From ba16e27edb87b8613dd7ddccabe3a7dc77a2bbdf Mon Sep 17 00:00:00 2001
From: Terrance DeJesus <99630311+terrancedejesus@users.noreply.github.com>
Date: Wed, 16 Apr 2025 13:58:17 -0400
Subject: [PATCH] [Rule Tuning] Tuning `Azure Service Principal Credentials
 Added` (#4570)

* tuning 'Azure Service Principal Credentials Added'

* updated patch version

* added investigation guide

* updating patch version

* updating patch version
---
 detection_rules/etc/non-ecs-schema.json       |   1 +
 ...principal_credentials_added_to_rare_app.md |  62 ++++++++++
 ...incipal_credentials_added_to_rare_app.toml |  48 +++++++
 hunting/index.md                              |   1 +
 hunting/index.yml                             |   5 +
 pyproject.toml                                |   2 +-
 ...e_service_principal_credentials_added.toml |  92 --------------
 ...e_service_principal_credentials_added.toml | 117 ++++++++++++++++++
 8 files changed, 235 insertions(+), 93 deletions(-)
 create mode 100644 hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md
 create mode 100644 hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
 delete mode 100644 rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
 create mode 100644 rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml

diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json
index e53607fec..dd3eac23c 100644
--- a/detection_rules/etc/non-ecs-schema.json
+++ b/detection_rules/etc/non-ecs-schema.json
@@ -173,6 +173,7 @@
   "logs-azure.signinlogs-*": {
     "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
     "azure.signinlogs.properties.original_transfer_method": "keyword",
+    "azure.auditlogs.properties.target_resources.0.display_name": "keyword",
     "azure.signinlogs.properties.authentication_details.authentication_method": "keyword"
   },
   "logs-azure.activitylogs-*": {
diff --git a/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md b/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md
new file mode 100644
index 000000000..79f5b588b
--- /dev/null
+++ b/hunting/azure/docs/entra_service_principal_credentials_added_to_rare_app.md
@@ -0,0 +1,62 @@
+# Microsoft Entra ID Credentials Added to Rare Service Principal
+
+---
+
+## Metadata
+
+- **Author:** Elastic
+- **Description:** This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. 
+- **UUID:** `d2dd0288-0a8c-11f0-b738-f661ea17fbcc`
+- **Integration:** [azure](https://docs.elastic.co/integrations/azure)
+- **Language:** `[ES|QL]`
+- **Source File:** [Microsoft Entra ID Credentials Added to Rare Service Principal](../queries/entra_service_principal_credentials_added_to_rare_app.toml)
+
+## Query
+
+```sql
+FROM logs-azure.auditlogs*
+| WHERE
+    // filter on Microsoft Entra Audit Logs
+    // filter for service principal credentials being added
+    event.dataset == "azure.auditlogs"
+    and azure.auditlogs.operation_name == "Add service principal credentials"
+    and event.outcome == "success"
+| EVAL
+    // SLICE n0 of requests values for specific Client App ID
+    // Cast Client App ID to STRING type
+    azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
+| WHERE
+    // REGEX on Client APP ID for UUIDv4
+    azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
+| EVAL
+    // BUCKET events weekly
+    timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
+| STATS
+    // Aggregate weekly occurrences by Client App ID, User ID
+    weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
+        azure.auditlogs.properties.additional_details.appId,
+        azure.auditlogs.properties.initiated_by.user.id
+| WHERE weekly_user_app_occurrence_count == 1
+```
+
+## Notes
+
+- This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`
+- Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.
+- The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.
+- The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.
+- Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.
+- Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment.
+
+## MITRE ATT&CK Techniques
+
+- [T1098.001](https://attack.mitre.org/techniques/T1098/001)
+
+## References
+
+- https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452
+- https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/
+
+## License
+
+- `Elastic License v2`
