion_azure_service_principal_addition.toml => persistence_entra_service_principal_created.toml} (72%)
diff --git a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml b/rules/integrations/azure/persistence_entra_service_principal_created.toml
similarity index 72%
rename from rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
rename to rules/integrations/azure/persistence_entra_service_principal_created.toml
index cad7d6eec..32bb180ec 100644
--- a/rules/integrations/azure/defense_evasion_azure_service_principal_addition.toml
+++ b/rules/integrations/azure/persistence_entra_service_principal_created.toml
@@ -2,15 +2,15 @@
 creation_date = "2020/12/14"
 integration = ["azure"]
 maturity = "production"
-updated_date = "2024/05/21"
+updated_date = "2025/05/05"
 [rule]
 author = ["Elastic"]
 description = """
-Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
-accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
-reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
-a user identity.
+Identifies when a new service principal is added in Microsoft Entra ID. An application, hosted service, or automated
+tool that accesses or modifies resources needs an identity created. This identity is known as a service principal. For
+security reasons, it's always recommended to use service principals with automated tools rather than allowing them to
+log in with a user identity.
 """
 false_positives = [
 """
@@ -19,14 +19,14 @@ false_positives = [
 or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
 """,
 ]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
 language = "kuery"
 license = "Elastic License v2"
-name = "Azure Service Principal Addition"
+name = "Microsoft Entra ID Service Principal Created"
 note = """## Triage and analysis
-### Investigating Azure Service Principal Addition
+### Investigating Microsoft Entra ID Service Principal Created
 Service Principals are identities used by applications, services, and automation tools to access specific resources. They grant specific access based on the assigned API permissions. Most organizations that work a lot with Azure AD make use of service principals. Whenever an application is registered, it automatically creates an application object and a service principal in an Azure AD tenant.
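Review bot: The lookback shrinks from `now-25m` to `now-9m` on the `from` line, and nothing in the hunk or the commit message records why the window is shortened alongside the index change. With `timestamp_override = "event.ingested"` (set further down the file) the shorter window should be safe for documents that carry `event.ingested`, but I believe the rule engine falls back to `@timestamp` for documents lacking that field (verify for this stack version), and Entra audit events can arrive well after their event time, so legacy `filebeat-*` documents could fall outside a 9-minute window. If the narrower `logs-azure.auditlogs-*` pattern is meant to make `filebeat-*` a legacy path only, a one-line statement of that in `setup` or the triage guide would explain both changes to the next tuner. The `[rule]` table these keys belong to is opened in the previous hunk.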
@@ -63,47 +63,58 @@ If this rule is noisy in your environment due to expected activity, consider add
 - Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.
 - Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
 - Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+"""
 references = [
 "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
 "https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
 ]
 risk_score = 21
 rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
+setup = """### Microsft Entra ID Audit Logs
+This rule requires the Azure integration with Microsoft Entra ID Audit Logs data stream ingesting in your Elastic Stack deployment. For more information, refer to the [Microsoft Entra ID Audit Logs integration documentation](https://www.elastic.co/docs/reference/integrations/azure/adlogs).
+"""
 severity = "low"
 tags = [
 "Domain: Cloud",
 "Data Source: Azure",
+ "Data Source: Microsoft Entra ID",
+ "Data Source: Microsoft Entra ID Audit Logs",
 "Use Case: Identity and Access Audit",
 "Resources: Investigation Guide",
- "Tactic: Defense Evasion",
+ "Tactic: Persistence",
 ]
 timestamp_override = "event.ingested"
 type = "query"
 query = '''
-event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
+event.dataset:azure.auditlogs
+ and azure.auditlogs.operation_name:"Add service principal"
+ and event.outcome:(success or Success)
+ and not azure.auditlogs.identity: (
+ "Managed Service Identity" or
+ "Windows Azure Service Management API" or
+ "Microsoft Azure AD Internal - Jit Provisioning" or
+ "AAD App Management" or
+ "Power Virtual Agents Service"
+ )
 '''
 [[rule.threat]]
 framework = "MITRE ATT&CK"
 [[rule.threat.technique]]
-id = "T1550"
-name = "Use Alternate Authentication Material"
-reference = "https://attack.mitre.org/techniques/T1550/"
+id = "T1136"
+name = "Create Account"
+reference = "https://attack.mitre.org/techniques/T1136/"
 [[rule.threat.technique.subtechnique]]
-id = "T1550.001"
-name = "Application Access Token"
-reference = "https://attack.mitre.org/techniques/T1550/001/"
+id = "T1136.003"
+name = "Cloud Account"
+reference = "https://attack.mitre.org/techniques/T1136/003/"
 [rule.threat.tactic]
-id = "TA0005"
-name = "Defense Evasion"
-reference = "https://attack.mitre.org/tactics/TA0005/"
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
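Review bot: The new `not azure.auditlogs.identity: (...)` clause excludes events by the initiating identity's display name, which is a free-form label rather than a stable identifier, so any principal that happens to carry one of those five names drops out of the rule; if the integration exposes the initiating app's id, anchoring the carve-out on that field (or on both) would make the exclusion more robust than a name match alone. The reason each of the five identities is excluded is recorded nowhere in the file — a sentence in `false_positives` or the triage guide stating that they are first-party Microsoft provisioning identities whose service-principal additions are expected would let the next tuner judge whether the list is still right. The new `setup` heading also has a typo; it should read `setup = """### Microsoft Entra ID Audit Logs`. The `[rule]` table this hunk edits is opened in the first hunk, outside this one.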