Detections/SigninLogs/AzureAADPowerShellAnomaly.yaml
# Microsoft Sentinel scheduled analytics rule.
# Flags successful sign-ins made with the Azure Active Directory PowerShell
# client application to resources other than the directory itself.
id: 50574fac-f8d1-4395-81c7-78a463ff0c52
name: Azure Active Directory PowerShell accessing non-AAD resources
description: |
  'This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
  For capabilities and expected behavior of the Azure Active Directory PowerShell module, see: https://docs.microsoft.com/powershell/module/azuread/?view=azureadps-2.0.
  For further information on Azure Active Directory Signin activity reports, see: https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins.'
# Low severity: the description notes this access "may be" undesired, so a hit
# is a triage lead rather than a confirmed compromise.
severity: Low
# Both the interactive (SigninLogs) and the non-interactive sign-in table are
# required; the query below runs the same logic over each and unions them.
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
# Runs every hour over the preceding hour.
# NOTE(review): period equals frequency, so there is no overlap between runs;
# events that land in the workspace after their hour has already been queried
# would not be seen — confirm against the workspace's typical ingestion delay.
queryFrequency: 1h
queryPeriod: 1h
# Any row returned by the query raises an alert.
triggerOperator: gt
triggerThreshold: 0
# MITRE ATT&CK coverage: Initial Access via Valid Accounts (T1078).
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
# Campaign tags carried over from the original detection.
tags:
  - Solorigate
  - NOBELIUM
# Query notes (the block scalar below is passed to KQL verbatim):
#  - AppId pins the client to the Azure Active Directory PowerShell application
#    (see the inline // comment in the query).
#  - ResourceIdentity excludes the directory service itself (Windows Azure
#    Active Directory) and Microsoft Graph, so only token use against other
#    resources remains.
#  - Status is converted with todynamic so the same filter works on both
#    tables; errorCode == 0 keeps successful sign-ins only — failed attempts
#    do not alert.
#  - union isfuzzy=true lets the rule run even if one of the two tables is
#    absent from the workspace.
#  - Type (the source table name) is projected so an analyst can tell which
#    table a row came from; IPAddress and UserAgent are surfaced for triage.
#  - The trailing extend defines the columns used by entityMappings below.
query: |
  let aadFunc = (tableName:string){
  table(tableName)
  | where AppId =~ "1b730954-1685-4b74-9bfd-dac224a7b894" // AppDisplayName IS Azure Active Directory PowerShell
  | where TokenIssuerType =~ "AzureAD"
  | where ResourceIdentity !in ("00000002-0000-0000-c000-000000000000", "00000003-0000-0000-c000-000000000000") // ResourceDisplayName IS NOT Windows Azure Active Directory OR Microsoft Graph
  | extend Status = todynamic(Status)
  | where Status.errorCode == 0 // Success
  | project-reorder IPAddress, UserAgent, ResourceDisplayName, UserDisplayName, UserId, UserPrincipalName, Type
  | order by TimeGenerated desc
  // New entity mapping
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
# Alert entities: the account (UserPrincipalName) and the source IP, read from
# the AccountCustomEntity / IPCustomEntity columns the query extends above.
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled