Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules

new: Anomalous User Activity
new: Activity From Anonymous IP Address
new: Atypical Travel
new: Impossible Travel
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Azure AD Account Credential Leaked
new: Sign-In From Malware Infected IP
new: New Country
new: Password Spray Activity
new: Suspicious Browser Activity
new: SAML Token Issuer Anomaly
new: Unfamiliar Sign-In Properties

---------

Co-authored-by: gleeiamglo <[email protected]>
Co-authored-by: Nasreddine Bencherchali <[email protected]>
Co-authored-by: phantinuss <[email protected]>

rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml

@@ -0,0 +1,22 @@
+title: Anomalous User Activity
+id: 258b6593-215d-4a26-a141-c8e31c1299a6
+status: experimental
+description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1098
+    - attack.persistence
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'anomalousUserActivity'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml

@@ -0,0 +1,25 @@
+title: Activity From Anonymous IP Address
+id: be4d9c86-d702-4030-b52e-c7859110e5e8
+status: experimental
+description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'riskyIPAddress'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml

@@ -0,0 +1,25 @@
+title: Atypical Travel
+id: 1a41023f-1e70-4026-921a-4d9341a9038e
+status: experimental
+description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'unlikelyTravel'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml

@@ -0,0 +1,25 @@
+title: Impossible Travel
+id: b2572bf9-e20a-4594-b528-40bde666525a
+status: experimental
+description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'impossibleTravel'
+    condition: selection
+falsepositives:
+    - Conneting to a VPN, performing activity and then dropping and performing addtional activity.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml

@@ -0,0 +1,22 @@
+title: Suspicious Inbox Forwarding Identity Protection
+id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
+status: experimental
+description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1140
+    - attack.defense_evasion
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'suspiciousInboxForwarding'
+    condition: selection
+falsepositives:
+    - A legitmate forwarding rule.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml

@@ -0,0 +1,22 @@
+title: Suspicious Inbox Manipulation Rules
+id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
+status: experimental
+description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1140
+    - attack.defense_evasion
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'mcasSuspiciousInboxManipulationRules'
+    condition: selection
+falsepositives:
+    - Actual mailbox rules that are moving items based on their workflow.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml

@@ -0,0 +1,22 @@
+title: Azure AD Account Credential Leaked 
+id: 19128e5e-4743-48dc-bd97-52e5775af817
+status: experimental
+description: Indicates that the user's valid credentials have been leaked.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1589
+    - attack.reconnaissance
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'leakedCredentials'
+    condition: selection
+falsepositives:
+    - A rare hash collision.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml

@@ -0,0 +1,22 @@
+title: Sign-In From Malware Infected IP
+id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
+status: experimental
+description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1090
+    - attack.command_and_control
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'malwareInfectedIPAddress'
+    condition: selection
+falsepositives:
+    - Using an IP address that is shared by many users
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml

@@ -0,0 +1,25 @@
+title: New Country
+id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
+status: experimental
+description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'newCountry'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml

@@ -0,0 +1,22 @@
+title: Password Spray Activity
+id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
+status: experimental
+description: Indicates that a password spray attack has been successfully performed.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1110
+    - attack.credential_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'passwordSpray'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml

@@ -0,0 +1,25 @@
+title: Suspicious Browser Activity
+id: 944f6adb-7a99-4c69-80c1-b712579e93e6
+status: experimental
+description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'suspiciousBrowser'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml

@@ -0,0 +1,22 @@
+title: SAML Token Issuer Anomaly
+id: e3393cba-31f0-4207-831e-aef90ab17a8c
+status: experimental
+description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1606
+    - attack.credential_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'tokenIssuerAnomaly'
+    condition: selection
+falsepositives:
+    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high

rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml

@@ -0,0 +1,25 @@
+title: Unfamiliar Sign-In Properties
+id: 128faeef-79dd-44ca-b43c-a9e236a60f49
+status: experimental
+description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
+references:
+    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+    - attack.t1078
+    - attack.persistence
+    - attack.defense_evasion
+    - attack.privilege_escalation
+    - attack.initial_access
+logsource:
+    product: azure
+    service: riskdetection
+detection:
+    selection:
+        riskEventType: 'unfamiliarFeatures'
+    condition: selection
+falsepositives:
+    - User changing to a new device, location, browser, etc.
+level: high