From 3ae03bf887cbba5e647c5c45428e454af8fec908 Mon Sep 17 00:00:00 2001 From: Gowthamaraj rajendran Date: Wed, 28 Jun 2023 15:57:43 -0700 Subject: [PATCH] update T1098.003/azure_ad_assign_privileged_role/azure-audit.log Update SPL due to Log syntax change --- ...re_ad_application_administrator_role_assigned.yml | 12 ++++++------ ...ed_authentication_administrator_role_assigned.yml | 12 ++++++------ .../cloud/azure_ad_privileged_role_assigned.yml | 10 +++++----- 3 files changed, 17 insertions(+), 17 deletions(-) diff --git a/detections/cloud/azure_ad_application_administrator_role_assigned.yml b/detections/cloud/azure_ad_application_administrator_role_assigned.yml index bc539356c0..c07620fdc2 100644 --- a/detections/cloud/azure_ad_application_administrator_role_assigned.yml +++ b/detections/cloud/azure_ad_application_administrator_role_assigned.yml @@ -12,8 +12,8 @@ description: The following analytic identifies the assignment of the Application been granted access to a resource, such as the ability to create or update User or other objects, then a user assigned to this role could perform those actions while impersonating the application. This ability to impersonate the applications identity may be an elevation of privilege over what the user can do via their role assignments. Red teams and adversaries alike may abuse this role to escalate their privileges in an Azure AD tenant. -search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" - | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Application Administrator\"" + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName 
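Review bot: The unchanged last line of this hunk, `| stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName`, still groups on `body.operationName`, while the new filter `"operationName"="Add member to role"` and `| rename properties.* as *` assume the field now arrives without the `body.` prefix. Splunk drops events that lack any `by` field from stats output, so under the new log shape the search returns nothing and the detection goes silent instead of erroring. Change that line to `| stats values(userPrincipalName) by _time, initiatedBy, result, operationName`. Consider also noting in the description that the analytic now matches only the un-wrapped field layout, since tenants still ingesting the older `body.*` form lose coverage without any warning.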
@@ -57,10 +57,10 @@ tags:
 - Splunk Cloud
 required_fields:
 - _time
- - body.properties.targetResources{}.userPrincipalName
- - body.properties.targetResources{}.type
- - body.properties.initiatedBy.user.userPrincipalName
- - body.properties.result
+ - properties.targetResources{}.userPrincipalName
+ - properties.targetResources{}.type
+ - properties.initiatedBy.user.userPrincipalName
+ - properties.result
 risk_score: 35
 security_domain: endpoint
 tests:
diff --git a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
index a970d1aae4..412cab40c2 100644
--- a/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
+++ b/detections/cloud/azure_ad_privileged_authentication_administrator_role_assigned.yml
@@ -10,8 +10,8 @@ description: The following analytic identifies the assignment of the Privileged methods for any user in Azure Active Directory, including privileged roles like Global Administrators. Users with this role can change credentials for people who may have access to sensitive or private information or critical configuration inside and outside of Azure Active Directory. Changing the credentials of a user may mean the ability to assume that users identity and permissions. Red teams and adversaries alike may abuse this role to escalate their privileges. -search: ' `azuread` "body.operationName"="Add member to role" "body.properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" - | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" "properties.targetResources{}.modifiedProperties{}.newValue"="\"Privileged Authentication Administrator\"" + | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName @@ -51,10 +51,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 50 security_domain: identity tests: diff --git a/detections/cloud/azure_ad_privileged_role_assigned.yml b/detections/cloud/azure_ad_privileged_role_assigned.yml index 587b9b1738..ce6fe17565 100644 --- a/detections/cloud/azure_ad_privileged_role_assigned.yml +++ b/detections/cloud/azure_ad_privileged_role_assigned.yml 
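Review bot: In the first hunk on this line (the Privileged Authentication Administrator search), the context line `| stats values(userPrincipalName) by _time, initiatedBy, result, body.operationName` still references `body.operationName` even though the rewritten filter and `| rename properties.* as *` now treat the event as unprefixed. Because stats excludes events missing a `by` field, this search will produce no results against the new log layout, which is a worse failure mode for an identity-escalation detection than a visible error. It should read `| stats values(userPrincipalName) by _time, initiatedBy, result, operationName`. The same stale reference exists in the sibling Application Administrator detection in this patch, so both should be fixed together.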
@@ -10,7 +10,7 @@ description: The following analytic identifies the assignment of sensitive and p may assign these roles to a compromised account to establish Persistence in an Azure AD environment. data_source: [] -search: ' `azuread` "body.operationName"="Add member to role" | rename body.properties.* as * +search: ' `azuread` "operationName"="Add member to role" | rename properties.* as * | rename targetResources{}.userPrincipalName as userPrincipalName | rename initiatedBy.user.userPrincipalName as initiatedBy | rename targetResources{}.modifiedProperties{}.newValue as roles @@ -58,10 +58,10 @@ tags: - Splunk Cloud required_fields: - _time - - body.properties.targetResources{}.userPrincipalName - - body.properties.targetResources{}.type - - body.properties.initiatedBy.user.userPrincipalName - - body.properties.result + - properties.targetResources{}.userPrincipalName + - properties.targetResources{}.type + - properties.initiatedBy.user.userPrincipalName + - properties.result risk_score: 63 security_domain: audit tests:
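Review bot: The search hunk for azure_ad_privileged_role_assigned ends at `| rename targetResources{}.modifiedProperties{}.newValue as roles`, so the rest of the SPL, including any `stats` or `table` clause, is outside this hunk. If it still ends in `by _time, initiatedBy, result, body.operationName` as the two sibling detections in this patch do, that field no longer exists after the new `"operationName"` filter and `| rename properties.* as *`, and the stats clause will drop every event. Please confirm the tail of the search and update it to `operationName` where needed. It would also help to note in the description that this analytic now assumes the un-wrapped field layout, so deployments still receiving `body.*`-prefixed events know why the detection stops firing.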