
Nterl0k [T1098] - O365 Azure Workload things

Open nterl0k opened this issue 10 months ago • 0 comments

Details

This PR includes a number of detections written for the O365 Azure Active Directory workload from the universal audit log (o365 management activity). A few of the detections are 1:1 duplicates of existing ESCU content or expand coverage, only adapted for a slightly easier to access data source. Other detections are focused on monitoring sensitive changes to a number of Azure external access settings.

These detections also extract either the User Principal or Service Principal from the Actor field. Recommend profiling your Azure environments to populate this data into Assets and Identities.

This PR also includes a number of changes to the "lookups/privileged_azure_ad_roles" lookup and lookup definition, mainly for the purpose of including more known privileged Azure groups relevant in 2024; none of the previous groups were removed.

An additional column has been added to also include the "Template ID" for all groups, which is an immutable GUID used by MS. This GUID should allow for more accurate detections if/when Microsoft changes the string values of well-known objects. (https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference)

Changes to lookup should be backward compatible with existing content.

pending data PR https://github.com/splunk/attack_data/pull/891

Checklist

  • [ ] Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • [ ] CI/CD jobs passed ✔️
  • [ ] Validated SPL logic.
  • [ ] Validated tags, description, and how to implement.
  • [ ] Verified references match analytic.

nterl0k Apr 13 '24 19:04
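The two design points in the PR description, resolving the acting identity from the `Actor` array and matching role changes on the immutable Template ID instead of the display name, as an added Python illustration that is not part of this PR or of ESCU. It assumes the O365 Management Activity `IdentityType` codes (1 = Name, 3 = PUID, 4 = SPN, 5 = UPN), the `Add member to role.` operation name, JSON-quoted `NewValue` strings, and a constructed two-row fragment of the privileged roles lookup; the sample events are constructed, not real tenant data.

```python
# IdentityType codes from the O365 Management Activity API schema (assumption:
# 1 = Name, 3 = PUID, 4 = SPN, 5 = UPN; verify against the schema reference).
IDENTITY_UPN, IDENTITY_SPN, IDENTITY_NAME = 5, 4, 1

# Constructed fragment of lookups/privileged_azure_ad_roles keyed by Template ID
# (IDs as listed in the Microsoft permissions reference linked in the PR).
PRIVILEGED_ROLES_BY_TEMPLATE_ID = {
    "62e90394-69f5-4237-9190-012177145e10": "Global Administrator",
    "194ae4cb-b126-40b2-bd5b-6091b380977d": "Security Administrator",
}

def actor_identity(record):
    """Return (identity, kind): the UPN when a user acted, else the SPN/app name."""
    by_type = {a.get("Type"): a.get("ID") for a in record.get("Actor", [])}
    if IDENTITY_UPN in by_type:
        return by_type[IDENTITY_UPN], "user_principal"
    for code in (IDENTITY_SPN, IDENTITY_NAME):
        if code in by_type:
            return by_type[code], "service_principal"
    return None, "unknown"

def modified_property(record, name):
    """NewValue of a ModifiedProperties entry, with its JSON-style quoting stripped."""
    for prop in record.get("ModifiedProperties", []):
        if prop.get("Name") == name:
            return prop.get("NewValue", "").strip('"')
    return None

def privileged_role_assignment(record):
    """Return a finding dict when a member is added to a lookup-listed role, else None."""
    if record.get("Operation") != "Add member to role.":
        return None
    template_id = modified_property(record, "Role.TemplateId")
    role = PRIVILEGED_ROLES_BY_TEMPLATE_ID.get(template_id)
    if role is None:  # the immutable GUID still matches if MS renames the role
        return None
    actor, kind = actor_identity(record)
    return {"actor": actor, "actor_type": kind, "role": role,
            "template_id": template_id, "target": record.get("ObjectId")}

# Constructed sample events (not real tenant data); the first carries a legacy display name.
SAMPLE_EVENTS = [
    {"Operation": "Add member to role.", "ObjectId": "newadmin@example.test",
     "Actor": [{"ID": "admin@example.test", "Type": 5}, {"ID": "10032001ABCD1234", "Type": 3}],
     "ModifiedProperties": [{"Name": "Role.DisplayName", "NewValue": "\"Company Administrator\""},
                            {"Name": "Role.TemplateId", "NewValue": "\"62e90394-69f5-4237-9190-012177145e10\""}]},
    {"Operation": "Add member to role.", "ObjectId": "svc-account@example.test",
     "Actor": [{"ID": "Contoso Automation App", "Type": 1}, {"ID": "constructed-app-id", "Type": 2}],
     "ModifiedProperties": [{"Name": "Role.TemplateId", "NewValue": "\"00000000-0000-0000-0000-000000000000\""}]},
]
```

The first sample fires on the Template ID even though its display name is the old "Company Administrator" string; the second resolves a service principal actor but is not in the lookup, so it produces no finding.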