diff --git a/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml b/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
new file mode 100644
index 000000000..5a54df915
--- /dev/null
+++ b/hunting/azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
@@ -0,0 +1,48 @@
+[hunt]
+author = "Elastic"
+description = """This hunting query gathers evidence of a compromised Microsoft Entra ID identity creating new credentials for a service principal. This may indicate that an attacker has hijacked an Application Administrative entity and is attempting to use it escalate privileges by adding backdoor credentials to a service principal. Service principals are often used to manage permissions and access to resources in Azure, making them a valuable target for attackers. """
+integration = ["azure"]
+uuid = "d2dd0288-0a8c-11f0-b738-f661ea17fbcc"
+name = "Microsoft Entra ID Credentials Added to Rare Service Principal"
+language = ["ES|QL"]
+license = "Elastic License v2"
+notes = [
+    "This is an ES|QL query, therefore results are returned in a tabular format. Pivot into related events using the `azure.auditlogs.properties.initiated_by.user.id`",
+    "Review `azure.auditlogs.properties.additional_details.appId` to verify the Client App ID. This should be a known application in your environment. Check if it is an Azure-managed application, custom application, or a third-party application.",
+    "The `azure.auditlogs.properties.additional_details.appId` value will be available in `azure.auditlogs.properties.additional_details.value` when triaging the original events.",
+    "The `azure.auditlogs.properties.initiated_by.user.id` may be a hijacked account with elevated privileges. Review the user account to determine if it is a known administrative account or a compromised account.",
+    "Review `azure.auditlogs.properties.target_resources.0.display_name` to verify the service principal name. This correlates directly to the `azure.auditlogs.properties.additional_details.appId` value.",
+    "Identify potential authentication events from the service principal the credentials were added to. This may indicate that the service principal is being used to access resources in your environment."
+]
+mitre = ['T1098.001']
+references = [
+    "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
+    "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/"
+]
+query = [
+'''
+FROM logs-azure.auditlogs*
+| WHERE
+    // filter on Microsoft Entra Audit Logs
+    // filter for service principal credentials being added
+    event.dataset == "azure.auditlogs"
+    and azure.auditlogs.operation_name == "Add service principal credentials"
+    and event.outcome == "success"
+| EVAL
+    // SLICE n0 of requests values for specific Client App ID
+    // Cast Client App ID to STRING type
+    azure.auditlogs.properties.additional_details.appId = MV_SLICE(azure.auditlogs.properties.additional_details.value, 0)::STRING
+| WHERE
+    // REGEX on Client APP ID for UUIDv4
+    azure.auditlogs.properties.additional_details.appId RLIKE """[0-9a-fA-F]{8}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{4}-[0-9a-fA-F]{12}"""
+| EVAL
+    // BUCKET events weekly
+    timestamp_week_bucket = DATE_TRUNC(7 day, @timestamp)
+| STATS
+    // Aggregate weekly occurrences by Client App ID, User ID
+    weekly_user_app_occurrence_count = COUNT_DISTINCT(timestamp_week_bucket) BY
+        azure.auditlogs.properties.additional_details.appId,
+        azure.auditlogs.properties.initiated_by.user.id
+| WHERE weekly_user_app_occurrence_count == 1
+'''
+]
\ No newline at end of file
diff --git a/hunting/index.md b/hunting/index.md
index 1714b29b2..eca7a9b05 100644
--- a/hunting/index.md
+++ b/hunting/index.md
@@ -36,6 +36,7 @@ Here are the queries currently available:
 - [Azure Entra Excessive Single-Factor Non-Interactive Sign-Ins](./azure/docs/entra_excessive_non_interactive_sfa_sign_ins_across_users.md) (ES|QL)
 - [Azure Entra Unusual Client App Authentication Requests on Behalf of Principal Users](./azure/docs/entra_unusual_client_app_auth_request_on_behalf_of_user.md) (ES|QL)
 - [Azure Entra Unusual Failed Authentication Attempts Behind Rare User Agents](./azure/docs/entra_authentication_attempts_behind_rare_user_agents.md) (ES|QL)
+- [Microsoft Entra ID Credentials Added to Rare Service Principal](./azure/docs/entra_service_principal_credentials_added_to_rare_app.md) (ES|QL)
 
