From c5cae5c437fa8edde62d1411825ef73a70c58745 Mon Sep 17 00:00:00 2001
From: Brent Murphy <56412096+bm11100@users.noreply.github.com>
Date: Tue, 15 Dec 2020 11:52:43 -0500
Subject: [PATCH] [New Rule] Azure Active Directory PowerShell Sign-in (#718)

* Create initial_access_azure_active_directory_powershell_signon.toml

* Apply suggestions from code review

Co-authored-by: Justin Ibarra

* Update initial_access_azure_active_directory_powershell_signin.toml

Co-authored-by: Justin Ibarra
---
 ...re_active_directory_powershell_signin.toml | 57 +++++++++++++++++++
 1 file changed, 57 insertions(+)
 create mode 100644 rules/azure/initial_access_azure_active_directory_powershell_signin.toml

diff --git a/rules/azure/initial_access_azure_active_directory_powershell_signin.toml b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
new file mode 100644
index 000000000..0691495db
--- /dev/null
+++ b/rules/azure/initial_access_azure_active_directory_powershell_signin.toml
@@ -0,0 +1,57 @@
+[metadata]
+creation_date = "2020/12/14"
+maturity = "production"
+updated_date = "2020/12/14"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows
+for managing settings from the command line, which is intended for users who are members of an admin role.
+"""
+false_positives = [
+ """
+ Sign-ins using PowerShell may be done by a system or network administrator. Verify whether the username, hostname,
+ and/or resource name should be signing into your environment. Sign-ins from unfamiliar users or hosts should be
+ investigated. If known behavior is causing false positives, it can be exempted from the rule.
+ """,
+]
+from = "now-25m"
+index = ["filebeat-*", "logs-azure.*"]
+language = "kuery"
+license = "Elastic License"
+name = "Azure Active Directory PowerShell Sign-in"
+note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule."
+references = [
+ "https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
+ "https://docs.microsoft.com/en-us/microsoft-365/enterprise/connect-to-microsoft-365-powershell?view=o365-worldwide",
+]
+risk_score = 21
+rule_id = "a605c51a-73ad-406d-bf3a-f24cc41d5c97"
+severity = "low"
+tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
+type = "query"
+
+query = '''
+event.dataset:azure.signinlogs and
+ azure.signinlogs.properties.app_display_name:"Azure Active Directory PowerShell" and
+ azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+[[rule.threat.technique.subtechnique]]
+id = "T1078.004"
+name = "Cloud Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/004/"
+
+
+[rule.threat.tactic]
+id = "TA0001"
+name = "Initial Access"
+reference = "https://attack.mitre.org/tactics/TA0001/"
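Review bot: The `token_issuer_type:AzureAD` clause in `query` limits the rule to tokens issued by Azure AD itself, so sign-ins authenticated through a federated identity provider — which appears to be the scenario the first entry in `references` (the MSRC guidance) is concerned with — would not match; if those are meant to be in scope, widen it to `azure.signinlogs.properties.token_issuer_type:(AzureAD or ADFederationServices)`, and if the narrowing is deliberate, say so in `note`. Matching the application only by `app_display_name` is also brittle, since display names can differ between module versions and tenants; adding the module's stable application ID to the query, if the integration populates an app-id field, would make the match harder to evade by a renamed client. Finally, `note` could tell analysts what volume to expect, e.g. `note = "The Azure Fleet Integration or Filebeat module must be enabled to use this rule. Every successful sign-in through the module generates an alert; exempt known administrative accounts and hosts after verifying them."`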