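[metadata]
creation_date = "2020/12/14"
maturity = "production"
updated_date = "2021/07/20"
integration = "azure"

[rule]
author = ["Elastic"]
description = """
Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
a user identity.
"""
# Shown to the analyst with the alert. The rule fires on every successful addition, so
# routine admin / automation activity will match; handle known actors with rule
# exceptions rather than by narrowing the query itself.
false_positives = [
"""
A service principal may be created by a system or network administrator. Verify whether the username, hostname,
and/or resource name should be making changes in your environment. Service principal additions from unfamiliar users
or hosts should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
""",
]
# Lookback window per run. Used together with timestamp_override (below) so that audit
# events arriving late in the index are still evaluated instead of falling outside the window.
from = "now-25m"
index = ["filebeat-*", "logs-azure*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Service Principal Addition"
note = """## Config
The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
references = [
"https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/",
"https://docs.microsoft.com/en-us/azure/active-directory/develop/howto-create-service-principal-portal",
]
risk_score = 47
rule_id = "60b6b72f-0fbc-47e7-9895-9ba7627a8b50"
severity = "medium"
tags = ["Elastic", "Cloud", "Azure", "Continuous Monitoring", "SecOps", "Identity and Access"]
# Schedule against ingest time rather than the event's own timestamp; see `from` above.
timestamp_override = "event.ingested"
type = "query"
# Only successful additions alert. event.outcome is matched in both casings; presumably the
# value is not normalised consistently across the Fleet and Filebeat ingest paths — confirm
# against current azure.auditlogs data before dropping either variant.
query = '''
event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Add service principal" and event.outcome:(success or Success)
'''

# Mapped to Defense Evasion / T1550.001: a newly created service principal is authentication
# material of its own, separate from any user identity and its controls.
[[rule.threat]]
framework = "MITRE ATT&CK"

[[rule.threat.technique]]
id = "T1550"
name = "Use Alternate Authentication Material"
reference = "https://attack.mitre.org/techniques/T1550/"

[[rule.threat.technique.subtechnique]]
id = "T1550.001"
name = "Application Access Token"
reference = "https://attack.mitre.org/techniques/T1550/001/"

[rule.threat.tactic]
id = "TA0005"
name = "Defense Evasion"
reference = "https://attack.mitre.org/tactics/TA0005/"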