 
 ## linux
diff --git a/hunting/index.yml b/hunting/index.yml
index 93903f0d7..d5c7fbdc3 100644
--- a/hunting/index.yml
+++ b/hunting/index.yml
@@ -687,3 +687,8 @@ azure:
     mitre:
     - T1078.004
     - T1110.003
+  d2dd0288-0a8c-11f0-b738-f661ea17fbcc:
+    name: Microsoft Entra ID Credentials Added to Rare Service Principal
+    path: ./azure/queries/entra_service_principal_credentials_added_to_rare_app.toml
+    mitre:
+    - T1098.001
diff --git a/pyproject.toml b/pyproject.toml
index 4ddef332a..1f8c928ef 100644
--- a/pyproject.toml
+++ b/pyproject.toml
@@ -1,6 +1,6 @@
 [project]
 name = "detection_rules"
-version = "1.0.8"
+version = "1.0.9"
 description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
 readme = "README.md"
 requires-python = ">=3.12"
diff --git a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml b/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
deleted file mode 100644
index a963a5733..000000000
--- a/rules/integrations/azure/impact_azure_service_principal_credentials_added.toml
+++ /dev/null
@@ -1,92 +0,0 @@
-[metadata]
-creation_date = "2021/05/05"
-integration = ["azure"]
-maturity = "production"
-updated_date = "2025/01/15"
-
-[rule]
-author = ["Elastic", "Austin Songer"]
-description = """
-Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be
-added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with
-granted permissions will allow the attacker to access data that is normally protected by MFA requirements.
-"""
-false_positives = [
-    """
-    Service principal credential additions may be done by a system or network administrator. Verify whether the
-    username, hostname, and/or resource name should be making changes in your environment. Credential additions from
-    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
-    from the rule.
-    """,
-]
-from = "now-25m"
-index = ["filebeat-*", "logs-azure*"]
-interval = "10m"
-language = "kuery"
-license = "Elastic License v2"
-name = "Azure Service Principal Credentials Added"
-note = """## Triage and analysis
-
-> **Disclaimer**:
-> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
-
-### Investigating Azure Service Principal Credentials Added
-
-Azure Service Principals are identities used by applications or services to access Azure resources securely. They are typically granted specific permissions, and credentials are rarely updated. Adversaries may exploit this by adding unauthorized credentials, gaining access to sensitive data without triggering MFA. The detection rule monitors audit logs for successful additions of service principal credentials, flagging potential unauthorized access attempts.
-
-### Possible investigation steps
-
-- Review the Azure audit logs to identify the specific service principal for which credentials were added, focusing on entries with the operation name "Add service principal credentials" and a successful outcome.
-- Determine the identity of the user or application that performed the credential addition by examining the associated user or application ID in the audit log entry.
-- Investigate the permissions and roles assigned to the affected service principal to assess the potential impact of unauthorized access.
-- Check for any recent changes or unusual activity associated with the service principal, such as modifications to permissions or unexpected resource access patterns.
-- Correlate the event with other security logs and alerts to identify any related suspicious activities or potential indicators of compromise within the environment.
-- Contact the owner or responsible team for the service principal to verify if the credential addition was authorized and legitimate.
-
-### False positive analysis
-
-- Routine credential updates for service principals used in automated deployment processes can trigger alerts. To manage this, identify and document these processes, then create exceptions for known service principals involved in regular updates.
-- Credential additions by authorized IT personnel during scheduled maintenance or upgrades may be flagged. Implement a change management process to log and verify these activities, allowing you to exclude them from triggering alerts.
-- Integration of new third-party applications that require service principal credentials might cause false positives. Maintain an inventory of approved third-party integrations and exclude their credential additions from monitoring.
-- Development and testing environments often see frequent credential changes. Segregate these environments from production in your monitoring setup to reduce unnecessary alerts.
-- Credential rotations as part of security best practices can be mistaken for unauthorized additions. Establish a schedule for credential rotations and configure your monitoring to recognize these as legitimate activities.
-
-### Response and remediation
-
-- Immediately revoke the newly added credentials for the affected Azure Service Principal to prevent unauthorized access.
-- Conduct a thorough review of the audit logs to identify any unauthorized activities performed using the compromised Service Principal credentials.
-- Reset and update the credentials for the affected Service Principal, ensuring they are stored securely and access is restricted to authorized personnel only.
-- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized credential addition and any potential data access.
-- Implement additional monitoring on the affected Service Principal and related resources to detect any further suspicious activities.
-- Review and tighten the permissions granted to the Service Principal to ensure they follow the principle of least privilege.
-- Consider enabling conditional access policies or additional security measures, such as IP whitelisting, to enhance protection against similar threats in the future.
-
-## Setup
-
-The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
