id: 86a036b2-3686-42eb-b417-909fc0867771
name: Azure Active Directory Hybrid Health AD FS Service Delete
description: |
'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can register a new Azure AD Hybrid Health AD FS service together with a fake server in order to spoof AD FS signing logs.
The Hybrid Health AD FS service can then be deleted, once it is no longer needed, via HTTP requests to Azure.
More information is available in this blog post: https://o365blog.com/post/hybridhealthagent/'
severity: Medium
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
- DefenseEvasion
relevantTechniques:
- T1578.003
tags:
- SimuLand
query: |
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled