security-tools/sigma-rules
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

[New Rule] Azure Active Directory High Risk User AtRisk or Confirmed (#1579)

Browse Source 
* Create initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>

* Update rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml

Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

Co-authored-by: Jonhnathan <jonhnathancesar@gmail.com>
Co-authored-by: Justin Ibarra <brokensound77@users.noreply.github.com>

(cherry picked from commit 3dd32608a0)
This commit is contained in:
Austin Songer
2021-11-17 16:38:12 -06:00
committed by github-actions[bot]
parent 3f3328a630
commit ffcca8239e
1 changed files with 52 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
rules/integrations/azure/initial_access_azure_active_directory_high_risk_signin_atrisk_or_confirmed.toml
+52
View File
@@ -0,0 +1,52 @@
[metadata]
creation_date = "2021/10/18"
maturity = "production"
updated_date = "2021/10/18"
integration = "azure"
[rule]
author = ["Austin Songer"]
description = """
Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning
and heuristics.
"""
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Active Directory High Risk User Sign-in Heuristic"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-azure-monitor-sign-ins-log-schema",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk",
]
risk_score = 47
rule_id = "26edba02-6979-4bce-920a-70b080a7be81"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.signinlogs and
azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"