Azure Active Directory to Entra ID
Parent: 18d491c708
Commit: 93a7dcfd31
@ -1,5 +1,5 @@
id: e7b9ea73-1980-4318-96a6-da559486664b
name: Modified domain federation trust settings
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/ADFSDomainTrustMods.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/ADFSDomainTrustMods.yaml'
version: 1.0.0

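Review bot: the replacement link on the new description line points to Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/ADFSDomainTrustMods.yaml, so this stub is only useful if that folder exists in the same commit; confirm the solution directory was actually renamed from Solutions/Azure%20Active%20Directory as part of this change, otherwise every pointer file updated in this diff sends readers to a dead link.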
@ -1,5 +1,5 @@
id: 1116337d-c2dd-4e58-9e5b-afd6bfcb51c1
name: Account created or deleted by non-approved user
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AccountCreatedDeletedByNonApprovedUser.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AccountCreatedDeletedByNonApprovedUser.yaml'
version: 1.0.1

@ -1,5 +1,5 @@
id: dbba4298-45b2-4ded-887f-874632a701b4
name: Account Created and Deleted in Short Timeframe
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AccountCreatedandDeletedinShortTimeframe.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AccountCreatedandDeletedinShortTimeframe.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: eff0c910-6a13-4bc1-b3c4-1b4b2d285e67
name: Admin promotion after Role Management Application Permission Grant
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: 396c2909-7489-4b87-95a9-1429ab40ad96
name: Azure AD Role Management Permission Grant
name: Microsoft Entra ID Role Management Permission Grant
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AzureADRoleManagementPermissionGrant.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AzureADRoleManagementPermissionGrant.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: 15535fa9-4262-4e76-bbe7-792b57da9331
name: Bulk Changes to Privileged Account Permissions
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/BulkChangestoPrivilegedAccountPermissions.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/BulkChangestoPrivilegedAccountPermissions.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: ffb7b057-a1de-4604-bee8-22518c0b8bb3
name: Credential added after admin consented to Application
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/CredentialAddedAfterAdminConsent.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/CredentialAddedAfterAdminConsent.yaml'
version: 1.0.0

@ -1,6 +1,6 @@
id: 4555b590-1983-4b09-8aca-ecbf5d885019
name: Cross-tenant Access Settings Organization Added
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationAdded.yaml'
version: 1.0.2
kind: Scheduled

@ -1,6 +1,6 @@
id: c2da132e-6c27-4f50-9e40-f684ca94e5b2
name: Cross-tenant Access Settings Organization Deleted
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationDeleted.yaml'
version: 1.0.2
kind: Scheduled

@ -1,6 +1,6 @@
id: d1b60e24-4f06-4bed-af66-275e13fe7182
name: Cross-tenant Access Settings Organization Inbound Collaboration Settings Changed
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationInboundCollaborationSettingsChanged.yaml'
version: 1.0.2
kind: Scheduled

@ -1,6 +1,6 @@
id: 637697be-2fc5-4c57-a7b0-ac79d181a7ab
name: Cross-tenant Access Settings Organization Inbound Direct Settings Changed
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationInboundDirectSettingsChanged.yaml'
version: 1.0.2
kind: Scheduled

@ -1,6 +1,6 @@
id: 7d44c4a7-f4a4-4f48-bd37-be333951a131
name: Cross-tenant Access Settings Organization Outbound Collaboration Settings Changed
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationOutboundCollaborationSettingsChanged.yaml'
version: 1.0.2
kind: Scheduled

@ -1,6 +1,6 @@
id: d6de1625-8d18-44da-9991-fbdc607b7643
name: Cross-tenant Access Settings Organization Outbound Direct Settings Changed
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Cross-tenantAccessSettingsOrganizationOutboundDirectSettingsChanged.yaml'
version: 1.0.2
kind: Scheduled

@ -1,5 +1,5 @@
id: 902ec8be-b89c-45a9-bf40-28407c8a8428
name: First access credential added to Application or Service Principal where no credential was present
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/FirstAppOrServicePrincipalCredential.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/FirstAppOrServicePrincipalCredential.yaml'
version: 1.1.1

@ -1,6 +1,6 @@
id: 4cc63b34-61ec-4043-ae2f-c1424bf303da
name: Guest accounts added in AAD Groups other than the ones specified
name: Guest accounts added in Entra ID Groups other than the ones specified
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/GuestAccountsAddedinAADGroupsOtherThanTheOnesSpecified.yaml'
version: 1.0.3
kind: Scheduled

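Review bot: the new name uses the short form 'Entra ID Groups' while other renamed rules in this commit use the full product name 'Microsoft Entra ID' (for example 'Microsoft Entra ID Role Management Permission Grant'); pick one form for all display names so the rename reads consistently across the solution.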
@ -1,5 +1,5 @@
id: 0b130033-bd5a-48c4-b606-84a8614ff3c0
name: Mail.Read Permissions Granted to Application
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/MailPermissionsAddedToApplication.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MailPermissionsAddedToApplication.yaml'
version: 1.0.1

@ -1,5 +1,5 @@
id: f13f3c0d-7e04-4de3-a737-f929871fb2b1
name: Suspicious application consent similar to O365 Attack Toolkit
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/MaliciousOAuthApp_O365AttackToolkit.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MaliciousOAuthApp_O365AttackToolkit.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: e8f33204-9e18-4df0-8ff7-aeb35947c67d
name: Suspicious application consent similar to PwnAuth
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/MaliciousOAuthApp_PwnAuth.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MaliciousOAuthApp_PwnAuth.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: 0f670e09-32aa-4943-bf48-8855645d6af0
name: Multiple admin membership removals from newly created admin.
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MultipleAdmin_membership_removals_from_NewAdmin.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: e7b9ea73-1980-4318-96a6-da559486664b
name: NRT Modified domain federation trust settings
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_ADFSDomainTrustMods.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_ADFSDomainTrustMods.yaml'
version: 1.0.0

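Review bot: the id of this NRT rule, e7b9ea73-1980-4318-96a6-da559486664b, is identical to the id of the scheduled rule 'Modified domain federation trust settings' in the first hunk of this diff; two analytic rules sharing one GUID is pre-existing, but since both stubs are being edited here this is the moment to give the NRT variant its own id so the two templates do not collide when imported.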
@ -1,6 +1,6 @@
id: 7cfa479a-7026-4727-8f96-6e9826a42014
name: NRT Authentication Methods Changed for VIP Users
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml'
version: 1.0.2
kind: NRT

@ -1,5 +1,5 @@
id: a43ba78f-ba8d-4918-b578-257bf17bd096
name: NRT New access credential added to Application or Service Principal
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_NewAppOrServicePrincipalCredential.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_NewAppOrServicePrincipalCredential.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: c199378e-51d8-4e55-9e30-426b0c7e1452
name: NRT PIM Elevation Request Rejected
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_PIMElevationRequestRejected.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_PIMElevationRequestRejected.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: 7d237897-ac1b-4e59-b73e-f2f22c23a2bc
name: NRT Privileged Role Assigned Outside PIM
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_PrivlegedRoleAssignedOutsidePIM.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: 0124b561-b8d3-4043-b126-e2bb8904a61f
name: NRT User added to Azure Active Directory Privileged Groups
name: NRT User added to Microsoft Entra ID Privileged Groups
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_UseraddedtoPrivilgedGroups.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_UseraddedtoPrivilgedGroups.yaml'
version: 1.0.1

@ -1,5 +1,5 @@
id: 97faa5fe-b9a1-45f4-8981-8fd57a67a5e2
name: New access credential added to Application or Service Principal
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NewAppOrServicePrincipalCredential.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NewAppOrServicePrincipalCredential.yaml'
version: 1.1.0

@ -1,5 +1,5 @@
id: 852fd76e-ca5b-4889-93b1-0762f4f005a7
name: PIM Elevation Request Rejected
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/PIMElevationRequestRejected.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/PIMElevationRequestRejected.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: d4cc3972-25a8-47a6-b1c7-70bbda67ee73
name: Privileged Role Assigned Outside PIM
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/PrivlegedRoleAssignedOutsidePIM.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/PrivlegedRoleAssignedOutsidePIM.yaml'
version: 1.0.3

@ -1,5 +1,5 @@
id: 81eaf5bf-3a30-4aa2-af0f-f8ef523e0f32
name: Rare application consent
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/RareApplicationConsent.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/RareApplicationConsent.yaml'
version: 1.1.2

@ -2,7 +2,7 @@ id: 22a320c2-e1e5-4c74-a35b-39fc9cdcf859
name: Suspicious linking of existing user to external User
description: |
' This query will detect when an attempt is made to update an existing user and link it to an guest or external identity. These activities are unusual and such linking of external
identities should be investigated. In some cases you may see internal AAD sync accounts (Sync_) do this which may be benign'
identities should be investigated. In some cases you may see internal Entra ID sync accounts (Sync_) do this which may be benign'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory

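Review bot: the unchanged first description line still reads 'link it to an guest or external identity'; since this description is being edited anyway, change 'an guest' to 'a guest'. Leaving connectorId: AzureActiveDirectory on the last context line untouched is correct, as that is the connector identifier rather than display text and renaming it would break the rule's data connector binding.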
@ -1,5 +1,5 @@
id: e9b4f1f5-d8eb-4e0c-83ff-e5d75642cfad
name: Suspicious application consent for offline access
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SuspiciousOAuthApp_OfflineAccess.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SuspiciousOAuthApp_OfflineAccess.yaml'
version: 1.0.0

@ -1,5 +1,5 @@
id: f30361cb-373a-4bb7-93a0-7060572f82fb
name: Suspicious Service Principal creation activity
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SuspiciousServicePrincipalcreationactivity.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SuspiciousServicePrincipalcreationactivity.yaml'
version: 1.0.2

@ -1,5 +1,5 @@
id: 8df409b7-fc2a-44ab-8d23-97674c58d5d9
name: User Assigned Privileged Role
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/UserAssignedPrivilegedRole.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/UserAssignedPrivilegedRole.yaml'
version: 1.0.3

@ -1,5 +1,5 @@
id: 9e89f397-7ced-4896-8006-1fea53bd0885
name: User added to Azure Active Directory Privileged Groups
name: User added to Microsoft Entra ID Privileged Groups
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/UseraddedtoPrivilgedGroups.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/UseraddedtoPrivilgedGroups.yaml'
version: 1.0.3

@ -1,6 +1,6 @@
id: 5336c0fe-e897-4857-9254-728617941477
name: NRT First access credential added to Application or Service Principal where no credential was present
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/nrt_FirstAppOrServicePrincipalCredential.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/nrt_FirstAppOrServicePrincipalCredential.yaml'
version: 1.0.6
kind: NRT

@ -1,4 +1,4 @@
id: 2438bfb0-4217-4b0c-917a-34566d11d3e8
name: Azure Active Directory Hybrid Health AD FS New Server
name: Microsoft Entra ID Hybrid Health AD FS New Server
description: 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Activity/Analytic%20Rules/AADHybridHealthADFSNewServer.yaml'
version: 2.0.0

@ -1,4 +1,4 @@
id: e7af6711-6eb2-43bd-b9b8-4aa2193f5b54
name: Azure Active Directory Hybrid Health AD FS Service Delete
name: Microsoft Entra ID Hybrid Health AD FS Service Delete
description: 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Activity/Analytic%20Rules/AADHybridHealthADFSServiceDelete.yaml'
version: 2.0.0

@ -1,4 +1,4 @@
id: 49677316-622c-4935-a033-490a17b10d3f
name: Azure Active Directory Hybrid Health AD FS Suspicious Application
name: Microsoft Entra ID Hybrid Health AD FS Suspicious Application
description: 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Activity/Analytic%20Rules/AADHybridHealthADFSSuspApp.yaml'
version: 2.0.0

@ -1,4 +1,4 @@
id: cbc96b1a-efd8-42b6-aeae-db9dbc555819
name: NRT Azure Active Directory Hybrid Health AD FS New Server
name: NRT Microsoft Entra ID Hybrid Health AD FS New Server
description: 'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Activity/Analytic%20Rules/NRT-AADHybridHealthADFSNewServer.yaml'
version: 2.0.0

@ -1,7 +1,7 @@
id: 2cd8b3d5-c9e0-4be3-80f7-0469d511c3f6
name: Suspicious Sign In by AAD Connect Sync Account
name: Suspicious Sign In by Entra ID Connect Sync Account
description: |
'This query looks for sign ins by the Azure AD Connect Sync account to Azure where properties about the logon are anomalous.
'This query looks for sign ins by the Microsoft Entra ID Connect Sync account to Azure where properties about the logon are anomalous.
This query uses Microsoft Sentinel's UEBA features to detect these suspicious properties.
A threat actor may attempt to steal the Sync account credentials and use them to access Azure resources. This alert should be
reviewed to ensure that the log in came was from a legitimate source.'

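Review bot: the new name and description say 'Entra ID Connect Sync Account' and 'Microsoft Entra ID Connect Sync account', but Microsoft's rename of Azure AD Connect is Microsoft Entra Connect (no 'ID'), so 'Microsoft Entra Connect sync account' would match the product name in both lines. While this description is open, the unchanged last line 'ensure that the log in came was from a legitimate source' should read 'ensure that the sign-in came from a legitimate source'.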
@ -1,4 +1,4 @@
id: 3755058f-8d97-4fca-b543-603d56c6fd30
name: TEARDROP memory-only dropper - Migrated to new location
description: |
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/SolarWinds_TEARDROP_Process-IOCs.yaml'
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/SolarWinds_TEARDROP_Process-IOCs.yaml'

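Review bot: the new link path contains 'Microsoft%20Defender%20XDRr' with a doubled r, which cannot resolve to a real solution folder; the product is Microsoft Defender XDR, so the segment should be 'Microsoft%20Defender%20XDR' (.../Solutions/Microsoft%20Defender%20XDR/Analytic%20Rules/SolarWinds_TEARDROP_Process-IOCs.yaml). The same misspelling appears in every Defender stub in this commit, so fix it with a single search and replace before merging.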
@ -1,4 +1,4 @@
id: 8ce98f23-4a0b-4efd-ab0f-a1d06fcc94f4
name: SUNBURST and SUPERNOVA backdoor hashes
description: |
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml'
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml'

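Review bot: 'Microsoft%20Defender%20XDRr' on the new description line has the doubled r again; it should be 'Microsoft%20Defender%20XDR'. Note also that the raw '&' in SolarWinds_SUNBURST_&_SUPERNOVA_File-IOCs.yaml is carried over from the old path unencoded; it works on GitHub but is worth percent-encoding as %26 if the link is ever consumed by tooling rather than a browser.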
@ -1,4 +1,4 @@
id: 92dc16d9-efbd-4409-9f5d-54072d9e66b3
name: SUNBURST network beacons
description: |
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/SolarWinds_SUNBURST_Network-IOCs.yaml'
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/SolarWinds_SUNBURST_Network-IOCs.yaml'

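Review bot: same doubled-r path segment 'Microsoft%20Defender%20XDRr' on the new description line; correct it to 'Microsoft%20Defender%20XDR' so the SUNBURST network beacon stub points at a folder that exists.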
@ -1,7 +1,7 @@
id: 643c2025-9604-47c5-833f-7b4b9378a1f5
name: Failed AzureAD logons but success logon to AWS Console
description: |
'Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Azure Active Directory.
'Identifies a list of IP addresses with a minimum number (defualt of 5) of failed logon attempts to Microsoft Entra ID.
Uses that list to identify any successful AWS Console logons from these IPs within the same timeframe.'
severity: Medium
requiredDataConnectors:

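Review bot: 'defualt' is carried into the rewritten description line unchanged; correct it to 'default' while the line is being edited (the sibling host-logon rule already spells it correctly). The rule name 'Failed AzureAD logons but success logon to AWS Console' also keeps the old product name while its description now says Microsoft Entra ID, which leaves this rule half-renamed.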
@ -1,7 +1,7 @@
id: 8ee967a2-a645-4832-85f4-72b635bcb3a6
name: Failed AzureAD logons but success logon to host
description: |
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Azure Active Directory.
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to Microsoft Entra ID.
Uses that list to identify any successful remote logons to hosts from these IPs within the same timeframe.'
severity: Medium
requiredDataConnectors:

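Review bot: the name 'Failed AzureAD logons but success logon to host' is left with the old term while the description directly below is changed to Microsoft Entra ID; the Palo Alto VPN rule in this same commit renames both name and description, so this one should follow suit for consistency.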
@ -1,7 +1,7 @@
id: ba144bf8-75b8-406f-9420-ed74397f9479
name: IP with multiple failed Azure AD logins successfully logs in to Palo Alto VPN
name: IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN
description: |
This query creates a list of IP addresses with the number of failed login attempts to AAD
This query creates a list of IP addresses with the number of failed login attempts to Entra ID
above a set threshold ( default of 5 ). It then looks for any successful Palo Alto VPN logins from any
of these IPs within the same timeframe.
severity: Medium

@ -2,7 +2,7 @@ id: 910124df-913c-47e3-a7cd-29e1643fa55e
name: Failed AWS Console logons but success logon to AzureAD
description: |
'Identifies a list of IP addresses with a minimum number (default of 5) of failed logon attempts to AWS Console.
Uses that list to identify any successful Azure Active Directory logons from these IPs within the same timeframe.'
Uses that list to identify any successful Microsoft Entra ID logons from these IPs within the same timeframe.'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActiveDirectory

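Review bot: the name 'Failed AWS Console logons but success logon to AzureAD' is untouched while the description line beneath it is renamed; either update the name to Microsoft Entra ID or state why display names for this rule are out of scope. The connectorId AzureActiveDirectory context line is correctly unchanged, since connector identifiers must keep their original value.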
@ -1,5 +1,5 @@
id: 649c81c2-0388-40ca-80b1-868d9df2ed9b
name: Authentication Methods Changed for Privileged Account
description: |
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml'
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AuthenticationMethodsChangedforPrivilegedAccount.yaml'
version: 1.0.6

@ -2,7 +2,7 @@ id: 1ce5e766-26ab-4616-b7c8-3b33ae321e80
|
|||
name: Failed host logons but success logon to AzureAD
|
||||
description: |
|
||||
'Identifies a list of IP addresses with a minimum number(default of 5) of failed logon attempts to remote hosts.
|
||||
Uses that list to identify any successful logons to Azure Active Directory from these IPs within the same timeframe.'
|
||||
Uses that list to identify any successful logons to Microsoft Entra ID from these IPs within the same timeframe.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
|
|
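Review bot: `name: Failed host logons but success logon to AzureAD` stays as context while the description below it moves to Microsoft Entra ID, the same half-rename as in the AWS Console rule; rename the title here too. While the description is open, `minimum number(default of 5)` is missing the space before the parenthesis.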
@ -1,4 +1,4 @@
|
|||
id: 30b19d44-fe51-4626-9444-1fd1cd5e2ac4
|
||||
name: Potential Build Process Compromise - MDE
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/PotentialBuildProcessCompromiseMDE.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/PotentialBuildProcessCompromiseMDE.yaml'
|
|
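Review bot: the new path segment `Microsoft%20Defender%20XDRr` has a doubled `r`; the prose renames elsewhere in this commit use `Microsoft Defender XDR`, so this URL cannot resolve. Change it to `Microsoft%20Defender%20XDR`, and confirm that renamed solution folder exists, since the old `Microsoft%20365%20Defender` pointer is being removed.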
@ -1,5 +1,5 @@
|
|||
id: 9458956f-1489-45f8-a0e0-f9eab679f225
|
||||
name: Privileged Accounts - Sign in Failure Spikes
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/PrivilegedAccountsSigninFailureSpikes.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/PrivilegedAccountsSigninFailureSpikes.yaml'
|
||||
version: 1.0.2
|
|
@ -1,4 +1,4 @@
|
|||
id: 113c5614-cfab-4a58-9f63-9e189cd1e01f
|
||||
name: SUNSPOT malware hashes
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/SUNSPOTHashes.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/SUNSPOTHashes.yaml'
|
|
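Review bot: `Microsoft%20Defender%20XDRr` (doubled `r`) again in the SUNSPOT redirect URL; same fix as the Potential Build Process Compromise stub.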
@ -1,8 +1,8 @@
|
|||
id: 157c0cfc-d76d-463b-8755-c781608cdc1a
|
||||
name: Cisco - firewall block but success logon to Azure AD
|
||||
name: Cisco - firewall block but success logon to Microsoft Entra ID
|
||||
description: |
|
||||
'Correlate IPs blocked by a Cisco firewall appliance with successful Azure Active Directory signins.
|
||||
Because the IP was blocked by the firewall, that same IP logging on successfully to AAD is potentially suspect
|
||||
'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.
|
||||
Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect
|
||||
and could indicate credential compromise for the user account.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
|
|
@ -1,7 +1,7 @@
|
|||
id: 779731f7-8ba0-4198-8524-5701b7defddc
|
||||
name: M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity
|
||||
description: |
|
||||
'This content is employed to correlate with Microsoft 365 Defender phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.'
|
||||
'This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: OfficeATP
|
||||
|
|
|
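Review bot: the description is moved to `Microsoft Defender XDR`, but the `name:` context line still reads `M365D Alerts Correlation ...`; if this is meant to be a complete rename the title should say `Microsoft Defender XDR Alerts Correlation ...`, otherwise the rule appears under the old product name while describing the new one.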
@ -2,7 +2,7 @@ id: 1cc0ba27-c5ca-411a-a779-fbc89e26be83
|
|||
name: Suspicious VM Instance Creation Activity Detected
|
||||
description: |
|
||||
'
|
||||
This detection identifies high-severity alerts across various Microsoft security products, including Microsoft 365 Defender and Azure Active Directory, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
|
||||
This detection identifies high-severity alerts across various Microsoft security products, including Microsoft Defender XDR and Microsoft Entra ID, and correlates them with instances of Google Cloud VM creation. It focuses on instances where VMs were created within a short timeframe of high-severity alerts, potentially indicating suspicious activity.
|
||||
'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
id: 04388176-79ac-4d52-87c0-ab597b33e9a7
|
||||
name: External guest invitation followed by Azure AD PowerShell signin
|
||||
name: External guest invitation followed by Microsoft Entra ID PowerShell signin
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/UnusualGuestActivity.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/UnusualGuestActivity.yaml'
|
||||
version: 1.0.6
|
|
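Review bot: `Azure AD PowerShell` in this title names the AzureAD PowerShell module, the first-party application whose sign-ins the rule correlates with the guest invitation, and that module kept its name through the Entra rebranding; `Microsoft Entra ID PowerShell` names a client that does not exist and hides what the rule actually keys on. Keep the module name in the title (for example `External guest invitation followed by Azure AD PowerShell (AzureAD module) signin`) rather than applying the blanket substitution.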
@ -1,7 +1,7 @@
|
|||
id: f4a28082-2808-4783-9736-33c1ae117475
|
||||
name: High-Risk Cross-Cloud User Impersonation
|
||||
description: |
|
||||
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Azure AD Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
|
||||
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
- connectorId: AWS
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 3b446b66-acec-4cf8-9048-179eed4c81d5
|
||||
name: AV detections related to SpringShell Vulnerability
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/AVSpringShell.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/AVSpringShell.yaml'
|
||||
|
|
|
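Review bot: `Microsoft%20Defender%20XDRr` (doubled `r`) in the new AVSpringShell URL; the same typo appears in the Potential Build Process Compromise and SUNSPOT stubs and should be fixed in all of them before merge.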
@ -1,4 +1,4 @@
|
|||
id: 8a20a6ab-da88-4634-b8a2-d026b7c940ff
|
||||
name: AV detections related to Tarrask malware
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/AVTarrask.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/AVTarrask.yaml'
|
|
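Review bot: `Microsoft%20Defender%20XDRr` (doubled `r`) in the new AVTarrask URL; fix to `Microsoft%20Defender%20XDR`.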
@ -1,4 +1,4 @@
|
|||
id: af6890bb-f364-4089-ab6a-2ec97ab8b46e
|
||||
name: AV detections related to Ukraine threats
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20365%20Defender/Analytic%20Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Defender%20XDRr/Analytic%20Rules/AVdetectionsrelatedtoUkrainebasedthreats.yaml'
|
|
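Review bot: `Microsoft%20Defender%20XDRr` (doubled `r`) in the new Ukraine-threats URL; fix to `Microsoft%20Defender%20XDR`.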
@ -1,5 +1,5 @@
|
|||
id: fa6cfcf1-b267-46d4-b348-ae7870325507
|
||||
name: Correlate Unfamiliar sign-in properties and atypical travel alerts
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory%20Identity%20Protection/Analytic%20Rules/CorrelateIPC_Unfamiliar-Atypical.yaml'
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID%20Identity%20Protection/Analytic%20Rules/CorrelateIPC_Unfamiliar-Atypical.yaml'
|
||||
version: 1.0.3
|
|
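Review bot: the new path `Microsoft%20Entra%20ID%20Identity%20Protection` looks like a mechanical substitution of `Azure Active Directory` inside `Azure Active Directory Identity Protection`; the product is now Microsoft Entra ID Protection (the word `Identity` was dropped in the rename), so check the real solution folder name and adjust the URL, otherwise this stub points at a folder that is unlikely to exist.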
@ -1,7 +1,7 @@
|
|||
id: 1f3b4dfd-21ff-4ed3-8e27-afc219e05c50
|
||||
name: Detect PIM Alert Disabling activity
|
||||
description: |
|
||||
'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Azure Active Directory (Azure AD) organization.
|
||||
'Privileged Identity Management (PIM) generates alerts when there is suspicious or unsafe activity in Microsoft Entra ID (Azure AD) organization.
|
||||
This query will help detect attackers attempts to disable in product PIM alerts which are associated with Azure MFA requirements and could indicate activation of privileged access'
|
||||
severity: Medium
|
||||
requiredDataConnectors:
|
||||
|
|
|
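Review bot: after the substitution the line reads `Microsoft Entra ID (Azure AD) organization`, which presents the old name as an alias of the new one; write `Microsoft Entra ID (formerly Azure Active Directory)` so the parenthetical explains the rename instead of confusing it. The next context line still says `Azure MFA requirements`; if the rename is meant to be complete, that is now `Microsoft Entra multifactor authentication`.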
@ -1,7 +1,7 @@
|
|||
id: f819c592-c5f9-4d5c-a79f-1e6819863533
|
||||
name: Azure AD Health Monitoring Agent Registry Keys Access
|
||||
name: Microsoft Entra ID Health Monitoring Agent Registry Keys Access
|
||||
description: |
|
||||
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Azure AD Health monitoring agent.
|
||||
'This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent.
|
||||
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent.
|
||||
You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
|
||||
'
|
||||
|
|
|
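Review bot: the agent this rule audits is the Azure AD Connect Health monitoring agent (the SACL target `HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent` and the referenced `aad_connect_health_monitoring_agent.yml` both belong to Connect Health), and that product is now Microsoft Entra Connect Health, not `Microsoft Entra ID Health`; rename the title and description to `Microsoft Entra Connect Health monitoring agent` rather than applying the generic substitution.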
@ -1,7 +1,7 @@
|
|||
id: 06bbf969-fcbe-43fa-bac2-b2fa131d113a
|
||||
name: Azure AD Health Service Agents Registry Keys Access
|
||||
name: Microsoft Entra ID Health Service Agents Registry Keys Access
|
||||
description: |
|
||||
'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Azure AD Health service agents (e.g AD FS).
|
||||
'This detection uses Windows security events to detect suspicious access attempts to the registry key values and sub-keys of Microsoft Entra ID Health service agents (e.g AD FS).
|
||||
Information from AD Health service agents can be used to potentially abuse some of the features provided by those services in the cloud (e.g. Federation).
|
||||
This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object: HKLM:\SOFTWARE\Microsoft\ADHealthAgent.
|
||||
Make sure you set the SACL to propagate to its sub-keys. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_service_agent.yml
|
||||
|
|
|
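Review bot: as with the monitoring-agent rule, `Microsoft Entra ID Health service agents` should read `Microsoft Entra Connect Health service agents`, and the unchanged context line `Information from AD Health service agents ...` should use the same wording so the description does not refer to one product by three names.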
@ -1,5 +1,5 @@
|
|||
id: e6e43b3a-6fee-4c9d-9403-10a28b7078ab
|
||||
name: AAD Local Device Join Information and Transport Key Registry Keys Access
|
||||
name: Entra ID Local Device Join Information and Transport Key Registry Keys Access
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Windows%20Security%20Events/Analytic%20Rules/LocalDeviceJoinInfoAndTransportKeyRegKeysAccess.yaml'
|
||||
version: 1.0.1
|
|
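Review bot: this title is renamed to the short form `Entra ID` while most titles in the commit use `Microsoft Entra ID` (compare `Password spray attack against Microsoft Entra ID Seamless SSO`); the short form also appears in `Entra ID Conditional Access Disabled`, `Anomalous Entra ID Account Manipulation`, `Anomalous Entra ID Account Creation` and the two `Entra ID group/role adds` rules. Pick one form (Microsoft's own usage is `Microsoft Entra ID`) and apply it across the whole commit.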
@ -1,5 +1,5 @@
|
|||
id: 7820558f-caae-4436-9f98-a51cde2d6154
|
||||
name: Password spray attack against ADFSSignInLogs
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/ADFSSignInLogsPasswordSpray.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/ADFSSignInLogsPasswordSpray.yaml'
|
||||
version: 1.0.0
|
|
@ -1,5 +1,5 @@
|
|||
id: 0269c54a-8ec8-4f92-8948-da4c9fe6521f
|
||||
name: Anomalous sign-in location by user account and authenticating application
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml'
|
||||
version: 1.0.1
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
id: 00000003-0000-0000-c000-000000000000
|
||||
name: Azure Active Directory PowerShell accessing non-AAD resources
|
||||
name: Microsoft Entra ID PowerShell accessing non-Entra ID resources
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AzureAADPowerShellAnomaly.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AzureAADPowerShellAnomaly.yaml'
|
||||
version: 1.0.1
|
|
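Review bot: `Azure Active Directory PowerShell` in this title is the AzureAD PowerShell module, whose name did not change with the rebranding, so `Microsoft Entra ID PowerShell accessing non-Entra ID resources` misnames the client the rule detects. Keep the module's name in the title; leaving the redirect target `AzureAADPowerShellAnomaly.yaml` unchanged is the right call, since file names are identifiers.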
@ -1,5 +1,5 @@
|
|||
id: 71D86715-5596-4529-9B13-DA13A5DE5B63
|
||||
name: Azure Portal Signin from another Azure Tenant
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AzurePortalSigninfromanotherAzureTenant.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/AzurePortalSigninfromanotherAzureTenant.yaml'
|
||||
version: 1.3.0
|
|
@ -1,5 +1,5 @@
|
|||
id: 0f872637-8817-44a0-bb9d-ceab3dbd4ecd
|
||||
name: Brute Force Attack against GitHub Account
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Brute%20Force%20Attack%20against%20GitHub%20Account.yaml'
|
||||
version: 1.0.0
|
|
@ -1,5 +1,5 @@
|
|||
id: 01cc337d-a5e6-4a0f-b65d-6908cdbb8166
|
||||
name: Brute force attack against a Cloud PC
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/BruteForceCloudPC.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/BruteForceCloudPC.yaml'
|
||||
version: 1.0.1
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
id: e59d1916-19b2-4ddb-a6f7-dc6c4a252e30
|
||||
name: Attempt to bypass conditional access rule in Azure AD
|
||||
name: Attempt to bypass conditional access rule in Microsoft Entra ID
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/BypassCondAccessRule.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/BypassCondAccessRule.yaml'
|
||||
version: 1.0.3
|
|
@ -1,5 +1,5 @@
|
|||
id: de67574e-790f-44a6-9ca0-92ebfa48817f
|
||||
name: Attempts to sign in to disabled accounts
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/DisabledAccountSigninsAcrossManyApplications.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/DisabledAccountSigninsAcrossManyApplications.yaml'
|
||||
version: 1.0.1
|
|
@ -1,5 +1,5 @@
|
|||
id: 87459d4d-6d12-4730-ba17-1a017fdb2774
|
||||
name: Distributed Password cracking attempts in AzureAD
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/DistribPassCrackAttempt.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/DistribPassCrackAttempt.yaml'
|
||||
version: 1.0.1
|
|
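Review bot: `name: Distributed Password cracking attempts in AzureAD` is left as context while neighbouring stubs have their titles renamed (e.g. `Attempt to bypass conditional access rule in Microsoft Entra ID`); either this one was missed or the title rename is intentionally partial, and the commit should be consistent one way or the other.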
@ -1,5 +1,5 @@
|
|||
id: 4bcf5724-c348-4f89-999a-f937f2246020
|
||||
name: Explicit MFA Deny
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/ExplicitMFADeny.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/ExplicitMFADeny.yaml'
|
||||
version: 1.0.1
|
|
@ -1,5 +1,5 @@
|
|||
id: 149c628b-7ae8-421a-9ef9-76d30d57d7a5
|
||||
name: Failed login attempts to Azure Portal
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/FailedLogonToAzurePortal.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/FailedLogonToAzurePortal.yaml'
|
||||
version: 1.0.3
|
|
@ -1,5 +1,5 @@
|
|||
id: f8100782-cb35-466b-831a-72ef4c53edfd
|
||||
name: MFA Rejected by User
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/MFARejectedbyUser.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/MFARejectedbyUser.yaml'
|
||||
version: 1.0.4
|
||||
|
|
|
@ -1,5 +1,5 @@
|
|||
id: f33e8879-bd6e-4313-9ffc-f3d43c74c41e
|
||||
name: NRT MFA Rejected by User
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/NRT_MFARejectedbyUser.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/NRT_MFARejectedbyUser.yaml'
|
||||
version: 1.0.1
|
|
@ -1,5 +1,5 @@
|
|||
id: 15022eca-c933-4c3b-9e25-650c915df33c
|
||||
name: Password spray attack against Azure AD Seamless SSO
|
||||
name: Password spray attack against Microsoft Entra ID Seamless SSO
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SeamlessSSOPasswordSpray.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SeamlessSSOPasswordSpray.yaml'
|
||||
version: 1.0.1
|
|
@ -1,5 +1,5 @@
|
|||
id: 9657ec20-e013-4cc5-bd45-a3d79dd38558
|
||||
name: GitHub Signin Burst from Multiple Locations
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/Sign-in%20Burst%20from%20Multiple%20 Locations.yaml'
|
||||
'As part of content migration, this file is moved to new location. you can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/Sign-in%20Burst%20from%20Multiple%20 Locations.yaml'
|
||||
version: 1.0.0
|
|
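Review bot: the new URL carries over a stray space in `Sign-in%20Burst%20from%20Multiple%20 Locations.yaml` (`%20` followed by a literal space), so the link is broken before and after this change; since the line is being rewritten anyway, fix it to `Sign-in%20Burst%20from%20Multiple%20Locations.yaml`.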
@ -1,5 +1,5 @@
|
|||
id: 5dab366d-efcb-422f-8b63-f91d688d8f28
|
||||
name: Sign-ins from IPs that attempt sign-ins to disabled accounts
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SigninAttemptsByIPviaDisabledAccounts.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SigninAttemptsByIPviaDisabledAccounts.yaml'
|
||||
version: 1.1.1
|
|
@ -1,5 +1,5 @@
|
|||
id: fbc7167c-c6c9-4689-932a-affe3123de87
|
||||
name: Brute force attack against Azure Portal
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SigninBruteForce-AzurePortal.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SigninBruteForce-AzurePortal.yaml'
|
||||
version: 2.1.0
|
|
@ -1,5 +1,5 @@
|
|||
id: 67bf9e2f-5454-4a95-95ae-28930915eb24
|
||||
name: Password spray attack against Azure AD application
|
||||
name: Password spray attack against Microsoft Entra ID application
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SigninPasswordSpray.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SigninPasswordSpray.yaml'
|
||||
version: 1.0.2
|
|
@ -1,5 +1,5 @@
|
|||
id: f37ad409-e70d-4852-8996-7e0726015620
|
||||
name: Successful logon from IP and failure from a different IP
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/SuccessThenFail_DiffIP_SameUserandApp.yaml'
|
||||
version: 1.1.1
|
|
@ -1,5 +1,5 @@
|
|||
id: 0a148944-dbbb-454f-a032-48ef02d0a0d7
|
||||
name: User Accounts - Sign in Failure due to CA Spikes
|
||||
description: |
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/UserAccounts-CABlockedSigninSpikes.yaml'
|
||||
'As part of content migration, this file is moved to a new location. You can find it here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft%20Entra%20ID/Analytic%20Rules/UserAccounts-CABlockedSigninSpikes.yaml'
|
||||
version: 1.0.1
|
|
@ -1,7 +1,7 @@
|
|||
id: 9b4a1f38-2fae-44dd-9e85-685a2e4b9bb5
|
||||
name: Users Authenticating to Other Azure AD Tenants
|
||||
name: Users Authenticating to Other Microsoft Entra ID Tenants
|
||||
description: |
|
||||
'Detects when a user has successfully authenticated to another Azure AD tenant with an identity in your organization's tenant.
|
||||
'Detects when a user has successfully authenticated to another Microsoft Entra ID tenant with an identity in your organization's tenant.
|
||||
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectory
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: db57233e-c058-4a5b-b609-ebe96c336e63
|
||||
name: Azure DevOps- AAD Conditional Access Disabled
|
||||
name: Azure DevOps- Entra ID Conditional Access Disabled
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/AzureDevOpsAuditing/Analytic%20Rules/AAD%Conditional%Access%Disabled.yaml'
|
|
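Review bot: the context line's URL `Analytic%20Rules/AAD%Conditional%Access%Disabled.yaml` is malformed: `%C`, `%A` and `%D` are not valid percent-escapes, so the link does not resolve regardless of the rename. The title in this hunk is being edited to `Entra ID Conditional Access Disabled`, so take the opportunity to fix the escapes to `%20` (`AAD%20Conditional%20Access%20Disabled.yaml`).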
@ -1,7 +1,7 @@
|
|||
id: c7f03700-8bbe-4838-9e78-4852ef21609b
|
||||
name: Storage File Seen on Endpoint
|
||||
description: |
|
||||
'Finds instances where a file uploaded to blob or file storage and it is seen on an endpoint by Microsoft 365 Defender.'
|
||||
'Finds instances where a file uploaded to blob or file storage and it is seen on an endpoint by Microsoft Defender XDR.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
dataTypes:
|
||||
|
|
|
@ -1,4 +1,4 @@
|
|||
id: 078a6526-e94e-4cf1-a08e-83bc0186479f
|
||||
name: Anomalous AAD Account Manipulation
|
||||
name: Anomalous Entra ID Account Manipulation
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here https://githubusercontent.com/Azure/Azure-Sentinel/blob/master/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20AAD%20Account%20Manipulation.yaml'
|
|
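Review bot: the redirect URL uses the host `githubusercontent.com` with a `/blob/master/` path; that combination does not resolve (`/blob/` paths live on `github.com`, and `raw.githubusercontent.com` uses no `blob` segment). The hunk changes only the title, but a stub whose sole purpose is the pointer should have a working pointer: change the host to `github.com`.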
@ -1,4 +1,4 @@
|
|||
id: 6a497dfd-f4a5-4a60-949a-10ce6f505d3e
|
||||
name: Anomalous AAD Account Creation
|
||||
name: Anomalous Entra ID Account Creation
|
||||
description: |
|
||||
'As part of content migration, this file is moved to new location. You can find here https://githubusercontent.com/Azure/Azure-Sentinel/blob/master/Solutions/UEBA%20Essentials/Hunting%20Queries/Anomalous%20Account%20Creation.yaml'
|
|
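Review bot: same broken host (`githubusercontent.com` with `/blob/master/`) in the Anomalous Account Creation stub; change it to `github.com`.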
@ -1,7 +1,7 @@
|
|||
id: f5e4d3c2-b1a0-4f9d-8e7c-6b5a4d3e2c1f
|
||||
name: AAD group adds in the last 7 days
|
||||
name: Entra ID group adds in the last 7 days
|
||||
description: |
|
||||
This query looks for AAD group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
|
||||
This query looks for Entra ID group adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
dataTypes:
|
||||
|
|
|
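Review bot: the description line is being rewritten, so fix its grammar at the same time: `It will require an corresponding app connector` should read `It requires a corresponding app connector`.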
@ -1,7 +1,7 @@
|
|||
id: d7f6e5c4-b3a2-4e9f-8d7c-6a5b4c3d2e1f
|
||||
name: AAD role adds in the last 7 days
|
||||
name: Entra ID role adds in the last 7 days
|
||||
description: |
|
||||
This query looks for AAD role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
|
||||
This query looks for Entra ID role adds identified by Microsoft Defender for Cloud Apps. It will require an corresponding app connector in Microsoft Defender for Cloud Apps.
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
dataTypes:
|
||||
|
|
|
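Review bot: same `an corresponding` in the role-adds description; change to `a corresponding` in the rewritten line.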
@ -1,7 +1,7 @@
|
|||
id: c561bf69-6a6c-4d0a-960a-b69e0e7c8f51
|
||||
name: EncodedDomainURL [Nobelium]
|
||||
description: |
|
||||
Looks for a logon domain in the Azure AD logs, encoded with the same DGA encoding used in the Nobelium campaign.
|
||||
Looks for a logon domain in the Microsoft Entra ID logs, encoded with the same DGA encoding used in the Nobelium campaign.
|
||||
See Important steps for customers to protect themselves from recent nation-state cyberattacks for more on the Nobelium campaign (formerly known as Solorigate).
|
||||
This query is inspired by an Azure Sentinel detection.
|
||||
References:
|
||||
|
|
|
@ -6,7 +6,7 @@ description: |
|
|||
The actor, Nobelium, was observed modifying domain trust settings to subvert existing mechanisms and cause the domain to accept authorization tokens signed with actor-owned certificates. See Customer Guidance on Recent Nation-State Cyber Attacks.
|
||||
To understand why an authorized user may update settings for a federated domain in Office 365, Azure, or Intune, see Update or repair the settings of a federated domain in Office 365, Azure, or Intune.
|
||||
For details on security realms that accept security tokens, see the ADFS Proxy Protocol (MS-ADFSPP) specification: 3.2.5.1.2.4 Security Realm Data.
|
||||
For further information on AuditLogs, please see Azure AD audit activity reference.
|
||||
For further information on AuditLogs, please see Microsoft Entra ID audit activity reference.
|
||||
This query is inspired by an Azure Sentinal detection.
|
||||
References:
|
||||
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
|
||||
|
|
|
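Review bot: the context line two below the change reads `This query is inspired by an Azure Sentinal detection`; a rebranding pass is the natural place to fix the typo (`Sentinel`) and the product name (`Azure Sentinel` is now `Microsoft Sentinel`), so extend the hunk by one line rather than leave it for a later commit.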
@ -5,7 +5,7 @@ description: |
|
|||
The Microsoft Defender for Endpoint sensor is one of the processes the malware attempts to disable.
|
||||
Microsoft Defender for Endpoint has built-in protections against many techniques attackers use to disable endpoint sensors ranging from hardened OS protection, anti-tampering policies, and detections for a variety of tampering attempts, including "Attempt to stop Microsoft Defender for Endpoint sensor", "Tampering with Microsoft Defender for Endpoint sensor settings", or "Possible sensor tampering in memory".
|
||||
Successfully disabling Microsoft Defender for Endpoint can prevent the system from reporting observed activities.
|
||||
However, the multitude of signals reported into Microsoft 365 Defender provides a unique opportunity to hunt for systems where the tampering technique used might have been successful.
|
||||
However, the multitude of signals reported into Microsoft Defender XDR provides a unique opportunity to hunt for systems where the tampering technique used might have been successful.
|
||||
The following advanced hunting query can be used to locate devices that should be reporting but aren't:
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
|
|
|
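Review bot: only the prose line is renamed here ("Microsoft 365 Defender" to "Microsoft Defender XDR") while the `connectorId: MicrosoftThreatProtection` context line is left as is; that is correct, since the connector id is a stable identifier rather than a display name, but it is worth checking that no other display-name occurrence of "Microsoft 365 Defender" remains elsewhere in this file so the description and the rest of the rule do not use two names for one product.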
@ -1,7 +1,7 @@
|
|||
id: 634dfbd6-0a42-40da-854e-2161cf137f14
|
||||
name: UpdateStsRefreshToken[Solorigate]
|
||||
description: |
|
||||
This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identification and obtain access tokens. This event is most often generated when legitimate administrators troubleshoot frequent AAD user sign-ins but may also be generated as a result of malicious token extensions. Confirm that the activity is related to an administrator legitimately modifying STS refresh tokens and check the new token validation time period for high values.
|
||||
This will show Active Directory Security Token Service (STS) refresh token modifications by Service Principals and Applications other than DirectorySync. Refresh tokens are used to validate identification and obtain access tokens. This event is most often generated when legitimate administrators troubleshoot frequent Entra ID user sign-ins but may also be generated as a result of malicious token extensions. Confirm that the activity is related to an administrator legitimately modifying STS refresh tokens and check the new token validation time period for high values.
|
||||
Query insprired by Azure Sentinel detection https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/StsRefreshTokenModification.yaml
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
|
|
|
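Review bot: the rename in this hunk is partial within the same paragraph: the changed line now says "Entra ID user sign-ins" while the sentence that opens it still reads "Active Directory Security Token Service (STS)", and the following context line keeps the typo "insprired". Suggest updating the whole description consistently in this pass, e.g. "Microsoft Entra ID Security Token Service (STS)" and "Query inspired by Azure Sentinel detection", so a reader is not left with both old and new product names in one description.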
@ -1,7 +1,7 @@
|
|||
id: 67c763f7-c4fd-4b0f-9d4b-19246d1ec6d7
|
||||
name: MailItemsAccessed Throttling [Nobelium]
|
||||
description: |
|
||||
The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft 365 Defender. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription.
|
||||
The MailItemsAccessed action is part of the new Advanced Audit functionality of Microsoft Defender XDR. It's part of Exchange mailbox auditing and is enabled by default for users that have an Office 365 or Microsoft 365 E5 license, or for organizations with a Microsoft 365 E5 Compliance add-on subscription.
|
||||
If more than 1,000 MailItemsAccessed audit records are generated in less than 24 hours, Exchange Online will stop generating auditing records for MailItemsAccessed activity. When a mailbox is throttled, MailItemsAccessed activity will not be logged for 24 hours after the mailbox was throttled. If this occurs, there's a potential that mailbox could have been compromised during this period. The recording of MailItemsAccessed activity will be resumed following a 24-hour period.
|
||||
The query is looking for MailItemsAccessed Throttling events where the operation is done by a ClientApplication.
|
||||
See The MailItemsAccessed mailbox auditing action.
|
||||
|
|
|
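Review bot: the mechanical substitution here attributes the "Advanced Audit functionality" to Microsoft Defender XDR, but the surrounding context lines describe Exchange mailbox auditing gated by E5 or E5 Compliance licensing, which is a Microsoft Purview audit feature rather than a Defender XDR feature. Before merging, confirm which product this sentence should reference; a rename that carries an existing misattribution forward is easy to miss in a bulk find-and-replace commit.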
@ -1,7 +1,7 @@
|
|||
id: 959f8d6a-53b8-488f-a628-999b3410702e
|
||||
name: SuspiciousUrlClicked
|
||||
description: |
|
||||
This query correlates Microsoft Defender for Office 365 signals and Azure Active Directory (Azure AD) identity data to find the relevant endpoint event BrowerLaunchedToOpen in Microsoft Defender ATP.
|
||||
This query correlates Microsoft Defender for Office 365 signals and Microsoft Entra ID identity data to find the relevant endpoint event BrowerLaunchedToOpen in Microsoft Defender ATP.
|
||||
This event reflects relevant clicks on the malicious URL in the spear-phishing email recognized by Microsoft Defender for Office 365.
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
|
|
|
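Review bot: this sentence is only half-modernized: "Azure Active Directory (Azure AD)" becomes "Microsoft Entra ID", but "Microsoft Defender ATP" in the same line is also a retired name (now Microsoft Defender for Endpoint) and is left untouched. While editing the line, also check the event name "BrowerLaunchedToOpen", which looks like a misspelling of the DeviceEvents action type (BrowserLaunchedToOpenUrl); verify it against the schema so the description matches what the query actually filters on.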
@ -3,7 +3,7 @@ name: jar-attachments
|
|||
description: |
|
||||
This query was originally published in the threat analytics report, Adwind utilizes Java for cross-platform impact.
|
||||
Adwind is a remote access tool (RAT) that takes advantage of the cross-platform capabilities of the Java framework. It can check which operating system a target is running and adapt accordingly, allowing it to successfully compromise both Windows and macOS devices.
|
||||
The query below must be run in Microsoft 365 Defender. This query detects events where a single Java archive, or JAR file, was attached to an incoming email. Since Adwind is distributed as a JAR file, this can help detect the initial access stage of a Adwind attack. Note that, although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar techniques. Also note that JAR attachments are not necessarily or even often malware, and that further research will be needed to determine if query results are associated with malicious behavior.
|
||||
The query below must be run in Microsoft Defender XDR. This query detects events where a single Java archive, or JAR file, was attached to an incoming email. Since Adwind is distributed as a JAR file, this can help detect the initial access stage of a Adwind attack. Note that, although the behavior detected by this query is typical of attacks that use Adwind malware, unrelated attacks may use the same or similar techniques. Also note that JAR attachments are not necessarily or even often malware, and that further research will be needed to determine if query results are associated with malicious behavior.
|
||||
See Hiding a Java class file for an additional query that detects behavior associated with Adwind attacks.
|
||||
requiredDataConnectors:
|
||||
- connectorId: MicrosoftThreatProtection
|
||||
|
|
|
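Review bot: the rewritten line keeps the grammatical slip "the initial access stage of a Adwind attack"; since the line is being touched anyway, change it to "an Adwind attack". The product rename itself ("Microsoft 365 Defender" to "Microsoft Defender XDR") is consistent with the other hunks in this commit.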
@ -4,8 +4,8 @@ description: |
|
|||
This query will find when a new credential is added to an application or service principal.
|
||||
The Nobelium activity group was able to gain sufficient access to add credentials to existing applications with mail read permissions. They used that access to exfiltrate email.
|
||||
See Customer Guidance on Recent Nation-State Cyber Attacks for more on the Nobelium campaign (formerly known as Solorigate).
|
||||
Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or Azure AD audit activity reference.
|
||||
For further information on AuditLogs please see Azure AD audit activity reference.
|
||||
Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or Microsoft Entra ID audit activity reference.
|
||||
For further information on AuditLogs please see Microsoft Entra ID audit activity reference.
|
||||
This query was inspired by an Azure Sentinel detection.
|
||||
References:
|
||||
https://msrc-blog.microsoft.com/2020/12/13/customer-guidance-on-recent-nation-state-cyber-attacks/
|
||||
|
|
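Review bot: both renamed lines in this hunk are consistent with each other, but the first of them still points readers to "RFC 6749 Section 4.4" for information on credential grants; that section defines the client credentials grant (how a client authenticates with a credential it already has), not how credentials are added to an application or service principal, which is what this query detects. Consider rewording the sentence or dropping the RFC pointer so the description does not send analysts to an unrelated section.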