
Deployable detection rules

2,088 vendor-native detections · ready to paste into your SIEM · cross-linked to ATT&CK

Detections

Splunk ESCU SPL T1686.001 ↗
Allow Network Discovery In Firewall
The following analytic detects a suspicious modification to the firewall to allow network discovery on a machine. It leverages data from Endpoint Detection and Response (EDR) agents, focusing on command-line executions involving the 'netsh' command to enable network discovery. This activity is significant because it is commonly used by ransomware, such as REvil and RedDot, to discover and compromise additional machines on the network. If confirmed malicious, this could lead to widespread file encryption across multiple hosts, significantly amplifying the impact of the ransomware attack.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_netsh` Processes.process= "*firewall*" Processes.process= "*group=\"Network Discovery\"*"  Processes.process="*enable*" Processes.process="*Yes*"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `allow_network_discovery_in_firewall_filter`
Splunk ESCU SPL T1548 ↗
Allow Operation with Consent Admin
The following analytic detects a registry modification that allows the 'Consent Admin' to perform operations requiring elevation without user consent or credentials. It leverages data from the Endpoint.Registry data model, specifically monitoring changes to the 'ConsentPromptBehaviorAdmin' value within the Windows Policies System registry path. This activity is significant as it indicates a potential privilege escalation attempt, which could allow an attacker to execute high-privilege tasks without user approval. If confirmed malicious, this could lead to unauthorized administrative access and control over the compromised machine, posing a severe security risk.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
  WHERE (Registry.registry_path= "*\\Microsoft\\Windows\\CurrentVersion\\Policies\\System*" Registry.registry_value_name = ConsentPromptBehaviorAdmin Registry.registry_value_data = "0x00000000")
  BY Registry.action Registry.dest Registry.process_guid Registry.process_id
     Registry.registry_hive Registry.registry_path Registry.registry_key_name
     Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
     Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `allow_operation_with_consent_admin_filter`
Splunk ESCU SPL T1526 ↗
Amazon EKS Kubernetes Pod scan detection
The following analytic detects unauthenticated requests made against the Kubernetes Pods API, indicating potential unauthorized access attempts. It leverages the `aws_cloudwatchlogs_eks` data source, filtering for events where `user.username` is "system:anonymous", `verb` is "list", and `objectRef.resource` is "pods", with `requestURI` set to "/api/v1/pods". This activity is significant as it may signal attempts to access sensitive resources or execute unauthorized commands within the Kubernetes environment. If confirmed malicious, such access could lead to data compromise, unauthorized command execution, or lateral movement within the cluster.
Query:
`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" verb=list objectRef.resource=pods requestURI="/api/v1/pods"
  | rename source as cluster_name sourceIPs{} as src_ip
  | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(responseStatus.code) values(userAgent) values(verb) values(requestURI)
    BY src_ip cluster_name user.username
       user.groups{}
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `amazon_eks_kubernetes_pod_scan_detection_filter`
Splunk ESCU SPL T1526 ↗
Amazon EKS Kubernetes cluster scan detection
The following analytic detects unauthenticated requests to an Amazon EKS Kubernetes cluster, specifically identifying actions by the "system:anonymous" user. It leverages AWS CloudWatch Logs data, focusing on user agents and authentication details. This activity is significant as it may indicate unauthorized scanning or probing of the Kubernetes cluster, which could be a precursor to an attack. If confirmed malicious, this could lead to unauthorized access, data exfiltration, or disruption of services within the Kubernetes environment.
Query:
`aws_cloudwatchlogs_eks` "user.username"="system:anonymous" userAgent!="AWS Security Scanner"
  | rename sourceIPs{} as src_ip
  | stats count min(_time) as firstTime max(_time) as lastTime values(responseStatus.reason) values(source) as cluster_name values(responseStatus.code) values(userAgent) as http_user_agent values(verb) values(requestURI)
    BY src_ip user.username user.groups{}
  | `security_content_ctime(lastTime)`
  | `security_content_ctime(firstTime)`
  | `amazon_eks_kubernetes_cluster_scan_detection_filter`
Splunk ESCU SPL T1560.001 ↗
Anomalous usage of 7zip
The following analytic detects the execution of 7z.exe, a 7-Zip utility, spawned from rundll32.exe or dllhost.exe. This behavior is identified using Endpoint Detection and Response (EDR) telemetry, focusing on process names and parent processes. This activity is significant as it may indicate an adversary attempting to use 7-Zip for data exfiltration, often by renaming the executable to evade detection. If confirmed malicious, this could lead to unauthorized data archiving and exfiltration, compromising sensitive information and potentially leading to further system exploitation.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE (Processes.parent_process_name IN ("rundll32.exe", "dllhost.exe") Processes.process_name=*7z*) AND NOT Processes.process_path = "C:\\Program Files\\VMware\\VMware Tools\\7za.exe"
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name(Processes)`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `anomalous_usage_of_7zip_filter`
Splunk ESCU SPL T1003, T1036.005, T1595 ↗
Attacker Tools On Endpoint
The following analytic detects the execution of tools commonly used by cybercriminals, such as those for unauthorized access, network scanning, privilege escalation, password dumping, or data exfiltration. It leverages process activity data from Endpoint Detection and Response (EDR) agents, focusing on known attacker tool names. This activity is significant because it serves as an early warning of a potential security incident, enabling prompt response. If confirmed malicious, this activity could lead to unauthorized access, data theft, or further network compromise, posing a severe threat to the organization's security infrastructure.
