Created
September 22, 2020 22:36
-
-
Save pkhabazi/3c302c3124993536a3cb2166e10d2ac0 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Scheduled: | |
| - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | |
| displayname: Suspect Application Consent | |
| description: | | |
| This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. | |
| This could indicate that permissions to access the listed Azure App were provided to a malicious actor. | |
| Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. | |
| This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth | |
| For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities | |
| severity: High | |
| requiredDataConnectors: | |
| - connectorId: AzureActiveDirectory | |
| dataTypes: | |
| - AuditLogs | |
| queryFrequency: 2H | |
| queryPeriod: 7H | |
| triggerOperator: GreaterThan | |
| triggerThreshold: 3 | |
| tactics: | |
| - Persistence | |
| - LateralMovement | |
| - Collection | |
| playbookName: Playbook01 | |
| query: | | |
| AzureActivity | |
| | where TimeGenerated >= startofday(ago(7d)) | |
| | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" | |
| | where ActivityStatus == "Succeeded" | |
| | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller | |
| | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) | |
| | where Slope > 0.2 | |
| | join kind=leftsemi ( | |
| // Last day's activity is anomalous | |
| AzureActivity | |
| | where TimeGenerated >= startofday(ago(1d)) | |
| | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" | |
| | where ActivityStatus == "Succeeded" | |
| | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(1d)), now(), 1d) by Caller | |
| | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) | |
| | where Slope >0.2 | |
| ) on Caller | |
| - id: 83ba3057-9ea3-4759-bf6a-933f2e5bc7ee | |
| displayname: Suspect Application Consent 02 | |
| description: | | |
| This will alert when the "Consent to application" operation occurs by a user that has not done this operation before or rarely does this. | |
| This could indicate that permissions to access the listed Azure App were provided to a malicious actor. | |
| Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. | |
| This may help detect the Oauth2 attack that can be initiated by this publicly available tool - https://github.com/fireeye/PwnAuth | |
| For further information on AuditLogs please see https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/reference-audit-activities | |
| severity: High | |
| requiredDataConnectors: | |
| - connectorId: AzureActiveDirectory | |
| dataTypes: | |
| - AuditLogs | |
| queryFrequency: 2H | |
| queryPeriod: 7H | |
| triggerOperator: GreaterThan | |
| triggerThreshold: 3 | |
| tactics: | |
| - Persistence | |
| - LateralMovement | |
| - Collection | |
| playbookName: Playbook01 | |
| query: | | |
| AzureActivity | |
| | where TimeGenerated >= startofday(ago(7d)) | |
| | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" | |
| | where ActivityStatus == "Succeeded" | |
| | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(7d)), now(), 1d) by Caller | |
| | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) | |
| | where Slope > 0.2 | |
| | join kind=leftsemi ( | |
| // Last day's activity is anomalous | |
| AzureActivity | |
| | where TimeGenerated >= startofday(ago(1d)) | |
| | where OperationName == "Create or Update Virtual Machine" or OperationName == "Create Deployment" | |
| | where ActivityStatus == "Succeeded" | |
| | make-series dResourceCount=dcount(ResourceId) default=0 on EventSubmissionTimestamp in range(startofday(ago(1d)), now(), 1d) by Caller | |
| | extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dResourceCount) | |
| | where Slope >0.2 | |
| ) on Caller |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment