From efe2c9bbcb1a84b549a56242b98b4fa9eeb9aff3 Mon Sep 17 00:00:00 2001 
From: Mark Morowczynski
Date: Wed, 6 Sep 2023 01:56:13 -0700
Subject: [PATCH] Merge PR #4423 from @MarkMorow - Add Azure AD Identity Protection Rules

new: Anomalous User Activity
new: Activity From Anonymous IP Address
new: Atypical Travel
new: Impossible Travel
new: Suspicious Inbox Forwarding Identity Protection
new: Suspicious Inbox Manipulation Rules
new: Azure AD Account Credential Leaked
new: Sign-In From Malware Infected IP
new: New Country
new: Password Spray Activity
new: Suspicious Browser Activity
new: SAML Token Issuer Anomaly
new: Unfamiliar Sign-In Properties

---------

Co-authored-by: gleeiamglo <142270304+gleeiamglo@users.noreply.github.com>
Co-authored-by: Nasreddine Bencherchali <8741929+nasbench@users.noreply.github.com>
Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
---
 ...e_identity_protection_anomalous_token.yml} | 0
 ...ure_identity_protection_anomalous_user.yml | 22 ++++++++++++++++
 ...ntity_protection_anonymous_ip_activity.yml | 25 +++++++++++++++++++
 ...re_identity_protection_atypical_travel.yml | 25 +++++++++++++++++++
 ..._identity_protection_impossible_travel.yml | 25 +++++++++++++++++++
 ...ntity_protection_inbox_forwarding_rule.yml | 22 ++++++++++++++++
 ...identity_protection_inbox_manipulation.yml | 22 ++++++++++++++++
 ...identity_protection_leaked_credentials.yml | 22 ++++++++++++++++
 ..._identity_protection_malware_linked_ip.yml | 22 ++++++++++++++++
 ..._identity_protection_new_coutry_region.yml | 25 +++++++++++++++++++
 ...ure_identity_protection_password_spray.yml | 22 ++++++++++++++++
 ...identity_protection_suspicious_browser.yml | 25 +++++++++++++++++++
 ...entity_protection_token_issuer_anomaly.yml | 22 ++++++++++++++++
 ..._identity_protection_unfamilar_sign_in.yml | 25 +++++++++++++++++++
 14 files changed, 304 insertions(+)
rename rules/cloud/azure/identity_protection/{azure_identity_protectection_anomalous_token.yml => azure_identity_protection_anomalous_token.yml} (100%)
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
create mode 100644 rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
similarity index 100%
rename from rules/cloud/azure/identity_protection/azure_identity_protectection_anomalous_token.yml
rename to rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
new file mode 100644
index 00000000000..2ca44a9efd7
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_user.yml
@@ -0,0 +1,22 @@
+title: Anomalous User Activity
+id: 258b6593-215d-4a26-a141-c8e31c1299a6
+status: experimental
+description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-user-activity
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1098
+ - attack.persistence
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'anomalousUserActivity'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
new file mode 100644
index 00000000000..28dc4530378
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_activity.yml
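Review bot: The `falsepositives` entry in this hunk (`We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.`) is triage guidance rather than a benign cause, and the same text is reused in the anonymous-IP, atypical-travel, new-country, password-spray, suspicious-browser and token-issuer-anomaly hunks; Sigma's field is meant to name legitimate activity that would trigger the rule, so either list one or use `- Unknown` and move the investigation advice into `description`. Every rule in the set also hardcodes `level: high` while matching only on `riskEventType`; the riskdetection record itself carries `riskLevel` and `riskState`, so a detection Identity Protection already rates low, or has already marked remediated or dismissed, fires at the same severity — consider adding `riskLevel` and `riskState` to the selection or aligning `level` with the documented risk level of each detection type. Minor: the `author` value `Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'` quotes the two handles inconsistently; `Mark Morowczynski '@markmorow', Gloria Lee '@gleeiamglo'` matches the first author's form and is repeated across all thirteen files.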
@@ -0,0 +1,25 @@
+title: Activity From Anonymous IP Address
+id: be4d9c86-d702-4030-b52e-c7859110e5e8
+status: experimental
+description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'riskyIPAddress'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
new file mode 100644
index 00000000000..3c5738586d1
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_atypical_travel.yml
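Review bot: The selection matches `riskEventType: 'riskyIPAddress'`, which the referenced page appears to list as the offline Defender for Cloud Apps detection "Activity from anonymous IP address"; the real-time Identity Protection detection for anonymous-proxy sign-ins is a separate enum value, `anonymizedIPAddress`, and is not covered here, so a reader comparing the title with the value will suspect a mistake. If the intent is to cover anonymous-proxy sign-ins generally, make the selection a list, `riskEventType:` / `- 'riskyIPAddress'` / `- 'anonymizedIPAddress'`; otherwise state in `description` that this rule is the offline (Cloud Apps) variant and that the real-time detection needs its own rule.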
@@ -0,0 +1,25 @@
+title: Atypical Travel
+id: 1a41023f-1e70-4026-921a-4d9341a9038e
+status: experimental
+description: Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#atypical-travel
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'unlikelyTravel'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
new file mode 100644
index 00000000000..311793419ff
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_impossible_travel.yml
@@ -0,0 +1,25 @@
+title: Impossible Travel
+id: b2572bf9-e20a-4594-b528-40bde666525a
+status: experimental
+description: Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#impossible-travel
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'impossibleTravel'
+ condition: selection
+falsepositives:
+ - Conneting to a VPN, performing activity and then dropping and performing addtional activity.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
new file mode 100644
index 00000000000..4ab896a0715
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_forwarding_rule.yml
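Review bot: The selection value `'impossibleTravel'` should be checked against the Graph `riskEventType` enum before merge; the Defender for Cloud Apps impossible-travel detection that the referenced page describes is, as far as I recall, surfaced as `mcasImpossibleTravel`, and a value that never appears in the feed makes the rule silently dead rather than noisy. If both are confirmed valid, match them as a list, `riskEventType:` / `- 'impossibleTravel'` / `- 'mcasImpossibleTravel'`. Also two typos in `falsepositives`: `Conneting` → `Connecting` and `addtional` → `additional`.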
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Forwarding Identity Protection
+id: 27e4f1d6-ae72-4ea0-8a67-77a73a289c3d
+status: experimental
+description: Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-forwarding
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1140
+ - attack.defense_evasion
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'suspiciousInboxForwarding'
+ condition: selection
+falsepositives:
+ - A legitmate forwarding rule.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
new file mode 100644
index 00000000000..5bc55b6679f
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_inbox_manipulation.yml
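Review bot: `attack.t1140` (Deobfuscate/Decode Files or Information) with `attack.defense_evasion` does not describe an inbox rule that forwards mail to an external address; the matching ATT&CK technique is T1114.003 (Email Collection: Email Forwarding Rule), so the tags should read `- attack.t1114.003` / `- attack.collection`. The inbox-manipulation hunk carries the same mis-mapping, where T1564.008 (Hide Artifacts: Email Hiding Rules) under `attack.defense_evasion` is the fit. Minor: `legitmate` → `legitimate` in `falsepositives`, and `description` is missing its closing period.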
@@ -0,0 +1,22 @@
+title: Suspicious Inbox Manipulation Rules
+id: ceb55fd0-726e-4656-bf4e-b585b7f7d572
+status: experimental
+description: Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-inbox-manipulation-rules
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1140
+ - attack.defense_evasion
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'mcasSuspiciousInboxManipulationRules'
+ condition: selection
+falsepositives:
+ - Actual mailbox rules that are moving items based on their workflow.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
new file mode 100644
index 00000000000..94d9179b92d
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml
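Review bot: The `description` is ungrammatical — `Detects suspicious rules that delete or move messages or folders are set on a user's inbox.` — and should read `Detects when suspicious rules that delete or move messages or folders are set on a user's inbox.`. The two inbox rules are also named inconsistently: the forwarding rule's title carries an `Identity Protection` suffix (presumably to disambiguate from an existing rule elsewhere in the repository) while this one does not; if the suffix is needed, apply it to both so the pair sorts and reads as the same source.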
@@ -0,0 +1,22 @@
+title: Azure AD Account Credential Leaked
+id: 19128e5e-4743-48dc-bd97-52e5775af817
+status: experimental
+description: Indicates that the user's valid credentials have been leaked.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#leaked-credentials
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1589
+ - attack.reconnaissance
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'leakedCredentials'
+ condition: selection
+falsepositives:
+ - A rare hash collision.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
new file mode 100644
index 00000000000..7ed25642163
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
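Review bot: `attack.t1589` / `attack.reconnaissance` frames `leakedCredentials` as adversary reconnaissance, but the detection fires when the user's own valid credentials turn up in a dump, i.e. the account should be treated as compromised; `attack.t1078` with `attack.initial_access` (or `attack.t1552` / `attack.credential_access`) seems the more useful mapping for anyone pivoting from the tag. The `description` could also say that the signal is a credential-exposure indicator independent of any sign-in, so responders know a password reset is the expected remediation rather than a sign-in investigation.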
@@ -0,0 +1,22 @@
+title: Sign-In From Malware Infected IP
+id: 821b4dc3-1295-41e7-b157-39ab212dd6bd
+status: experimental
+description: Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malware-linked-ip-address-deprecated
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1090
+ - attack.command_and_control
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'malwareInfectedIPAddress'
+ condition: selection
+falsepositives:
+ - Using an IP address that is shared by many users
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
new file mode 100644
index 00000000000..791d237e8d5
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml
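Review bot: The reference anchor `#malware-linked-ip-address-deprecated` shows this rule targets a detection Microsoft marks as deprecated, which neither `description` nor `status` conveys; add a sentence to the description such as `Note: Microsoft lists this detection as deprecated, so it may no longer be emitted for new sign-ins.` so an operator does not read silence from this rule as a clean signal. The `attack.t1090` / `attack.command_and_control` tags describe the infected client's beaconing rather than what the log records — a sign-in from that address — so `attack.t1078` / `attack.initial_access` reads as the more accurate mapping. Minor: the `falsepositives` entry lacks its closing period.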
@@ -0,0 +1,25 @@
+title: New Country
+id: adf9f4d2-559e-4f5c-95be-c28dff0b1476
+status: experimental
+description: Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#new-country
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'newCountry'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
new file mode 100644
index 00000000000..a477ec6c32f
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_password_spray.yml
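Review bot: The file name `azure_identity_protection_new_coutry_region.yml` misspells "country"; rename it to `azure_identity_protection_new_country_region.yml` before merge, since rule paths are awkward to change once downstream pipelines reference them, and the unfamiliar-sign-in hunk has the same problem with `unfamilar` in `azure_identity_protection_unfamilar_sign_in.yml`. The title `New Country` and the file name's `new_country_region` should also agree — pick one wording for both.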
@@ -0,0 +1,22 @@
+title: Password Spray Activity
+id: 28ecba0a-c743-4690-ad29-9a8f6f25a6f9
+status: experimental
+description: Indicates that a password spray attack has been successfully performed.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#password-spray
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1110
+ - attack.credential_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'passwordSpray'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
new file mode 100644
index 00000000000..1d39a814acb
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_suspicious_browser.yml
@@ -0,0 +1,25 @@
+title: Suspicious Browser Activity
+id: 944f6adb-7a99-4c69-80c1-b712579e93e6
+status: experimental
+description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#suspicious-browser
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'suspiciousBrowser'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
new file mode 100644
index 00000000000..38ca23aabd1
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_token_issuer_anomaly.yml
@@ -0,0 +1,22 @@
+title: SAML Token Issuer Anomaly
+id: e3393cba-31f0-4207-831e-aef90ab17a8c
+status: experimental
+description: Indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#token-issuer-anomaly
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1606
+ - attack.credential_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'tokenIssuerAnomaly'
+ condition: selection
+falsepositives:
+ - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
+level: high
diff --git a/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
new file mode 100644
index 00000000000..d9dbd1c9c4d
--- /dev/null
+++ b/rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
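Review bot: `attack.t1606` is the parent technique; because the detection is specifically about forged or anomalous SAML tokens, the sub-technique `attack.t1606.002` (Forge Web Credentials: SAML Tokens) is the more precise tag and is what analysts hunting federation-trust abuse will filter on. The `description` is missing its closing period, and since a token-issuer anomaly points at the federated identity provider rather than the individual user, a short sentence recommending that the federation trust and signing certificate be reviewed alongside the user session would make the rule more actionable.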
@@ -0,0 +1,25 @@
+title: Unfamiliar Sign-In Properties
+id: 128faeef-79dd-44ca-b43c-a9e236a60f49
+status: experimental
+description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
+references:
+ - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
+ - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
+author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
+date: 2023/09/03
+tags:
+ - attack.t1078
+ - attack.persistence
+ - attack.defense_evasion
+ - attack.privilege_escalation
+ - attack.initial_access
+logsource:
+ product: azure
+ service: riskdetection
+detection:
+ selection:
+ riskEventType: 'unfamiliarFeatures'
+ condition: selection
+falsepositives:
+ - User changing to a new device, location, browser, etc.
+level: high