Query:
| tstats `security_content_summariesonly`
  count min(_time) as firstTime
        max(_time) as lastTime
        values(Processes.process) as process
        values(Processes.parent_process) as parent_process
FROM datamodel=Endpoint.Processes WHERE [
    | inputlookup attacker_tools
    | rename attacker_tool_names AS Processes.process_name
    | fields Processes.process_name
]
AND Processes.dest!=unknown Processes.user!=unknown
BY Processes.action Processes.dest Processes.original_file_name
   Processes.parent_process Processes.parent_process_exec
   Processes.parent_process_guid Processes.parent_process_id
   Processes.parent_process_name Processes.parent_process_path
   Processes.process Processes.process_exec Processes.process_guid
   Processes.process_hash Processes.process_id Processes.process_integrity_level
   Processes.process_name Processes.process_path Processes.user
   Processes.user_id Processes.vendor_product
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `drop_dm_object_name(Processes)`
| lookup attacker_tools attacker_tool_names AS process_name OUTPUT description
| search description !=false
| `attacker_tools_on_endpoint_filter`
Splunk ESCU SPL T1553.004 ↗
Attempt To Add Certificate To Untrusted Store
The following analytic detects attempts to add a certificate to the untrusted certificate store using the 'certutil -addstore' command. It leverages process activity and command-line arguments from Endpoint Detection and Response (EDR) logs mapped to the Splunk `Processes` data model. This activity is significant as it may indicate an attacker trying to disable security tools to gain unauthorized access. If confirmed malicious, this could lead to the compromise of system security, allowing attackers to bypass defenses and potentially escalate privileges or persist in the environment.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime values(Processes.process) as process max(_time) as lastTime FROM datamodel=Endpoint.Processes
  WHERE `process_certutil` (Processes.process=*-addstore*)
  BY Processes.action Processes.dest Processes.original_file_name
     Processes.parent_process Processes.parent_process_exec Processes.parent_process_guid
     Processes.parent_process_id Processes.parent_process_name Processes.parent_process_path
     Processes.process Processes.process_exec Processes.process_guid
     Processes.process_hash Processes.process_id Processes.process_integrity_level
     Processes.process_name Processes.process_path Processes.user
     Processes.user_id Processes.vendor_product
| `drop_dm_object_name("Processes")`
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `attempt_to_add_certificate_to_untrusted_store_filter`
Splunk ESCU SPL T1552.002 ↗
Auto Admin Logon Registry Entry
The following analytic detects a suspicious registry modification that enables auto admin logon on a host. It leverages data from the Endpoint.Registry data model, specifically looking for changes to the "AutoAdminLogon" value within the "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon" registry path. This activity is significant because it was observed in BlackMatter ransomware attacks to maintain access after a safe mode reboot, facilitating further encryption. If confirmed malicious, this could allow attackers to automatically log in and continue their operations, potentially leading to widespread network encryption and data loss.
Query:
| tstats `security_content_summariesonly` count min(_time) as firstTime max(_time) as lastTime FROM datamodel=Endpoint.Registry
  WHERE (Registry.registry_path= "*SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon*" AND Registry.registry_value_name=AutoAdminLogon AND Registry.registry_value_data=1)
  BY Registry.action Registry.dest Registry.process_guid Registry.process_id
     Registry.registry_hive Registry.registry_path Registry.registry_key_name
     Registry.registry_value_data Registry.registry_value_name Registry.registry_value_type
     Registry.status Registry.user Registry.vendor_product
| `drop_dm_object_name(Registry)`
| where isnotnull(registry_value_data)
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `auto_admin_logon_registry_entry_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Admin Consent Bypassed by Service Principal
The following analytic identifies instances where a service principal in Azure Active Directory assigns app roles without standard admin consent. It uses Entra ID logs from the `azure_monitor_aad` data source, focusing on the "Add app role assignment to service principal" operation. This detection is significant as it highlights potential bypasses of critical administrative consent processes, which could lead to unauthorized privileges being granted. If confirmed malicious, this activity could allow attackers to exploit automation to assign sensitive permissions without proper oversight, potentially compromising the security of the Azure AD environment.
Query:
`azure_monitor_aad` (operationName="Add app role assignment to service principal" OR operationName="Add member to role*") src_user_type=servicePrincipal
  | rename properties.* as *
  | eval roleId = mvindex('targetResources{}.modifiedProperties{}.newValue',0)
  | eval roleValue = mvindex('targetResources{}.modifiedProperties{}.newValue',1)
  | eval roleDescription = mvindex('targetResources{}.modifiedProperties{}.newValue',2)
  | eval user_id = mvindex('targetResources{}.id', 0), user=coalesce(user,mvindex('targetResources{}.displayName',0))
  | rename initiatedBy.app.displayName as src_user, userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src vendor_account vendor_product
       src_user user_id roleId roleValue roleDescription
       user_agent signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_admin_consent_bypassed_by_service_principal_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Application Administrator Role Assigned
The following analytic identifies the assignment of the Application Administrator role to an Azure AD user. It leverages Azure Active Directory events, specifically monitoring the "Add member to role" operation. This activity is significant because users in this role can manage all aspects of enterprise applications, including credentials, which can be used to impersonate application identities. If confirmed malicious, an attacker could escalate privileges, manage application settings, and potentially access sensitive resources by impersonating application identities, posing a significant security risk to the Azure AD tenant.
Query:
`azure_monitor_aad`  operationName="Add member to role"  "properties.targetResources{}.modifiedProperties{}.newValue"="*Application Administrator*"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy, userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product initiatedBy
       user_agent signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_application_administrator_role_assigned_filter`
Azure AD Authentication Failed During MFA Challenge
The following analytic identifies failed authentication attempts against an Azure AD tenant during the Multi-Factor Authentication (MFA) challenge, specifically flagged by error code 500121. It leverages Azure AD SignInLogs to detect these events. This activity is significant as it may indicate an adversary attempting to authenticate using compromised credentials on an account with MFA enabled. If confirmed malicious, this could suggest an ongoing effort to bypass MFA protections, potentially leading to unauthorized access and further compromise of the affected account.
Query:
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=500121
  | rename properties.* as *, authenticationDetails{}.* as *
  | eval time=strptime(authenticationStepDateTime,"%Y-%m-%dT%H:%M:%S")
  | eval auth_detail=mvzip(strftime(time, "%Y-%m-%dT%H:%M:%S"),authenticationStepResultDetail," - "), auth_msg=mvappend('status.additionalDetails', authenticationStepResultDetail)
  | eval auth_method=mvmap(authenticationMethod, if(isnull(mvfind('mfaDetail.authMethod',authenticationMethod)), authenticationMethod, null()))
  | search NOT auth_msg="MFA successfully completed"
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src vendor_account vendor_product
       auth_method auth_msg user_agent signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_authentication_failed_during_mfa_challenge_filter`
Splunk ESCU SPL T1087.004, T1526 ↗
Azure AD AzureHound UserAgent Detected
This detection identifies the presence of the default AzureHound user-agent string within Microsoft Graph Activity logs and NonInteractive SignIn Logs. AzureHound is a tool used for gathering information about Azure Active Directory environments, often employed by security professionals for legitimate auditing purposes. However, it can also be leveraged by malicious actors to perform reconnaissance activities, mapping out the Azure AD infrastructure to identify potential vulnerabilities and targets for further exploitation. Detecting its usage can help in identifying unauthorized access attempts and preemptively mitigating potential security threats to your Azure environment.
Query:
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs, NonInteractiveUserSignInLogs) properties.userAgent=azurehound*
  | rename properties.userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       signature
  | iplocation src
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_azurehound_useragent_detected_filter`
Splunk ESCU SPL T1685 ↗
Azure AD Block User Consent For Risky Apps Disabled
The following analytic detects when the risk-based step-up consent security setting in Azure AD is disabled. It monitors Azure Active Directory logs for the "Update authorization policy" operation, specifically changes to the "AllowUserConsentForRiskyApps" setting. This activity is significant because disabling this feature can expose the organization to OAuth phishing threats by allowing users to grant consent to potentially malicious applications. If confirmed malicious, attackers could gain unauthorized access to user data and sensitive information, leading to data breaches and further compromise within the organization.
Query:
`azure_monitor_aad` operationName="Update authorization policy"
  | rename properties.* as *
  | eval index_number = if(mvfind('targetResources{}.modifiedProperties{}.displayName',"AllowUserConsentForRiskyApps") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName',"AllowUserConsentForRiskyApps"), -1)
  | search index_number >= 0
  | eval AllowUserConsentForRiskyApps = mvindex('targetResources{}.modifiedProperties{}.newValue',index_number)
  | search AllowUserConsentForRiskyApps = "[true]"
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src vendor_account vendor_product
       user_agent signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_block_user_consent_for_risky_apps_disabled_filter`
Splunk ESCU SPL T1185 ↗
Azure AD Concurrent Sessions From Different Ips
The following analytic detects an Azure AD account with concurrent sessions originating from multiple unique IP addresses within a 5-minute window. It leverages Azure Active Directory NonInteractiveUserSignInLogs to identify this behavior by analyzing successful authentication events and counting distinct source IPs. This activity is significant as it may indicate session hijacking, where an attacker uses stolen session cookies to access corporate resources from a different location. If confirmed malicious, this could lead to unauthorized access to sensitive information and potential data breaches.
Query:
`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs action=success
  | rename properties.* as *
  | bucket span=5m _time
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(src) as unique_ips values(dest) as dest values(src) as src values(user_agent) as user_agent
    BY user _time vendor_account
       vendor_product category
  | where unique_ips > 1
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_concurrent_sessions_from_different_ips_filter`
Splunk ESCU SPL T1528, T1566.002 ↗
Azure AD Device Code Authentication
The following analytic identifies Azure Device Code Phishing attacks, which can lead to Azure Account Take-Over (ATO). It leverages Azure AD SignInLogs to detect suspicious authentication requests using the device code authentication protocol. This activity is significant as it indicates potential bypassing of Multi-Factor Authentication (MFA) and Conditional Access Policies (CAPs) through phishing emails. If confirmed malicious, attackers could gain unauthorized access to Azure AD, Exchange mailboxes, and Outlook Web Application (OWA), leading to potential data breaches and unauthorized data access.
Query:
`azure_monitor_aad` category=SignInLogs "properties.authenticationProtocol"=deviceCode
  | rename properties.* as *
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       category
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_device_code_authentication_filter`
Splunk ESCU SPL T1136.003 ↗
Azure AD External Guest User Invited
The following analytic detects the invitation of an external guest user within Azure AD. It leverages Azure AD AuditLogs to identify events where an external user is invited, using fields such as operationName and initiatedBy. Monitoring these invitations is crucial as they can lead to unauthorized access if abused. If confirmed malicious, this activity could allow attackers to gain access to internal resources, potentially leading to data breaches or further exploitation of the environment.
Query:
`azure_monitor_aad` operationName="Invite external user"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename targetResources{}.type as type
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       initiatedBy type signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_external_guest_user_invited_filter`
Splunk ESCU SPL T1098.002, T1098.003 ↗
Azure AD FullAccessAsApp Permission Assigned
The following analytic detects the assignment of the 'full_access_as_app' permission to an application within Office 365 Exchange Online. This is identified by the GUID 'dc890d15-9560-4a4c-9b7f-a736ec74ec40' and the ResourceAppId '00000002-0000-0ff1-ce00-000000000000'. The detection leverages the azure_monitor_aad data source, focusing on AuditLogs with the operation name 'Update application'. This activity is significant as it grants broad control over Office 365 operations, including full access to all mailboxes and the ability to send emails as any user. If malicious, this could lead to unauthorized access and data exfiltration.
Query:
`azure_monitor_aad` category=AuditLogs operationName="Update application"
  | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0)
  | spath input=newvalue
  | search "{}.ResourceAppId"="00000002-0000-0ff1-ce00-000000000000" "{}.RequiredAppPermissions{}.EntitlementId"="dc890d15-9560-4a4c-9b7f-a736ec74ec40"
  | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
  | rename properties.userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src vendor_account vendor_product
       user_agent Permissions object signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_fullaccessasapp_permission_assigned_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Global Administrator Role Assigned
The following analytic detects the assignment of the Azure AD Global Administrator role to a user. It leverages Azure Active Directory AuditLogs to identify when the "Add member to role" operation includes the "Global Administrator" role. This activity is significant because the Global Administrator role grants extensive access to data, resources, and settings, similar to a Domain Administrator in traditional AD environments. If confirmed malicious, this could allow an attacker to establish persistence, escalate privileges, and potentially gain control over Azure resources, posing a severe security risk.
Query:
`azure_monitor_aad` operationName="Add member to role" properties.targetResources{}.modifiedProperties{}.newValue="*Global Administrator*"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       initiatedBy signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_global_administrator_role_assigned_filter`
Splunk ESCU SPL T1110.001 ↗
Azure AD High Number Of Failed Authentications For User
The following analytic identifies an Azure AD account experiencing more than 20 failed authentication attempts within a 10-minute window. This detection leverages Azure SignInLogs data, specifically monitoring for error code 50126 and unsuccessful authentication attempts. This behavior is significant as it may indicate a brute force attack targeting the account. If confirmed malicious, an attacker could potentially gain unauthorized access, leading to data breaches or further exploitation within the environment. Security teams should adjust the threshold based on their specific environment to reduce false positives.
Query:
`azure_monitor_aad`
category=SignInLogs
properties.status.errorCode=50126
properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| rename userAgent as user_agent
| bin span=10m _time
| fillnull value=null
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src values(user_agent) as user_agent
  BY user _time vendor_account vendor_product
| where count > 20
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_high_number_of_failed_authentications_for_user_filter`
Splunk ESCU SPL T1110.001, T1110.003 ↗
Azure AD High Number Of Failed Authentications From Ip
The following analytic detects an IP address with 20 or more failed authentication attempts to an Azure AD tenant within 10 minutes. It leverages Azure AD SignInLogs to identify repeated failed logins from the same IP. This behavior is significant as it may indicate a brute force attack aimed at gaining unauthorized access or escalating privileges. If confirmed malicious, the attacker could potentially compromise user accounts, leading to unauthorized access to sensitive information and resources within the Azure environment.
Query:
`azure_monitor_aad`
category=SignInLogs
properties.status.errorCode=50126
properties.authenticationDetails{}.succeeded=false
| rename properties.* as *
| rename userAgent as user_agent
| bin span=10m _time
| fillnull value=null
| stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user) as user values(user_agent) as user_agent
  BY src _time vendor_account vendor_product
| where count > 20
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_high_number_of_failed_authentications_from_ip_filter`
Splunk ESCU SPL T1556.006, T1586.003 ↗
Azure AD Multi-Factor Authentication Disabled
The following analytic detects attempts to disable multi-factor authentication (MFA) for an Azure AD user. It leverages Azure Active Directory AuditLogs to identify the "Disable Strong Authentication" operation. This activity is significant because disabling MFA can allow adversaries to maintain persistence using compromised accounts without raising suspicion. If confirmed malicious, this action could enable attackers to bypass an essential security control, potentially leading to unauthorized access and prolonged undetected presence in the environment.
Query:
`azure_monitor_aad` category=AuditLogs operationName="Disable Strong Authentication"
  | rename properties.* as *
  | rename targetResources{}.type as type
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       initiatedBy signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multi_factor_authentication_disabled_filter`
Azure AD Multi-Source Failed Authentications Spike
The following analytic detects potential distributed password spraying attacks in an Azure AD environment. It identifies a spike in failed authentication attempts across various user-and-IP combinations from multiple source IPs and countries, using different user agents. This detection leverages Azure AD SignInLogs, focusing on error code 50126 for failed authentications. This activity is significant as it indicates an adversary's attempt to bypass security controls by distributing login attempts. If confirmed malicious, this could lead to unauthorized access, data breaches, privilege escalation, and lateral movement within the organization's infrastructure.
Query:
`azure_monitor_aad` category=*SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
  | rename properties.* as *
  | bucket span=5m _time
  | eval uniqueIPUserCombo = src_ip . "-" . user
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(uniqueIPUserCombo) as uniqueIpUserCombinations, dc(user) as uniqueUsers, dc(src_ip) as uniqueIPs, dc(user_agent) as uniqueUserAgents, dc(location.countryOrRegion) as uniqueCountries values(location.countryOrRegion) as countries  values(action) as action values(dest) as dest values(user) as user values(src) as src values(vendor_account) as vendor_account values(vendor_product) as vendor_product values(user_agent) as user_agent
  | where uniqueIpUserCombinations > 20 AND uniqueUsers > 20 AND uniqueIPs > 20 AND uniqueUserAgents >= 1
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multi_source_failed_authentications_spike_filter`
Splunk ESCU SPL T1078 ↗
Azure AD Multiple AppIDs and UserAgents Authentication Spike
The following analytic detects unusual authentication activity in Azure AD, specifically when a single user account has over 8 authentication attempts using 3+ unique application IDs and 5+ unique user agents within a short period. It leverages Azure AD audit logs, focusing on authentication events and using statistical thresholds. This behavior is significant as it may indicate an adversary probing for MFA requirements. If confirmed malicious, it suggests a compromised account, potentially leading to further exploitation, lateral movement, and data exfiltration. Early detection is crucial to prevent substantial harm.
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" (properties.authenticationRequirement="multiFactorAuthentication" properties.status.additionalDetails="MFA required in Azure AD") OR (properties.authenticationRequirement=singleFactorAuthentication "properties.authenticationDetails{}.succeeded"=true)
  | bucket span=5m _time
  | rename properties.* as *
  | rename userAgent as user_agent
  | fillnull
  | stats count dc(appId) as unique_app_ids dc(user_agent) as unique_user_agents min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent
    BY user src vendor_account
       vendor_product signature
  | where count > 5 and unique_app_ids > 2 and unique_user_agents > 5
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_appids_and_useragents_authentication_spike_filter`
Splunk ESCU SPL T1621 ↗
Azure AD Multiple Denied MFA Requests For User
The following analytic detects an unusually high number of denied Multi-Factor Authentication (MFA) requests for a single user within a 10-minute window, specifically when more than nine MFA prompts are declined. It leverages Azure Active Directory (Azure AD) sign-in logs, focusing on "Sign-in activity" events with error code 500121 and additional details indicating "MFA denied; user declined the authentication." This behavior is significant as it may indicate a targeted attack or account compromise attempt, with the user actively declining unauthorized access. If confirmed malicious, it could lead to data exfiltration, lateral movement, or further malicious activities.
