sigma-rules/rules/integrations/azure/persistence_azure_application_credential_modification.toml
Terrance DeJesus b474a81ead [Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows (#5155)
* [Rule Tuning] Update Azure / M365 Index Patterns and Lookback Windows
<!--
Thank you for your interest in and contributing to Detection Rules!
There are a few simple things to check before submitting your pull request
that can help with the review process. You should delete these items
from your submission, but they are here to help bring them to your attention.
-->
# Pull Request

*Issue link(s)*:
* https://github.com/elastic/detection-rules/issues/5154

<!--
  Add Related Issues / PRs for context. Eg:
    Related to elastic/repo#999
    Resolves #123
  If there is no issue link, take extra care to write a clear summary and label the PR just as you would label an issue to give additional context to reviewers.
-->

## Summary - What I changed
Adjusts Azure / M365 rules regarding lookback windows, interval and index scopes. Please see related issue for more details.

<!--
  Summarize your PR. Animated gifs are 💯. Code snippets are ️. Examples & screenshots are 🔥
-->

## How To Test

<!--
  Some examples of what you could include here are:
  * Links to GitHub action results for CI test improvements
  * Sample data before/after screenshots (or short videos showing how something works)
  * Copy/pasted commands and output from the testing you did in your local terminal window
  * If tests run in GitHub, you can 🪁or 🔱, respectively, to indicate tests will run in CI
  * Query used in your stack to verify the change
-->

## Checklist

<!-- Delete any items that are not applicable to this PR. -->

- [ ] Added a label for the type of pr: `bug`, `enhancement`, `schema`, `maintenance`, `Rule: New`, `Rule: Deprecation`, `Rule: Tuning`, `Hunt: New`, or `Hunt: Tuning` so guidelines can be generated
- [ ] Added the `meta:rapid-merge` label if planning to merge within 24 hours
- [ ] Secret and sensitive material has been managed correctly
- [ ] Automated testing was updated or added to match the most common scenarios
- [ ] Documentation and comments were added for features that require explanation

## Contributor checklist

- Have you signed the [contributor license agreement](https://www.elastic.co/contributor-agreement)?
- Have you followed the [contributor guidelines](https://github.com/elastic/detection-rules/blob/main/CONTRIBUTING.md)?

* fixing timestamps

* Update rules/integrations/azure/initial_access_entra_illicit_consent_grant_via_registered_application.toml

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>

* Update rules/integrations/azure/credential_access_azure_key_vault_excessive_retrieval.toml

Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>

* update dates

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

* Update rules/integrations/o365/initial_access_microsoft_365_illicit_consent_grant_via_registered_application.toml

---------

Co-authored-by: Isai <59296946+imays11@users.noreply.github.com>
Co-authored-by: Jonhnathan <26856693+w0rk3r@users.noreply.github.com>
2025-09-30 15:51:50 -04:00


[metadata]
creation_date = "2020/12/14"
integration = ["azure"]
maturity = "production"
updated_date = "2025/09/30"
[rule]
author = ["Elastic"]
description = """
Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret
string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application
and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an
environment.
"""
false_positives = [
"""
Application credential additions may be done by a system or network administrator. Verify whether the username,
hostname, and/or resource name should be making changes in your environment. Application credential additions from
unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
from the rule.
""",
]
from = "now-9m"
index = ["logs-azure.auditlogs-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Application Credential Modification"
note = """## Triage and analysis
> **Disclaimer**:
> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
### Investigating Azure Application Credential Modification
Azure applications use credentials like certificates or secret strings for identity verification during token requests. Adversaries may exploit this by adding unauthorized credentials, enabling persistent access or evading defenses. The detection rule monitors audit logs for successful updates to application credentials, flagging potential misuse by identifying unauthorized credential modifications.
### Possible investigation steps
- Review the Azure audit logs to identify the specific application that had its credentials updated, focusing on entries with the operation name "Update application - Certificates and secrets management" and a successful outcome.
- Determine the identity of the user or service principal that performed the credential modification by examining the associated user or principal ID in the audit log entry.
- Investigate the context of the credential modification by checking for any recent changes or unusual activities related to the application, such as modifications to permissions or roles.
- Assess the legitimacy of the new credential by verifying if it aligns with expected operational procedures or if it was authorized by a known and trusted entity.
- Check for any additional suspicious activities in the audit logs around the same timeframe, such as failed login attempts or other modifications to the application, to identify potential indicators of compromise.
- Contact the application owner or relevant stakeholders to confirm whether the credential addition was expected and authorized, and gather any additional context or concerns they might have.
### False positive analysis
- Routine credential updates by authorized personnel can trigger alerts. Regularly review and document credential management activities to distinguish between legitimate and suspicious actions.
- Automated processes or scripts that update application credentials as part of maintenance or deployment cycles may cause false positives. Identify and whitelist these processes to prevent unnecessary alerts.
- Credential updates during application scaling or migration might be flagged. Coordinate with IT teams to schedule these activities and temporarily adjust monitoring thresholds or exclusions.
- Third-party integrations that require periodic credential updates can be mistaken for unauthorized changes. Maintain an inventory of such integrations and establish baseline behaviors to filter out benign activities.
- Frequent updates by specific service accounts could be part of normal operations. Monitor these accounts separately and consider creating exceptions for known, non-threatening patterns.
### Response and remediation
- Immediately revoke the unauthorized credentials by accessing the Azure portal and removing any suspicious certificates or secret strings associated with the affected application.
- Conduct a thorough review of the application's access logs to identify any unauthorized access or actions performed using the compromised credentials.
- Reset and update all legitimate credentials for the affected application to ensure no further unauthorized access can occur.
- Notify the security team and relevant stakeholders about the incident, providing details of the unauthorized credential modification and any potential impact.
- Implement additional monitoring on the affected application to detect any further unauthorized changes or access attempts.
- Review and tighten access controls and permissions for managing application credentials to prevent unauthorized modifications in the future.
- If necessary, escalate the incident to higher-level security management or external cybersecurity experts for further investigation and response.
## Setup
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
]
risk_score = 47
rule_id = "1a36cace-11a7-43a8-9a10-b497c5a02cd3"
severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Use Case: Identity and Access Audit",
"Tactic: Persistence",
"Resources: Investigation Guide",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update application - Certificates and secrets management" and event.outcome:(success or Success)
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1098"
name = "Account Manipulation"
reference = "https://attack.mitre.org/techniques/T1098/"
[[rule.threat.technique.subtechnique]]
id = "T1098.001"
name = "Additional Cloud Credentials"
reference = "https://attack.mitre.org/techniques/T1098/001/"
[rule.threat.tactic]
id = "TA0003"
name = "Persistence"
reference = "https://attack.mitre.org/tactics/TA0003/"
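The rule above is only three predicates and a time window, which makes it easy to dry-run before deploying. The following is an added example, not code from the detection-rules repository: it re-implements the KQL query (`event.dataset`, `azure.auditlogs.operation_name`, `event.outcome`) and the `from = "now-9m"` window keyed on `event.ingested` in Python and runs it over constructed audit events. The actor and target fields under `azure.auditlogs.properties` are assumptions about the integration's mapping and should be checked against your index; the contoso.example principals and application names are made up for the sample.

```python
"""Dry-run of the 'Azure Application Credential Modification' rule.

Added example (not part of the detection-rules repo). Re-implements the rule's
KQL predicate and lookback window so it can be exercised offline against
hand-made events. Field paths under azure.auditlogs.properties are ASSUMED;
the three fields the query itself uses come from the rule.
"""
from datetime import datetime, timedelta, timezone

OPERATION_NAME = "Update application - Certificates and secrets management"
SUCCESS_OUTCOMES = {"success", "Success"}   # event.outcome:(success or Success)
LOOKBACK = timedelta(minutes=9)             # from = "now-9m"

# Fixed "now" so the sample is deterministic.
NOW = datetime(2025, 9, 30, 20, 0, tzinfo=timezone.utc)


def iso(ts: datetime) -> str:
    return ts.strftime("%Y-%m-%dT%H:%M:%S.000Z")


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)


def field(doc: dict, dotted: str):
    """Resolve a dotted ECS field name against a nested dict; None if absent."""
    cur = doc
    for part in dotted.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_query(event: dict) -> bool:
    """The rule's KQL. event.outcome is a keyword field, so the comparison is
    exact and case-sensitive; that is why the rule lists both spellings."""
    return (
        field(event, "event.dataset") == "azure.auditlogs"
        and field(event, "azure.auditlogs.operation_name") == OPERATION_NAME
        and field(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def in_window(event: dict, now: datetime = NOW) -> bool:
    """timestamp_override = "event.ingested": the window is judged on ingest
    time, not @timestamp, so a late-arriving audit entry still fires."""
    ingested = parse_ts(field(event, "event.ingested"))
    return now - LOOKBACK <= ingested <= now


def run_rule(events: list, now: datetime = NOW) -> list:
    """Return (actor, target application, @timestamp) for every hit."""
    hits = []
    for e in events:
        if matches_query(e) and in_window(e, now):
            # ASSUMED field layout for actor/target; verify against your mapping.
            targets = field(e, "azure.auditlogs.properties.target_resources") or [{}]
            hits.append((
                field(e, "azure.auditlogs.properties.initiated_by.user.userPrincipalName"),
                targets[0].get("display_name"),
                field(e, "@timestamp"),
            ))
    return hits


def audit_event(event_age_min, ingest_age_min, outcome, actor, app,
                operation=OPERATION_NAME, dataset="azure.auditlogs") -> dict:
    """Build a constructed ECS-shaped Azure audit log document."""
    return {
        "@timestamp": iso(NOW - timedelta(minutes=event_age_min)),
        "event": {"dataset": dataset, "outcome": outcome,
                  "ingested": iso(NOW - timedelta(minutes=ingest_age_min))},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "properties": {
                "initiated_by": {"user": {"userPrincipalName": actor}},
                "target_resources": [{"display_name": app}],
            },
        }},
    }


# Constructed sample events (names and apps are fictitious).
SAMPLE_EVENTS = [
    audit_event(2, 2, "success", "alice@contoso.example", "payroll-sync"),       # hit
    audit_event(3, 3, "failure", "bob@contoso.example", "payroll-sync"),         # failed update
    audit_event(4, 4, "Success", "svc-deploy@contoso.example", "ci-runner"),     # hit (alt. spelling)
    audit_event(5, 5, "SUCCESS", "carol@contoso.example", "ci-runner"),          # not in rule's list
    audit_event(40, 1, "success", "mallory@contoso.example", "legacy-portal"),   # hit: late ingest
    audit_event(30, 30, "success", "dave@contoso.example", "legacy-portal"),     # outside now-9m
    audit_event(1, 1, "success", "erin@contoso.example", "n/a", dataset="azure.signinlogs"),
]

if __name__ == "__main__":
    for actor, app, ts in run_rule(SAMPLE_EVENTS):
        print(f"{ts}  {actor} modified credentials on {app}")
```

Two behaviours worth noticing in the dry run: the event that happened 40 minutes ago but was ingested a minute ago still fires, which is the effect of `timestamp_override = "event.ingested"` and the reason the lookback can be as short as nine minutes; and `SUCCESS` does not match because the keyword comparison is exact. Before acting on a hit, also check the audit entry's modified properties (the `KeyDescription` old/new values): the same operation name is logged when a credential is removed, so a hit means the credential set changed, not necessarily that one was added.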