-references = ["https://www.fireeye.com/content/dam/collateral/en/wp-m-unc2452.pdf"]
-risk_score = 47
-rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
-severity = "medium"
-tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Impact", "Resources: Investigation Guide"]
-timestamp_override = "event.ingested"
-type = "query"
-
-query = '''
-event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal credentials" and event.outcome:(success or Success)
-'''
-
-
-[[rule.threat]]
-framework = "MITRE ATT&CK"
-[[rule.threat.technique]]
-id = "T1496"
-name = "Resource Hijacking"
-reference = "https://attack.mitre.org/techniques/T1496/"
-
-
-[rule.threat.tactic]
-id = "TA0040"
-name = "Impact"
-reference = "https://attack.mitre.org/tactics/TA0040/"
-
diff --git a/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml b/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml
new file mode 100644
index 000000000..42a77a913
--- /dev/null
+++ b/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml
@@ -0,0 +1,117 @@
+[metadata]
+creation_date = "2021/05/05"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/03/26"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations,
+credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or
+certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA
+requirements.
+"""
+false_positives = [
+    """
+    Service principal credential additions may be done by a system or network administrator. Verify whether the
+    username, hostname, and/or resource name should be making changes in your environment. Credential additions from
+    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+    from the rule.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Entra ID Service Principal Credentials Added by Rare User"
+note = """## Triage and analysis
+
+### Investigating Microsoft Entra ID Service Principal Credentials Added by Rare User
+
+This rule identifies the addition of new credentials (client secrets or certificates) to a Microsoft Entra ID (formerly Azure AD) service principal by a user who has not previously performed this operation in the last 10 days. Adversaries who obtain temporary or persistent access to a user account may add rogue credentials to service principals in order to maintain unauthorized access to cloud resources.
+
+This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects rare users performing sensitive identity-related actions in Entra ID.
+
+#### Possible Investigation Steps
+- Identify the Actor: Review the `azure.auditlogs.properties.initiated_by.user.user_principal_name` and `azure.auditlogs.properties.initiated_by.user.id` fields to identify the user account performing the action. Determine if this user typically manages service principals.
+- Check for Known Admin or Automation Context: Validate if the action was expected (e.g., part of a deployment pipeline or credential rotation process). Investigate whether this is a known administrative account or an automated service principal maintainer.
+- Inspect Credential Type: Determine if a certificate or client secret was added, and assess its expiration time, usage scope, and whether it aligns with internal practices.
+- Correlate with Other Events: Look for surrounding events such as creation of new service principals, assignment of roles or permissions, or suspicious application sign-ins that could indicate persistence or privilege escalation.
+- Analyze Source of Activity: Review `source.ip` and `user_agent.original` fields to assess whether the request came from a trusted network or device. Unexpected geolocations, hosting providers, or Linux CLI-based user agents may indicate unauthorized activity.
+
+### False Positive Analysis
+- Routine Administrative Tasks: This alert may trigger when legitimate administrators or DevOps engineers rotate credentials for service principals as part of normal operations.
+- First-Time Actions by Known Accounts: If a new user joins the team or an existing user is performing this task for the first time in the observed period, it may be expected behavior. Verify with the relevant team.
+
+### Response and Remediation
+- Revoke Unauthorized Credentials: If suspicious, disable or delete the newly added service principal credential immediately.
+- Investigate User Account: Review the login history, IP address usage, and other activity from the initiating user to determine whether the account is compromised.
+- Audit Affected Service Principal: Evaluate the permissions granted to the service principal to understand the potential impact of misuse.
+- Review RBAC and Least Privilege: Ensure that only authorized identities have permission to add credentials to service principals. Tighten IAM role definitions if necessary.
+- Enable Just-in-Time or Approval-Based Access: Consider implementing access control policies that require approvals for modifying service principals or adding credentials.
+
+### Additional Information
+
+For more information on securing Microsoft Entra ID applications and service principals, refer to:
+- [Hardening Microsoft 365 and Azure AD – Google Threat Intelligence](https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452)
+- [Azure AD Privilege Escalation – Dirkjan Mollema](https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/)
+- [Microsoft Entra Best Practices](https://learn.microsoft.com/en-us/entra/fundamentals/security-best-practices)
+"""
+
+references = [
+    "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
+    "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/",
+]
+risk_score = 47
+rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.auditlogs"
+    and azure.auditlogs.operation_name:"Add service principal credentials"
+    and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = [
+    "azure.auditlogs.properties.target_resources.0.display_name",
+    "azure.auditlogs.properties.initiated_by.user.id",
+]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+