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity"
  | rename properties.* as *
  | search status.errorCode=500121 status.additionalDetails="MFA denied; user declined the authentication"
  | bucket span=10m _time
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(user_agent) as user_agent values(src) as src
    BY user status.additionalDetails vendor_account
       vendor_product signature _time
  | where count > 9
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_denied_mfa_requests_for_user_filter`
Azure AD Multiple Failed MFA Requests For User
The following analytic identifies multiple failed multi-factor authentication (MFA) requests for a single user within an Azure AD tenant. It leverages Azure AD Sign-in Logs, specifically error code 500121, to detect more than 10 failed MFA attempts within 10 minutes. This behavior is significant as it may indicate an adversary attempting to bypass MFA by bombarding the user with repeated authentication prompts. If confirmed malicious, this activity could lead to unauthorized access, allowing attackers to compromise user accounts and potentially escalate their privileges within the environment.
`azure_monitor_aad` category=SignInLogs operationName="Sign-in activity" properties.status.errorCode=500121 properties.status.additionalDetails!="MFA denied; user declined the authentication"
  | rename properties.* as *
  | bucket span=10m _time
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime values(dest) as dest values(src) as src
    BY user, status.additionalDetails, appDisplayName,
       user_agent, vendor_account, vendor_product,
       signature
  | where count > 10
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_failed_mfa_requests_for_user_filter`
Splunk ESCU SPL T1136.003 ↗
Azure AD Multiple Service Principals Created by SP
The following analytic detects when a single service principal in Azure AD creates more than three unique OAuth applications within a 10-minute span. It leverages Azure AD audit logs, specifically monitoring the 'Add service principal' operation initiated by service principals. This behavior is significant as it may indicate an attacker using a compromised or malicious service principal to rapidly establish multiple service principals, potentially staging an attack. If confirmed malicious, this activity could facilitate network infiltration or expansion, allowing the attacker to gain unauthorized access and persist within the environment.
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.app.appId=*
  | rename properties.* as *
  | bucket span=10m _time
  | rename targetResources{}.displayName as displayName
  | rename targetResources{}.type as type
  | rename initiatedBy.app.displayName as src_user
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(displayName) as unique_apps values(displayName) as displayName values(dest) as dest values(src) as src values(user) as user values(user_agent) as user_agent
    BY src_user vendor_account vendor_product
       signature
  | where unique_apps > 3
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_service_principals_created_by_sp_filter`
Splunk ESCU SPL T1136.003 ↗
Azure AD Multiple Service Principals Created by User
The following analytic identifies instances where a single user creates more than three unique OAuth applications within a 10-minute timeframe in Azure AD. It detects this activity by monitoring the 'Add service principal' operation and aggregating data in 10-minute intervals. This behavior is significant as it may indicate an adversary rapidly creating multiple service principals to stage an attack or expand their foothold within the network. If confirmed malicious, this activity could allow attackers to establish persistence, escalate privileges, or access sensitive information within the Azure environment.
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
  | rename properties.* as *
  | bucket span=10m _time
  | rename targetResources{}.displayName as displayName
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(displayName) as unique_apps values(displayName) as displayName values(dest) as dest values(src) as src values(user) as user values(user_agent) as user_agent
    BY src_user vendor_account vendor_product
       signature
  | where unique_apps > 3
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_service_principals_created_by_user_filter`
Azure AD Multiple Users Failing To Authenticate From Ip
The following analytic detects a single source IP failing to authenticate with 30 unique valid users within 5 minutes in Azure Active Directory. It leverages Azure AD SignInLogs with error code 50126, indicating invalid passwords. This behavior is significant as it may indicate a Password Spraying attack, where an adversary attempts to gain initial access or elevate privileges by trying common passwords across many accounts. If confirmed malicious, this activity could lead to unauthorized access, data breaches, or privilege escalation within the Azure AD environment.
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
  | rename properties.* as *
  | bucket span=5m _time
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(user) as unique_user values(dest) as dest values(user) as user values(user_agent) as user_agent values(vendor_account) as vendor_account values(vendor_product) as vendor_product
    BY src signature
  | where unique_user > 30
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_multiple_users_failing_to_authenticate_from_ip_filter`
Splunk ESCU SPL T1484.002 ↗
Azure AD New Custom Domain Added
The following analytic detects the addition of a new custom domain within an Azure Active Directory (AD) tenant. It leverages Azure AD AuditLogs to identify successful "Add unverified domain" operations. This activity is significant as it may indicate an adversary attempting to establish persistence by setting up identity federation backdoors, allowing them to impersonate users and bypass authentication mechanisms. If confirmed malicious, this could enable attackers to gain unauthorized access, escalate privileges, and maintain long-term access to the Azure AD environment, posing a severe security risk.
`azure_monitor_aad` operationName="Add unverified domain" properties.result=success
  | rename properties.* as *
  | rename targetResources{}.displayName as domain
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       domain signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_new_custom_domain_added_filter`
Splunk ESCU SPL T1484.002 ↗
Azure AD New Federated Domain Added
The following analytic detects the addition of a new federated domain within an Azure Active Directory tenant. It leverages Azure AD AuditLogs to identify successful "Set domain authentication" operations. This activity is significant as it may indicate the use of the Azure AD identity federation backdoor technique, allowing an adversary to establish persistence. If confirmed malicious, the attacker could impersonate any user, bypassing password and MFA requirements, potentially leading to unauthorized access and control over the Azure AD environment.
