Merge pull request #1991 from austinsonger/Azure-Rules

Azure rules
2024-11-07 01:45:21 +00:00 · 2021-09-04 08:43:00 +02:00 · 2021-09-04 08:43:00 +02:00 · 2d9e09ecc3
commit 2d9e09ecc3
parent 6780182c37 e7c5827776
5 changed files with 113 additions and 0 deletions
--- a/rules/cloud/azure/azure_application_deleted.yml
+++ b/rules/cloud/azure/azure_application_deleted.yml
@ -0,0 +1,23 @@
+title: Azure Application Deleted
+id: 410d2a41-1e6d-452f-85e5-abdd8257a823
+description: Identifies when a application is deleted in Azure.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/03
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+  service: azure.activitylogs
+detection:
+    selection:
+        properties.message:
+            - Delete application
+            - Hard Delete application
+    condition: selection
+level: medium
+tags:
+    - attack.defense_evasion
+falsepositives:
+ - Application being deleted may be performed by a system administrator. 
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Application deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
+++ b/rules/cloud/azure/azure_device_no_longer_managed_or_compliant.yml
@ -0,0 +1,21 @@
+title: Azure Device No Longer Managed or Compliant
+id: 542b9912-c01f-4e3f-89a8-014c48cdca7d
+description: Identifies when a device in azure is no longer managed or compliant
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/03
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+logsource:
+  service: azure.activitylogs
+detection:
+    selection:
+        properties.message: 
+            - Device no longer compliant
+            - Device no longer managed
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Administrator may have forgotten to review the device. 
--- a/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
+++ b/rules/cloud/azure/azure_device_or_configuration_modified_or_deleted.yml
@ -0,0 +1,25 @@
+title: Azure Device or Configuration Modified or Deleted
+id: 46530378-f9db-4af9-a9e5-889c177d3881
+description: Identifies when a device or device configuration in azure is modified or deleted.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/03
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#core-directory
+logsource:
+  service: azure.activitylogs
+detection:
+    selection:
+        properties.message: 
+            - Delete device
+            - Delete device configuration
+            - Update device
+            - Update device configuration
+    condition: selection
+level: medium
+tags:
+    - attack.impact
+falsepositives:
+ - Device or device configuration being modified or deleted may be performed by a system administrator. 
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Device or device configuration modified or deleted from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
+++ b/rules/cloud/azure/azure_owner_removed_from_application_or_service_principal.yml
@ -0,0 +1,23 @@
+title: Azure Owner Removed From Application or Service Principal
+id: 636e30d5-3736-42ea-96b1-e6e2f8429fd6
+description: Identifies when a owner is was removed from a application or service principal in Azure.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/03
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+  service: azure.activitylogs
+detection:
+    selection:
+        properties.message: 
+            - Remove owner from service principal
+            - Remove owner from application
+    condition: selection
+level: medium
+tags:
+    - attack.defense_evasion
+falsepositives:
+ - Owner being removed may be performed by a system administrator. 
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Owner removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.
--- a/rules/cloud/azure/azure_service_principal_removed.yml
+++ b/rules/cloud/azure/azure_service_principal_removed.yml
@ -0,0 +1,21 @@
+title: Azure Service Principal Removed
+id: 448fd1ea-2116-4c62-9cde-a92d120e0f08
+description: Identifies when a service principal was removed in Azure.
+author: Austin Songer @austinsonger
+status: experimental
+date: 2021/09/03
+references:
+    - https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities#application-proxy
+logsource:
+  service: azure.activitylogs
+detection:
+    selection:
+        properties.message: Remove service principal
+    condition: selection
+level: medium
+tags:
+    - attack.defense_evasion
+falsepositives:
+ - Service principal being removed may be performed by a system administrator. 
+ - Verify whether the user identity, user agent, and/or hostname should be making changes in your environment. 
+ - Service principal removed from unfamiliar users should be investigated. If known behavior is causing false positives, it can be exempted from the rule.