diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index a93d754f2a7..e6d3889f9ce 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -167,7 +167,8 @@ "aws.cloudtrail.flattened.request_parameters.instanceId": "keyword" }, "logs-azure.signinlogs-*": { - "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword" + "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword", + "azure.signinlogs.properties.original_transfer_method": "keyword" }, "logs-azure.activitylogs-*": { "azure.activitylogs.properties.authentication_protocol": "keyword", diff --git a/pyproject.toml b/pyproject.toml index 6f045491f87..35a8eab7c6a 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "0.4.13" +version = "0.4.14" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml index ed509643d52..d73d391f8e3 100644 --- a/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml +++ b/rules/integrations/azure/credential_access_first_time_seen_device_code_auth.toml @@ -2,27 +2,89 @@ creation_date = "2024/10/14" integration = ["azure"] maturity = "production" -updated_date = "2025/01/15" +updated_date = "2025/02/18" [rule] author = ["Elastic", "Matteo Potito Giorgio"] description = """ -Identifies when a user is observed for the first time in the last 14 days authenticating using the deviceCode protocol. The device code authentication flow can be abused by attackers to phish users and steal access tokens to impersonate the victim. By its very nature, device code should only be used when logging in to devices without keyboards, where it is difficult to enter emails and passwords. +Identifies when a user is observed for the first time in the last 14 days authenticating using the device code +authentication workflow. This authentication workflow can be abused by attackers to phish users and steal access tokens +to impersonate the victim. By its very nature, device code should only be used when logging in to devices without +keyboards, where it is difficult to enter emails and passwords. """ from = "now-9m" index = ["filebeat-*", "logs-azure.signinlogs-*", "logs-azure.activitylogs-*"] language = "kuery" license = "Elastic License v2" name = "First Occurrence of Entra ID Auth via DeviceCode Protocol" -references =[ +note = """## Triage and analysis + +## Triage and Analysis + +### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol + +This rule detects the first instance of a user authenticating via the **DeviceCode** authentication protocol within a **14-day window**. The **DeviceCode** authentication workflow is designed for devices that lack keyboards, such as IoT devices and smart TVs. However, adversaries can abuse this mechanism by phishing users and stealing authentication tokens, leading to unauthorized access. + +### Possible Investigation Steps + +#### Identify the User and Authentication Details +- **User Principal Name (UPN)**: Review `azure.signinlogs.properties.user_principal_name` to identify the user involved in the authentication event. +- **User ID**: Check `azure.signinlogs.properties.user_id` for a unique identifier of the affected account. +- **Authentication Protocol**: Confirm that `azure.signinlogs.properties.authentication_protocol` is set to `deviceCode`. +- **Application Used**: Verify the application through `azure.signinlogs.properties.app_display_name` and `azure.signinlogs.properties.app_id` to determine if it is an expected application. + +#### Review the Source IP and Geolocation +- **Source IP Address**: Check `source.ip` and compare it with previous authentication logs to determine whether the login originated from a trusted or expected location. +- **Geolocation Details**: Analyze `source.geo.city_name`, `source.geo.region_name`, and `source.geo.country_name` to confirm whether the login location is suspicious. +- **ASN / ISP Details**: Review `source.as.organization.name` to check if the IP is associated with a known organization or cloud provider. + +#### Examine Multi-Factor Authentication (MFA) and Conditional Access +- **MFA Enforcement**: Review `azure.signinlogs.properties.applied_conditional_access_policies` to determine if MFA was enforced during the authentication. +- **Conditional Access Policies**: Check `azure.signinlogs.properties.conditional_access_status` to understand if conditional access policies were applied and if any controls were bypassed. +- **Authentication Method**: Look at `azure.signinlogs.properties.authentication_details` to confirm how authentication was satisfied (e.g., MFA via claim in token). + +#### Validate Device and Client Details +- **Device Information**: Review `azure.signinlogs.properties.device_detail.browser` to determine if the login aligns with the expected behavior of a device that lacks a keyboard. +- **User-Agent Analysis**: Inspect `user_agent.original` for anomalies, such as an unexpected operating system or browser. +- **Client Application**: Verify `azure.signinlogs.properties.client_app_used` to confirm whether the login was performed using a known client. + +#### Investigate Related Activities +- **Correlate with Phishing Attempts**: Check if the user recently reported phishing attempts or suspicious emails. +- **Monitor for Anomalous Account Activity**: Look for recent changes in the user's account settings, including password resets, role changes, or delegation of access. +- **Check for Additional DeviceCode Logins**: Review if other users in the environment have triggered similar authentication events within the same timeframe. + +## False Positive Analysis + +- **Legitimate Device Enrollment**: If the user is setting up a new device (e.g., a smart TV or kiosk), this authentication may be expected. +- **Automation or Scripting**: Some legitimate applications or scripts may leverage the `DeviceCode` authentication protocol for non-interactive logins. +- **Shared Devices in Organizations**: In cases where shared workstations or conference room devices are in use, legitimate users may trigger alerts. +- **Travel and Remote Work**: If the user is traveling or accessing from a new location, confirm legitimacy before taking action. + +## Response and Remediation + +- **Revoke Suspicious Access Tokens**: Immediately revoke any access tokens associated