Jonhnathan
b4c84e8a40
* Update Tags * Bump updated date separately to be easy to revert if needed * Update resource_development_ml_linux_anomalous_compiler_activity.toml * Apply changes from the discussion * Update persistence_init_d_file_creation.toml * Update defense_evasion_timestomp_sysmon.toml * Update defense_evasion_application_removed_from_blocklist_in_google_workspace.toml * Update missing Tactic tags * Update unit tests to match new tags * Add missing IG tags * Delete okta_threat_detected_by_okta_threatinsight.toml * Update command_and_control_google_drive_malicious_file_download.toml * Update persistence_rc_script_creation.toml * Mass bump * Update persistence_shell_activity_by_web_server.toml * . --------- Co-authored-by: Mika Ayenson <Mika.ayenson@elastic.co> Co-authored-by: Mika Ayenson <Mikaayenson@users.noreply.github.com>
70 lines
2.5 KiB
TOML
70 lines
2.5 KiB
TOML
[metadata]
|
|
creation_date = "2020/08/31"
|
|
integration = ["azure"]
|
|
maturity = "production"
|
|
min_stack_comments = "New fields added: required_fields, related_integrations, setup"
|
|
min_stack_version = "8.3.0"
|
|
updated_date = "2023/06/22"
|
|
|
|
[rule]
|
|
author = ["Elastic"]
|
|
description = """
|
|
Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include
|
|
collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account.
|
|
Unless there is a business need to provision guest access, it is best practice avoid creating guest users. Guest users
|
|
could potentially be overlooked indefinitely leading to a potential vulnerability.
|
|
"""
|
|
false_positives = [
|
|
"""
|
|
Guest user invitations may be sent out by a system or network administrator. Verify whether the username, hostname,
|
|
and/or resource name should be making changes in your environment. Guest user invitations from unfamiliar users or
|
|
hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
|
|
""",
|
|
]
|
|
from = "now-25m"
|
|
index = ["filebeat-*", "logs-azure*"]
|
|
language = "kuery"
|
|
license = "Elastic License v2"
|
|
name = "Azure External Guest User Invitation"
|
|
note = """## Setup
|
|
|
|
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
|
|
references = ["https://docs.microsoft.com/en-us/azure/governance/policy/samples/cis-azure-1-1-0"]
|
|
risk_score = 21
|
|
rule_id = "141e9b3a-ff37-4756-989d-05d7cbf35b0e"
|
|
severity = "low"
|
|
tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Initial Access"]
|
|
timestamp_override = "event.ingested"
|
|
type = "query"
|
|
|
|
query = '''
|
|
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Invite external user" and azure.auditlogs.properties.target_resources.*.display_name:guest and event.outcome:(Success or success)
|
|
'''
|
|
|
|
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0001"
|
|
name = "Initial Access"
|
|
reference = "https://attack.mitre.org/tactics/TA0001/"
|
|
[[rule.threat]]
|
|
framework = "MITRE ATT&CK"
|
|
[[rule.threat.technique]]
|
|
id = "T1078"
|
|
name = "Valid Accounts"
|
|
reference = "https://attack.mitre.org/techniques/T1078/"
|
|
|
|
|
|
[rule.threat.tactic]
|
|
id = "TA0003"
|
|
name = "Persistence"
|
|
reference = "https://attack.mitre.org/tactics/TA0003/"
|
|
|