Update and rename NewKeyIdentifierAddedToOAuthApp.yaml to NewAppOrServicePrincipalCredential.yaml

Minor changes:
* cast extracted variables with tostring()
* expanded logic to include all three (3) event types for both Applications and Service Principals - with an added filter
Nick Carr 2020-11-30 22:42:31 -05:00 коммит произвёл GitHub
Родитель b742141cc2
Коммит d948763a88
1 изменённых файлов: 13 добавлений и 12 удалений


@ -1,9 +1,9 @@
id: 79566f41-df67-4e10-a703-c38a6213afd8
name: New access credential added to OAuth application
name: New access credential added to Application or Service Principal
description: |
'This will alert when an admin or app owner account adds a new credential to an OAuth Application.
'This will alert when an admin or app owner account adds a new credential to an Application or Service Principal.
If a threat actor obtains access to an account with sufficient privileges and adds the alternate authentication material triggering this event, the threat actor can now authenticate as the Application or Service Principal using this credential.
For further information on OAuth Client Credentials Grant see RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
Additional information on OAuth Credential Grants can be found in RFC 6749 Section 4.4 or https://docs.microsoft.com/azure/active-directory/develop/v2-oauth2-client-creds-grant-flow
For further information on AuditLogs please see https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities.'
severity: Medium
requiredDataConnectors:
@ -23,23 +23,24 @@ query: |
AuditLogs
| where TimeGenerated > ago(auditLookback)
| where OperationName has_any ("Add service principal", "Certificates and secrets management") // captures "Add service principal", "Add service principal credentials", and "Update application – Certificates and secrets management" events
| extend targetDisplayName = TargetResources[0].displayName
| extend targetId = TargetResources[0].id
| extend targetType = TargetResources[0].type
| extend targetDisplayName = tostring(TargetResources[0].displayName)
| extend targetId = tostring(TargetResources[0].id)
| extend targetType = tostring(TargetResources[0].type)
| extend keyEvents = TargetResources[0].modifiedProperties
| where keyEvents has "KeyIdentifier=" and keyEvents has "KeyUsage=Verify"
| where Result =~ "success"
| mv-expand keyEvents
| where keyEvents.displayName =~ "KeyDescription"
| parse keyEvents.newValue with * "KeyIdentifier=" keyIdentifier:string ",KeyType=" keyType:string ",KeyUsage=" keyUsage:string ",DisplayName=" keyDisplayName:string "]" *
| parse keyEvents.oldValue with * "KeyIdentifier=" keyIdentifierOld:string "," *
| parse keyEvents.oldValue with * "KeyIdentifier=" keyIdentifierOld:string ",KeyType" *
| where keyEvents.oldValue == "[]" or keyIdentifier != keyIdentifierOld
| where keyUsage == "Verify"
| extend UserAgent = iff(AdditionalDetails[0].key == "User-Agent",AdditionalDetails[0].value,"")
| extend InitiatingUser = iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName)
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress)
| extend UserAgent = iff(AdditionalDetails[0].key == "User-Agent",tostring(AdditionalDetails[0].value),"")
| extend InitiatingUser = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
| extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
//
// I've added the below filter for the less common OAuth application events; however, Azure Sentinel users can comment out the below line and include all Application and Service Principal events for their environment
| where targetType =~ "Application" // or targetType =~ "ServicePrincipal"
// The below line is currently commented out but Azure Sentinel users can modify this query to show only Application or only Service Principal events in their environment
//| where targetType =~ "Application" // or targetType =~ "ServicePrincipal"
| where InitiatingUser !in ("Managed Service Identity", "Device Registration Service")
| project-away keyEvents
| project-reorder TimeGenerated, OperationName, InitiatingUser, InitiatingIpAddress, UserAgent, targetDisplayName, targetId, targetType, keyDisplayName, keyType, keyUsage, keyIdentifier, CorrelationId, TenantId
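Review bot: The `parse keyEvents.newValue with * "KeyIdentifier=" keyIdentifier:string ...` line captures only the first credential entry in the serialized array, so the later `where keyEvents.oldValue == "[]" or keyIdentifier != keyIdentifierOld` compares the first key before and after the change rather than looking for a key that is new; if the added credential is not listed first, the alert is suppressed, and because the `where keyUsage == "Verify"` filter is also derived from that first entry, a non-first key of a different usage could hide the event entirely (I cannot confirm entry ordering from the log shape shown, so this should be checked against a real event). At minimum record the assumption on that line, e.g. `// NOTE: parse reads only the first key entry; relies on newly added keys being listed first - verify`, or extract every KeyIdentifier from newValue and keep those absent from oldValue. Separately, `UserAgent` is read only from `AdditionalDetails[0]`, so a User-Agent entry at any other index yields an empty string; filtering the array on key == "User-Agent" would be more robust. The new `InitiatingUser !in ("Managed Service Identity", "Device Registration Service")` exclusion keys on a display name rather than a stable identifier, which is fragile for an allowlist; if the initiating app's id is available under InitiatedBy.app, excluding on that is safer. The enclosing `query: |` block begins before this hunk.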