Upd Tactics/Techniques, combined hunting folder
Родитель
7f6607ed7f
Коммит
d7e77b4a33
|
@ -6,27 +6,22 @@ requiredDataConnectors:
|
|||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
- AzureDevOpsAuditing
|
||||
severity: High
|
||||
severity: Medium
|
||||
queryFrequency: 4h
|
||||
queryPeriod: 4h
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Persistence
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
query: |
|
||||
|
||||
let timeframe = 4h;
|
||||
// Change to true to monitor for Project Administrator adds to *any* project
|
||||
let MontiorAllProjects = false;
|
||||
let MonitorAllProjects = false;
|
||||
// If MonitorAllProjects is false, trigger only on Project Administrator add for the following projects
|
||||
let ProjectsToMonitor = datatable(ProjectName:string)
|
||||
[
|
||||
'ProjectA',
|
||||
'ProjectC'
|
||||
];
|
||||
let ProjectsToMonitor = dynamic(['<project_X>','<project_Y>']);
|
||||
AzureDevOpsAuditing
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| where Area == "Group" and OperationName == "Group.UpdateGroupMembership.Add"
|
||||
|
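Review bot: The rule-level `severity` drops to Medium here while the query in the next hunk (L110) still derives a per-row `Severity` of 'High' for Organization-level group adds; the static field is what the alert carries, so either the Organization case loses its High rating or the row column has to be wired to the alert through alertDetailsOverride (alertSeverityColumnName), if this template format supports it. Separately, `ProjectsToMonitor` is now `dynamic(['<project_X>','<project_Y>'])` while `MonitorAllProjects` stays false, so project-level adds match nothing until an operator replaces the placeholders and only the `Level == 'Organization'` branch can fire. A comment above that line would make the deployment expectation explicit: `// Replace the placeholders with real project names, or set MonitorAllProjects = true; with placeholders left in place only Organization-level adds are reported`. The query body continues outside this hunk.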
@ -35,7 +30,7 @@ query: |
|
|||
| parse Details with AddedIdentity ' was added as a member of group [' EntityName ']\\' GroupName
|
||||
| extend Level = iif(GroupName == 'Project Collection Administrators', 'Organization', 'Project'), AddedIdentityId = Data.MemberId
|
||||
| extend Severity = iif(Level == 'Organization', 'High', 'Medium'), AlertDetails = strcat('At ', TimeGenerated, ' UTC ', ActorUPN, '/', ActorDisplayName, ' added ', AddedIdentity, ' to the ', EntityName, ' ', Level)
|
||||
| where (MontiorAllProjects == true or EntityName in (ProjectsToMonitor)) or Level == 'Organization'
|
||||
| where MonitorAllProjects == true or EntityName in (ProjectsToMonitor) or Level == 'Organization'
|
||||
| project TimeGenerated, Severity, Adder = ActorUPN, AddedIdentity, AddedIdentityId, AlertDetails, Level, EntityName, GroupName, ActorAuthType = AuthenticationMechanism,
|
||||
ActorIpAddress = IpAddress, ActorUserAgent = UserAgent, RawDetails = Details
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = Adder, IPCustomEntity = ActorIpAddress
|
|
@ -12,9 +12,7 @@ queryPeriod: 14d
|
|||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Execution
|
||||
- Impact
|
||||
- PrivilegeEscalation
|
||||
- Persistence
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
query: |
|
||||
|
@ -22,7 +20,7 @@ query: |
|
|||
let starttime = 14d;
|
||||
let endtime = 3h;
|
||||
// Add full UPN (user@domain.com) to Authorized Bypassers to ignore policy bypasses by certain authorized users
|
||||
let AuthorizedBypassers = datatable(UPN:string)['foo@baz.com', 'test@foo.com'];
|
||||
let AuthorizedBypassers = dynamic(['foo@baz.com', 'test@foo.com']);
|
||||
let historicBypassers = AzureDevOpsAuditing
|
||||
| where TimeGenerated between (ago(starttime) .. ago(endtime))
|
||||
| where OperationName == 'Git.RefUpdatePoliciesBypassed'
|
|
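Review bot: `AuthorizedBypassers` still carries the sample UPNs `'foo@baz.com'` and `'test@foo.com'` as live allowlist values, so a tenant that deploys the template unchanged silently ignores policy bypasses by any identity that happens to use those UPNs. The project-admin rule in this same commit uses `<project_X>` style placeholders for its equivalent list; the same convention here, `let AuthorizedBypassers = dynamic([]);` or `dynamic(['<user@domain.com>'])`, keeps the list inert until an operator fills it in. An empty `dynamic([])` default is safe for a later `in (AuthorizedBypassers)` test, which then simply matches nothing. The query continues outside this hunk.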
@ -7,19 +7,17 @@ requiredDataConnectors:
|
|||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
- AzureDevOpsAuditing
|
||||
severity: High
|
||||
severity: Medium
|
||||
queryFrequency: 6h
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Execution
|
||||
- Persistence
|
||||
- Impact
|
||||
- PrivilegeEscalation
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1527
|
||||
- T1003
|
||||
- T1496
|
||||
query: |
|
||||
|
||||
let starttime = 14d;
|
|
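Review bot: `relevantTechniques` at L240 lists `T1527`, which as far as I recall is a deprecated ATT&CK ID folded into `T1528` (Steal Application Access Token); the PAT misuse rule in this same commit already uses `T1528`, and the service connection rule (L386) carries the same `T1527`. Whether T1527 is context or newly added is not recoverable from the rendered view, but the new side of both files would be more consistent, and more likely to pass a technique validator, with `- T1528` in its place. `T1003` (OS Credential Dumping) is also a stretch for credentials pulled out of service connections; `T1552` (Unsecured Credentials) may describe it better, though that is a judgement call.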
@ -1,7 +1,8 @@
|
|||
id: ac891683-53c3-4f86-86b4-c361708e2b2b
|
||||
name: Azure DevOps Personal Access Token (PAT) misuse
|
||||
description: |
|
||||
'Description: This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require Allowlisting and baselining.
|
||||
'This Alert detects whenever a PAT is used in ways that PATs are not normally used. May require Allowlisting and baselining.
|
||||
Reference - https://docs.microsoft.com/azure/devops/organizations/accounts/use-personal-access-tokens-to-authenticate?view=azure-devops&tabs=preview-page
|
||||
Use this query for baselining:
|
||||
AzureDevOpsAuditing
|
||||
| distinct OperationName'
|
||||
|
@ -19,6 +20,7 @@ tactics:
|
|||
- Impact
|
||||
relevantTechniques:
|
||||
- T1528
|
||||
- T1496
|
||||
query: |
|
||||
|
||||
let timeframe = 3d;
|
|
@ -1,24 +1,24 @@
|
|||
id: d564ff12-8f53-41b8-8649-44f76b37b99f
|
||||
name: Azure DevOps Service Conection Abuse
|
||||
description: |
|
||||
'This detection flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
|
||||
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse or dump credentials from service connections.'
|
||||
'Flags builds/releases that use a large number of service connections if they aren't manually allowlisted.
|
||||
This is to determine if someone is hijacking a build/release and adding many service connections in order to abuse
|
||||
or dump credentials from service connections.'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
- AzureDevOpsAuditing
|
||||
severity: High
|
||||
severity: Medium
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 14d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- Execution
|
||||
- Persistence
|
||||
- Impact
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1527
|
||||
- T1003
|
||||
- T1496
|
||||
query: |
|
||||
|
||||
let timeframe = 14d;
|
|
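Review bot: The `name:` line at L317 still reads `Azure DevOps Service Conection Abuse` and sits as context directly above the description this hunk rewords; fixing the spelling to `name: Azure DevOps Service Connection Abuse` in the same change keeps the typo out of the rule's display name, which is what analysts see in incidents. The commit message does not say why the severity drops from High to Medium for a rule whose description is about hijacked builds dumping service connection credentials; a one-line rationale in the description or the commit would help the next reviewer.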
@ -1,23 +0,0 @@
|
|||
id: cf0c493b-a8af-4b32-8c7e-d4303f3a406f
|
||||
name: Azure DevOps Display Name Changes
|
||||
description: |
|
||||
'Description: Shows all users with more than 1 display name in recent history. This is to hunt for users maliciously changing their display name as a masquerading technique'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
- AzureDevOpsAuditing
|
||||
tactics:
|
||||
- Evasion
|
||||
- PrivilegeEscalation
|
||||
- Social
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1036
|
||||
query: |
|
||||
|
||||
let timeframe = 14d;
|
||||
AzureDevOpsAuditing
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
| where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != "Azure DevOps User"
|
||||
| summarize dcount(ActorDisplayName), make_set(ActorDisplayName) by ActorCUID
|
||||
| where dcount_ActorDisplayName > 1;
|
|
@ -0,0 +1,23 @@
|
|||
id: cf0c493b-a8af-4b32-8c7e-d4303f3a406f
|
||||
name: Azure DevOps Display Name Changes
|
||||
description: |
|
||||
'Shows all users with more than 1 display name in recent history. This is to hunt for users maliciously changing their display name as a masquerading technique'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
- AzureDevOpsAuditing
|
||||
tactics:
|
||||
- Persistence
|
||||
- DefenseEvasion
|
||||
relevantTechniques:
|
||||
- T1098
|
||||
- T1036
|
||||
query: |
|
||||
|
||||
let timeframe = 14d;
|
||||
AzureDevOpsAuditing
|
||||
| where TimeGenerated > ago(timeframe)
|
||||
| where ActorCUID != '00000000-0000-0000-0000-000000000000' and ActorDisplayName != "Azure DevOps User"
|
||||
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), make_set(IpAddress), make_set(ProjectName) by ActorCUID, ActorUPN
|
||||
| where DisplayNameCount > 1
|
||||
| extend timestamp = StartTime, AccountCustomEntity = ActorUPN
|
|
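Review bot: The summarize on L536 groups by `ActorCUID, ActorUPN`, so an actor whose UPN also changes in the window is split into two groups and each may fall under the `DisplayNameCount > 1` threshold, which is exactly the masquerading case the description targets; grouping by `ActorCUID` alone and collecting the UPNs keeps the count intact. Two lines change: `| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), DisplayNameCount = dcount(ActorDisplayName), ActorDisplayNames = make_set(ActorDisplayName), ActorUPNs = make_set(ActorUPN), IpAddresses = make_set(IpAddress), Projects = make_set(ProjectName) by ActorCUID` and `| extend timestamp = StartTime, AccountCustomEntity = tostring(ActorUPNs[0])`. Naming the `make_set(IpAddress)` and `make_set(ProjectName)` outputs also avoids the auto-generated `set_` column names the unnamed calls otherwise produce. Whether a UPN can change for a stable CUID in this log is an assumption to confirm against the data.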
@ -1,7 +1,7 @@
|
|||
id: df205daf-fcf3-4b95-a7fd-043b70f6c209
|
||||
name: Azure DevOps Pull Request Policy Bypassing
|
||||
description: |
|
||||
'Description: Looks for users bypassing Update Policies in repos'
|
||||
'Looks for users bypassing Update Policies in repos'
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureMonitor
|
||||
dataTypes:
|
||||
|
@ -12,6 +12,8 @@ relevantTechniques:
|
|||
- T1098
|
||||
query: |
|
||||
|
||||
let timeframe = 7d;
|
||||
AzureDevOpsAuditing
|
||||
| where
|
||||
OperationName == 'Git.RefUpdatePoliciesBypassed'
|
||||
| where TimeGenerated >= ago(timeframe)
|
||||
| where OperationName == 'Git.RefUpdatePoliciesBypassed'
|
||||
| extend timestamp = TimeGenerated, AccountCustomEntity = ActorUPN, IPCustomEntity = IpAddress
|