`azure_monitor_aad` operationName="Set domain authentication" "properties.result"=success
  | rename properties.* as *
  | rename targetResources{}.displayName as domain
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       domain signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_new_federated_domain_added_filter`
Splunk ESCU SPL T1098.005 ↗
Azure AD New MFA Method Registered
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for a user account in Azure Active Directory. It leverages Azure AD audit logs to identify changes in MFA configurations. This activity is significant because adding a new MFA method can indicate an attacker's attempt to maintain persistence on a compromised account. If confirmed malicious, the attacker could bypass existing security measures, solidify their access, and potentially escalate privileges, access sensitive data, or make unauthorized changes. Immediate verification and remediation are required to secure the affected account.
`azure_monitor_aad` operationName="Update user"
  | rename properties.* as *
  | eval propertyName = mvindex('targetResources{}.modifiedProperties{}.displayName',0)
  | search propertyName = StrongAuthenticationMethod
  | eval oldvalue = mvindex('targetResources{}.modifiedProperties{}.oldValue',0)
  | eval newvalue = mvindex('targetResources{}.modifiedProperties{}.newValue',0)
  | rex field=newvalue max_match=0 "(?i)(?<new_method_type>\"MethodType\")"
  | rex field=oldvalue max_match=0 "(?i)(?<old_method_type>\"MethodType\")"
  | eval count_new_method_type = coalesce(mvcount(new_method_type), 0)
  | eval count_old_method_type = coalesce(mvcount(old_method_type), 0)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product newvalue
       oldvalue signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_new_mfa_method_registered_filter`
Splunk ESCU SPL T1556.006 ↗
Azure AD New MFA Method Registered For User
The following analytic detects the registration of a new Multi-Factor Authentication (MFA) method for an Azure AD account. It leverages Azure AD AuditLogs to identify when a user registers new security information. This activity is significant because adversaries who gain unauthorized access to an account may add their own MFA method to maintain persistence. If confirmed malicious, this could allow attackers to bypass existing security controls, maintain long-term access, and potentially escalate their privileges within the environment.
`azure_monitor_aad` category=AuditLogs operationName="User registered security info" properties.operationType=Add
  | rename properties.* as *
  | rename targetResources{}.* as *
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY action dest user
       src vendor_account vendor_product
       user_agent result resultDescription
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_new_mfa_method_registered_for_user_filter`
Splunk ESCU SPL T1528 ↗
Azure AD OAuth Application Consent Granted By User
The following analytic detects when a user in an Azure AD environment grants consent to an OAuth application. It leverages Azure AD audit logs to identify events where users approve application consents. This activity is significant as it can expose organizational data to third-party applications, a common tactic used by malicious actors to gain unauthorized access. If confirmed malicious, this could lead to unauthorized access to sensitive information and resources. Immediate investigation is required to validate the application's legitimacy, review permissions, and mitigate potential risks.
`azure_monitor_aad` operationName="Consent to application" properties.result=success
  | rename properties.* as *
  | eval permissions_index = if(mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions") >= 0, mvfind('targetResources{}.modifiedProperties{}.displayName', "ConsentAction.Permissions"), -1)
  | eval permissions = mvindex('targetResources{}.modifiedProperties{}.newValue',permissions_index)
  | rex field=permissions "Scope: (?<Scope>[^,]+)"
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product Scope
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_oauth_application_consent_granted_by_user_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD PIM Role Assigned
The following analytic detects the assignment of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user is added as an eligible member to a PIM role. This activity is significant because PIM roles grant elevated privileges, and their assignment should be closely monitored to prevent unauthorized access. If confirmed malicious, an attacker could exploit this to gain privileged access, potentially leading to unauthorized actions, data breaches, or further compromise of the environment.
`azure_monitor_aad` operationName="Add eligible member to role in PIM completed*"
  | rename properties.* as *
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src_user
       vendor_account vendor_product signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_pim_role_assigned_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD PIM Role Assignment Activated
The following analytic detects the activation of an Azure AD Privileged Identity Management (PIM) role. It leverages Azure Active Directory events to identify when a user activates a PIM role assignment, indicated by the "Add member to role completed (PIM activation)" operation. Monitoring this activity is crucial as PIM roles grant elevated privileges, and unauthorized activation could indicate an adversary attempting to gain privileged access. If confirmed malicious, this could lead to unauthorized administrative actions, data breaches, or further compromise of the Azure environment.
`azure_monitor_aad` operationName="Add member to role completed (PIM activation)"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product initiatedBy
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_pim_role_assignment_activated_filter`
Splunk ESCU SPL T1003.002 ↗
Azure AD Privileged Authentication Administrator Role Assigned
The following analytic detects the assignment of the Privileged Authentication Administrator role to an Azure AD user. It leverages Azure Active Directory audit logs to identify when this specific role is assigned. This activity is significant because users in this role can set or reset authentication methods for any user, including those in privileged roles like Global Administrators. If confirmed malicious, an attacker could change credentials and assume the identity and permissions of high-privilege users, potentially leading to unauthorized access to sensitive information and critical configurations.
`azure_monitor_aad` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\""
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product initiatedBy
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_privileged_authentication_administrator_role_assigned_filter`
Splunk ESCU SPL T1003.002 ↗
Azure AD Privileged Graph API Permission Assigned
The following analytic detects the assignment of high-risk Graph API permissions in Azure AD, specifically Application.ReadWrite.All, AppRoleAssignment.ReadWrite.All, and RoleManagement.ReadWrite.Directory. It uses azure_monitor_aad data to scan AuditLogs for 'Update application' operations, identifying when these permissions are assigned. This activity is significant as it grants broad control over Azure AD, including application and directory settings. If confirmed malicious, it could lead to unauthorized modifications and potential security breaches, compromising the integrity and security of the Azure AD environment. Immediate investigation is required.
