diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 28640fbccc9..e53607fec7d 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -172,7 +172,8 @@ }, "logs-azure.signinlogs-*": { "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword", - "azure.signinlogs.properties.original_transfer_method": "keyword" + "azure.signinlogs.properties.original_transfer_method": "keyword", + "azure.signinlogs.properties.authentication_details.authentication_method": "keyword" }, "logs-azure.activitylogs-*": { "azure.activitylogs.properties.authentication_protocol": "keyword", diff --git a/pyproject.toml b/pyproject.toml index d7d73d5df21..4ddef332a34 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.7" +version = "1.0.8" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml index 6e7e09e5912..be3ebf75d6f 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/10" +updated_date = "2025/03/25" [rule] author = ["Elastic"] @@ -13,13 +13,13 @@ an attempt to bypass conditional access policies (CAP) and multi-factor authenti authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" -name = "Azure Entra ID Rare Authentication Requirement for Principal User" +name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" note = """## Triage and analysis -### Investigating Azure Entra ID Rare Authentication Requirement for Principal User +### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. @@ -72,8 +72,8 @@ severity = "medium" tags = [ "Domain: Cloud", "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Initial Access", @@ -85,8 +85,10 @@ type = "new_terms" query = ''' event.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" - and not azure.signinlogs.properties.client_app_used: "Browser" + and azure.signinlogs.properties.authentication_details.authentication_method: "Password" + and not azure.signinlogs.properties.device_detail.browser: * and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK" + and not azure.signinlogs.properties.authentication_requirement: "multiFactorAuthentication" ''' @@ -108,6 +110,24 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = [