Forge
New repositoryImport repositoryNew issue
Your repositories Your dashboard Sign in

cloudflare/Azure-Sentinel

Public

mirrored fromhttps://github.com/cloudflare/Azure-Sentinel

Watch0Fork0Star0
CodeCommitsIssuesPull requestsActionsInsightsSecurity
ca6fcec7a8a8fbd3724107dc9de4af27eef17555

Branches

Tags

  • No tags available.
0Branches0Tags
Go to file
Add file
Code

Clone

HTTPS

Download ZIP

Azure-Sentinel/Detections/AuditLogs

Detections/AuditLogs/ApplicationRedirectURLUpdate.yaml

62lines · modepreview

RawDownload
Added new detections and hunting queries for the AAD Sec Ops Guide Removed URL localization from queries Repleaced incorrect 'scheduled' with 'Scheduled'9bcef98
3 years ago
id: a1080fc1-13d1-479b-8340-255f0290d96c
name: Application Redirect URL Update
description: |
  'Detects the redirect URL of an app being changed.
    Applications associated with URLs not controlled by the organization can pose a security risk.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-applications#application-configuration-changes'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
  - PrivilegeEscalation
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  AuditLogs
    | where Category =~ "ApplicationManagement"
    | where Result =~ "success"
    | where OperationName =~ 'Update Application'
    | mv-expand TargetResources
    | mv-expand TargetResources.modifiedProperties
    | where TargetResources_modifiedProperties.displayName =~ "AppAddress"
    | extend Key = tostring(TargetResources_modifiedProperties.displayName)
    | extend NewValue = TargetResources_modifiedProperties.newValue
    | extend OldValue = TargetResources_modifiedProperties.oldValue
    | where isnotempty(Key) and isnotempty(NewValue)
    | project-reorder Key, NewValue, OldValue
    | extend NewUrls = extract_all('"Address":([^,]*)', tostring(NewValue))
    | extend OldUrls = extract_all('"Address":([^,]*)', tostring(OldValue))
    | extend AddedUrls = set_difference(NewUrls, OldUrls)
    | where array_length(AddedUrls) > 0
    | extend UserAgent = iif(tostring(AdditionalDetails[0].key) == "User-Agent", tostring(AdditionalDetails[0].value), "")
    | extend AddingUser = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName), "")
    | extend AddingApp = iif(isnotempty(tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName)) , tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalName), "")
    | extend AddedBy = iif(isnotempty(AddingUser), AddingUser, AddingApp)
    | project-away AddingApp, AddingUser
    | extend AppDisplayName = tostring(TargetResources.displayName)
    | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
    | project-reorder TimeGenerated, AppDisplayName, AddedUrls, AddedBy, UserAgent, ipAddress
entityMappings:
  - entityType: URL
    fieldMappings:
      - identifier: Url
        columnName: AddedUrls
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AddedBy
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: ipAddress
version: 1.0.0
kind: Scheduled