with this authentication event. +- **Investigate the User’s Recent Activity**: Review additional authentication logs, application access, and recent permission changes for signs of compromise. +- **Reset Credentials and Enforce Stronger Authentication**: + - Reset the affected user’s credentials. + - Enforce stricter MFA policies for sensitive accounts. + - Restrict `DeviceCode` authentication to only required applications. +- **Monitor for Further Anomalies**: + - Enable additional logging and anomaly detection for DeviceCode logins. + - Set up alerts for unauthorized access attempts using this authentication method. +- **Educate Users on Phishing Risks**: If phishing is suspected, notify the affected user and provide security awareness training on how to recognize and report phishing attempts. +- **Review and Adjust Conditional Access Policies**: + - Limit `DeviceCode` authentication to approved users and applications. + - Implement stricter geolocation-based authentication restrictions. +""" +references = [ "https://aadinternals.com/post/phishing/", - "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/" + "https://www.blackhillsinfosec.com/dynamic-device-code-phishing/", + "https://www.volexity.com/blog/2025/02/13/multiple-russian-threat-actors-targeting-microsoft-device-code-authentication/", + "https://learn.microsoft.com/en-us/entra/identity/conditional-access/concept-authentication-flows", ] risk_score = 47 rule_id = "af22d970-7106-45b4-b5e3-460d15333727" -setup = """ -This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected. -""" +setup = "This rule optionally requires Azure Sign-In logs from the Azure integration. Ensure that the Azure integration is correctly set up and that the required data is being collected.\n" severity = "medium" tags = [ "Domain: Cloud", @@ -36,43 +98,14 @@ timestamp_override = "event.ingested" type = "new_terms" query = ''' - event.dataset:(azure.activitylogs or azure.signinlogs) and - (azure.signinlogs.properties.authentication_protocol:deviceCode or azure.activitylogs.properties.authentication_protocol:deviceCode) and event.outcome:success +event.dataset:(azure.activitylogs or azure.signinlogs) + and ( + azure.signinlogs.properties.authentication_protocol:deviceCode or + azure.signinlogs.properties.original_transfer_method: "Device code flow" or + azure.activitylogs.properties.authentication_protocol:deviceCode + ) + and event.outcome:success ''' -note = """## Triage and analysis - -> **Disclaimer**: -> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs. - -### Investigating First Occurrence of Entra ID Auth via DeviceCode Protocol - -The DeviceCode protocol facilitates authentication for devices lacking keyboards, streamlining user access without manual credential entry. However, attackers can exploit this by phishing users to capture access tokens, enabling unauthorized access. The detection rule identifies new instances of this protocol use, flagging potential misuse by monitoring successful authentications within a 14-day window, thus aiding in early threat detection. - -### Possible investigation steps - -- Review the event logs to confirm the presence of the deviceCode protocol in the authentication process by checking the fields azure.signinlogs.properties.authentication_protocol or azure.activitylogs.properties.authentication_protocol. -- Verify the event outcome by examining the event.outcome field to ensure the authentication was successful. -- Identify the user associated with the authentication attempt and review their recent activity for any anomalies or signs of compromise. -- Check the device information to determine if the authentication was performed on a device that typically lacks a keyboard, which would justify the use of the deviceCode protocol. -- Investigate any recent phishing attempts or suspicious communications that could have targeted the user to capture their access tokens. -- Assess the risk score and severity to prioritize the investigation and determine if immediate action is required to mitigate potential threats. - -### False positive analysis - -- Legitimate device setup activities may trigger alerts when new devices without keyboards are being configured. To manage this, maintain a list of known devices and exclude their initial setup from triggering alerts. -- Regular use of shared devices in environments like conference rooms or kiosks can result in repeated alerts. Implement a policy to track and whitelist these shared devices to prevent unnecessary alerts. -- Automated scripts or applications using the deviceCode protocol for legitimate purposes might be flagged. Identify and document these scripts, then create exceptions for their activity to avoid false positives. -- Users who frequently travel and use different devices may trigger alerts. Monitor and verify these users' travel patterns and device usage, and consider excluding their known travel-related activities from the rule. - -### Response and remediation - -- Immediately revoke the access tokens associated with the suspicious deviceCode authentication to prevent further unauthorized access. -- Conduct a thorough review of the affected user's account activity to identify any unauthorized actions or data access that may have occurred. -- Reset the credentials of the affected user and enforce multi-factor authentication (MFA) to enhance account security. -- Isolate any devices that were authenticated using the deviceCode protocol to prevent potential lateral movement within the network. -- Notify the security operations team and escalate the incident to ensure a coordinated response and further investigation into potential phishing attempts. -- Implement additional monitoring for anomalous deviceCode protocol usage across the organization to detect similar threats in the future. -- Review and update access policies to restrict the use of the deviceCode protocol to only those devices and scenarios where it is absolutely necessary.""" [[rule.threat]] @@ -88,7 +121,6 @@ id = "TA0006" name = "Credential Access" reference = "https://attack.mitre.org/tactics/TA0006/" - [rule.new_terms] field = "new_terms_fields" value = ["azure.signinlogs.properties.user_principal_name"]