`azure_monitor_aad` category=AuditLogs operationName="Update application"
  | eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0)
  | spath input=newvalue
  | search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
  | eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product Permissions
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_privileged_graph_api_permission_assigned_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Privileged Role Assigned
The following analytic detects the assignment of privileged Azure Active Directory roles to a user. It leverages Azure AD audit logs, specifically monitoring the "Add member to role" operation. This activity is significant as adversaries may assign privileged roles to compromised accounts to maintain persistence within the Azure AD environment. If confirmed malicious, this could allow attackers to escalate privileges, access sensitive information, and maintain long-term control over the Azure AD infrastructure.
`azure_monitor_aad` "operationName"="Add member to role"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename targetResources{}.modifiedProperties{}.newValue as roles
  | eval role=mvindex(roles,1)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product initiatedBy
       result role signature
  | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description
  | search isprvilegedadrole = True
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_privileged_role_assigned_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Privileged Role Assigned to Service Principal
The following analytic detects the assignment of privileged roles to service principals in Azure Active Directory (AD). It leverages the AuditLogs log category from ingested Azure AD events. This activity is significant because assigning elevated permissions to non-human entities can lead to unauthorized access or malicious activities. If confirmed malicious, attackers could exploit these service principals to gain elevated access to Azure resources, potentially compromising sensitive data and critical infrastructure. Monitoring this behavior helps prevent privilege escalation and ensures the security of Azure environments.
`azure_monitor_aad` operationName="Add member to role"
  | rename properties.* as *
  | search "targetResources{}.type"=ServicePrincipal
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename targetResources{}.modifiedProperties{}.newValue as roles
  | eval role=mvindex(roles,1)
  | rename targetResources{}.displayName as apps
  | eval displayName=mvindex(apps,0)
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product displayName
       initiatedBy result role
       signature
  | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description
  | search isprvilegedadrole = True
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_privileged_role_assigned_to_service_principal_filter`
Splunk ESCU SPL T1078.004 ↗
Azure AD Service Principal Authentication
The following analytic identifies authentication events of service principals in Azure Active Directory. It leverages the `azure_monitor_aad` data source, specifically targeting "Sign-in activity" within ServicePrincipalSignInLogs. This detection gathers details such as sign-in frequency, timing, source IPs, and accessed resources. Monitoring these events is significant for SOC teams to distinguish between normal application authentication and potential anomalies, which could indicate compromised credentials or malicious activities. If confirmed malicious, attackers could gain unauthorized access to resources, leading to data breaches or further exploitation within the environment.
`azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
  | rename properties.* as *
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product resourceDisplayName
       resourceId signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_authentication_filter`
Splunk ESCU SPL T1136.003 ↗
Azure AD Service Principal Created
The following analytic detects the creation of a Service Principal in an Azure AD environment. It leverages Azure Active Directory events ingested through EventHub, specifically monitoring the "Add service principal" operation. This activity is significant because Service Principals can be used by adversaries to establish persistence and bypass multi-factor authentication and conditional access policies. If confirmed malicious, this could allow attackers to maintain single-factor access to the Azure AD environment, potentially leading to unauthorized access to resources and prolonged undetected activity.
`azure_monitor_aad` operationName="Add service principal" properties.initiatedBy.user.id=*
  | rename properties.* as *
  | rename targetResources{}.displayName as displayName
  | rename targetResources{}.type as type
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product displayName
       result signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_created_filter`
Splunk ESCU SPL T1087.004, T1526 ↗
Azure AD Service Principal Enumeration
This detection leverages Azure Graph activity logs to identify when Graph APIs have been used to look up 10 or more service principals. This type of behaviour is associated with Azure enumeration tools such as AzureHound or ROADtools.
`azure_monitor_aad` category IN (MicrosoftGraphActivityLogs) TERM(servicePrincipals)
  | fillnull
  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/beta\/servicePrincipals\/(?P<servicePrincipalb>.*?)\/"
  | rex field="properties.requestUri" "https\:\/\/graph.microsoft.com\/v1.0\/servicePrincipals\/(?P<servicePrincipalv1>.*?)\/"
  | eval spn=coalesce(servicePrincipalb,servicePrincipalv1)
  | fillnull
  | stats count min(_time) as _time dc(spn) as spn_count values(user_id) as user_id
    BY dest user src
       vendor_account vendor_product signature
  | where spn_count>9
  | `azure_ad_service_principal_enumeration_filter`
Splunk ESCU SPL T1098.001 ↗
Azure AD Service Principal New Client Credentials
The following analytic detects the addition of new credentials to Service Principals and Applications in Azure AD. It leverages Azure AD AuditLogs, specifically monitoring the "Update application*Certificates and secrets management" operation. This activity is significant as it may indicate an adversary attempting to maintain persistent access or escalate privileges within the Azure environment. If confirmed malicious, attackers could use these new credentials to log in as the service principal, potentially compromising sensitive accounts and resources, leading to unauthorized access and control over the Azure environment.
`azure_monitor_aad` category=AuditLogs operationName="Update application*Certificates and secrets management "
  | rename properties.* as *
  | rename targetResources{}.* as *
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product modifiedProperties{}.newValue
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_new_client_credentials_filter`
Splunk ESCU SPL T1098 ↗
Azure AD Service Principal Owner Added
The following analytic detects the addition of a new owner to a Service Principal within an Azure AD tenant. It leverages Azure Active Directory events from the AuditLog log category to identify this activity. This behavior is significant because Service Principals do not support multi-factor authentication or conditional access policies, making them a target for adversaries seeking persistence or privilege escalation. If confirmed malicious, this activity could allow attackers to maintain access to the Azure AD environment with single-factor authentication, potentially leading to unauthorized access and control over critical resources.
`azure_monitor_aad` operationName="Add owner to application"
  | rename properties.* as *
  | rename initiatedBy.user.userPrincipalName as initiatedBy
  | rename targetResources{}.userPrincipalName as newOwner
  | rename targetResources{}.modifiedProperties{}.newValue as displayName
  | eval displayName = mvindex(displayName,1)
  | where initiatedBy!=newOwner
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product initiatedBy
       result newOwner displayName
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_owner_added_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Service Principal Privilege Escalation
This detection identifies when an Azure Service Principal elevates its privileges by adding itself to a new app role assignment.
`azure_monitor_aad` category=AuditLogs operationName="Add app role assignment to service principal" properties.initiatedBy.app.displayName=* properties.result=Success
  | spath path=properties{}.targetResources{}.modifiedProperties{} output=targetResources
  | rename properties.* as *
  | eval user="NA"
  | eval src="NA"
  | stats min(_time) as firstTime max(_time) as lastTime values(eval(mvfilter(match(targetResources, "AppRole.Value")))) as appRole, values(eval(mvfilter(match(targetResources, "ServicePrincipal.DisplayName")))) as targetServicePrincipal values(eval(mvindex('properties.targetResources{}.displayName',0))) as targetAppContext values(user_agent) as user_agent values(identity) as servicePrincipal values(properties.initiatedBy.app.servicePrincipalId) as servicePrincipalId
    BY dest user src
       vendor_account vendor_product signature
  | spath input=appRole path=newValue output=appRole
  | spath input=targetServicePrincipal path=newValue output=targetServicePrincipal
  | eval appRole=trim(replace(appRole, "\"", "")), targetServicePrincipal=trim(replace(targetServicePrincipal, "\"", ""))
  | where servicePrincipal=targetServicePrincipal
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_service_principal_privilege_escalation_filter`
Splunk ESCU SPL T1110.001, T1110.003 ↗
Azure AD Successful Authentication From Different Ips
The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.
`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
  | rename properties.* as *
  | bucket span=30m _time
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime dc(src) AS unique_ips values(dest) as dest values(src) as src
    BY user vendor_account vendor_product
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | where unique_ips > 1
  | `azure_ad_successful_authentication_from_different_ips_filter`
Splunk ESCU SPL T1078.004, T1586.003 ↗
Azure AD Successful PowerShell Authentication
The following analytic identifies a successful authentication event against an Azure AD tenant using PowerShell cmdlets. This detection leverages Azure AD SignInLogs to identify successful logins where the appDisplayName is "Microsoft Azure PowerShell." This activity is significant because it is uncommon for regular, non-administrative users to authenticate using PowerShell, and it may indicate enumeration and discovery techniques by an attacker. If confirmed malicious, this activity could allow attackers to perform extensive reconnaissance, potentially leading to privilege escalation or further exploitation within the Azure environment.
`azure_monitor_aad` category=SignInLogs properties.authenticationDetails{}.succeeded=true properties.appDisplayName="Microsoft Azure PowerShell"
  | rename properties.* as *
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_successful_powershell_authentication_filter`
Splunk ESCU SPL T1078.004, T1586.003 ↗
Azure AD Successful Single-Factor Authentication
The following analytic identifies a successful single-factor authentication event against Azure Active Directory. It leverages Azure SignInLogs data, specifically focusing on events where single-factor authentication succeeded. This activity is significant as it may indicate a misconfiguration, policy violation, or potential account takeover attempt. If confirmed malicious, an attacker could gain unauthorized access to the account, potentially leading to data breaches, privilege escalation, or further exploitation within the environment.
Show query
`azure_monitor_aad` category=SignInLogs properties.authenticationRequirement=singleFactorAuthentication properties.authenticationDetails{}.succeeded=true
  | rename properties.* as *
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product user_agent
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_successful_single_factor_authentication_filter`
Splunk ESCU SPL T1098.003 ↗
Azure AD Tenant Wide Admin Consent Granted
The following analytic identifies instances where admin consent is granted to an application within an Azure AD tenant. It leverages Azure AD audit logs, specifically events related to the admin consent action within the ApplicationManagement category. This activity is significant because admin consent allows applications to access data across the entire tenant, potentially exposing vast amounts of organizational data. If confirmed malicious, an attacker could gain extensive and persistent access to sensitive data, leading to data exfiltration, espionage, further malicious activities, and potential compliance violations.
Show query
`azure_monitor_aad` operationName="Consent to application"
  | eval new_field=mvindex('properties.targetResources{}.modifiedProperties{}.newValue',4)
  | rename properties.* as *
  | rex field=new_field "ConsentType:(?<ConsentType> [^\,]+)"
  | rex field=new_field "Scope:(?<Scope> [^\,]+)"
  | search ConsentType = "*AllPrincipals*"
  | rename userAgent as user_agent
  | fillnull
  | stats count min(_time) as firstTime max(_time) as lastTime
    BY dest user src
       vendor_account vendor_product ConsentType Scope
       signature
  | `security_content_ctime(firstTime)`
  | `security_content_ctime(lastTime)`
  | `azure_ad_tenant_wide_admin_consent_granted_filter`
Azure AD Unusual Number of Failed Authentications From Ip
The following analytic identifies a single source IP failing to authenticate with multiple valid users, potentially indicating a Password Spraying attack against an Azure Active Directory tenant. It uses Azure SignInLogs data and calculates the standard deviation for source IPs, applying the 3-sigma rule to detect unusual numbers of failed authentication attempts. This activity is significant as it may signal an adversary attempting to gain initial access or elevate privileges. If confirmed malicious, this could lead to unauthorized access, privilege escalation, and potential compromise of sensitive information.
Show query
`azure_monitor_aad` category=SignInLogs properties.status.errorCode=50126 properties.authenticationDetails{}.succeeded=false
  | rename properties.* as *
  | bucket span=5m _time
  | stats dc(userPrincipalName) AS unique_accounts values(userPrincipalName) as userPrincipalName values(dest) as dest values(user) as user
    BY _time, src, vendor_account,
       vendor_product
  | eventstats avg(unique_accounts) as ip_avg, stdev(unique_accounts) as ip_std
    BY src
  | eval upperBound=(ip_avg+ip_std*3)
  | eval isOutlier=if(unique_accounts > 10 and unique_accounts >= upperBound, 1,0)
  | where isOutlier = 1
  | `azure_ad_unusual_number_of_failed_authentications_from_ip_filter`