From 35d3b787f1f2ac5912205ec34d28a8019776c396 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 25 Mar 2025 11:44:58 -0400 Subject: [PATCH 1/7] tuning 'Microsoft Entra ID Rare Authentication Requirement for Principal User' --- ...hentication_requirement_for_principal_user.toml | 14 ++++++++------ 1 file changed, 8 insertions(+), 6 deletions(-) diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml index 6e7e09e5912..6c6c1b02233 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml @@ -2,7 +2,7 @@ creation_date = "2025/03/10" integration = ["azure"] maturity = "production" -updated_date = "2025/03/10" +updated_date = "2025/03/25" [rule] author = ["Elastic"] @@ -16,10 +16,10 @@ from = "now-9m" index = ["filebeat-*", "logs-azure*"] language = "kuery" license = "Elastic License v2" -name = "Azure Entra ID Rare Authentication Requirement for Principal User" +name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" note = """## Triage and analysis -### Investigating Azure Entra ID Rare Authentication Requirement for Principal User +### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. @@ -72,8 +72,8 @@ severity = "medium" tags = [ "Domain: Cloud", "Data Source: Azure", - "Data Source: Entra ID", - "Data Source: Entra ID Sign-in", + "Data Source: Microsoft Entra ID", + "Data Source: Microsoft Entra ID Sign-in Logs", "Use Case: Identity and Access Audit", "Use Case: Threat Detection", "Tactic: Initial Access", @@ -85,8 +85,10 @@ type = "new_terms" query = ''' event.dataset: "azure.signinlogs" and event.category: "authentication" and azure.signinlogs.properties.user_type: "Member" - and not azure.signinlogs.properties.client_app_used: "Browser" + and azure.signinlogs.properties.authentication_details.authentication_method: "Password" + and not azure.signinlogs.properties.device_detail.browser: * and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK" + and not azure.signinlogs.properties.authentication_requirement: "multiFactorAuthentication" ''' From 605e54e60d89d3f433bfb8ac06bfe86cf510123d Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 25 Mar 2025 12:22:47 -0400 Subject: [PATCH 2/7] updated MITRE ATT&CK mappings --- ...ication_requirement_for_principal_user.toml | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml index 6c6c1b02233..8b8559cc4db 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml @@ -110,6 +110,24 @@ id = "TA0001" name = "Initial Access" reference = "https://attack.mitre.org/tactics/TA0001/" +[[rule.threat]] +framework = "MITRE ATT&CK" +[[rule.threat.technique]] +id = "T1110" +name = "Brute Force" +reference = "https://attack.mitre.org/techniques/T1110/" +[[rule.threat.technique.subtechnique]] +id = "T1110.003" +name = "Password Spraying" +reference = "https://attack.mitre.org/techniques/T1110/003/" + + + +[rule.threat.tactic] +id = "TA0006" +name = "Credential Access" +reference = "https://attack.mitre.org/tactics/TA0006/" + [rule.new_terms] field = "new_terms_fields" value = [ From cfe0b5e60dee7aea5137b424deea1056b867f5cd Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Thu, 27 Mar 2025 10:08:05 -0400 Subject: [PATCH 3/7] updated index target --- detection_rules/etc/non-ecs-schema.json | 3 ++- ...tra_rare_authentication_requirement_for_principal_user.toml | 2 +- 2 files changed, 3 insertions(+), 2 deletions(-) diff --git a/detection_rules/etc/non-ecs-schema.json b/detection_rules/etc/non-ecs-schema.json index 28640fbccc9..e53607fec7d 100644 --- a/detection_rules/etc/non-ecs-schema.json +++ b/detection_rules/etc/non-ecs-schema.json @@ -172,7 +172,8 @@ }, "logs-azure.signinlogs-*": { "azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword", - "azure.signinlogs.properties.original_transfer_method": "keyword" + "azure.signinlogs.properties.original_transfer_method": "keyword", + "azure.signinlogs.properties.authentication_details.authentication_method": "keyword" }, "logs-azure.activitylogs-*": { "azure.activitylogs.properties.authentication_protocol": "keyword", diff --git a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml index 8b8559cc4db..be3ebf75d6f 100644 --- a/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml +++ b/rules/integrations/azure/initial_access_entra_rare_authentication_requirement_for_principal_user.toml @@ -13,7 +13,7 @@ an attempt to bypass conditional access policies (CAP) and multi-factor authenti authentication requirements specified may not be commonly used by the user based on their historical sign-in activity. """ from = "now-9m" -index = ["filebeat-*", "logs-azure*"] +index = ["filebeat-*", "logs-azure.signinlogs-*"] language = "kuery" license = "Elastic License v2" name = "Microsoft Entra ID Rare Authentication Requirement for Principal User" From db85a6e21ce39b97a8cba41a10a628ed1ac4fb42 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Thu, 27 Mar 2025 10:08:49 -0400 Subject: [PATCH 4/7] updated patch version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index a80fd2c0470..86441ff8818 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.4" +version = "1.0.5" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" From dd3a11b4b87abe23e64bdd196032b4de7da13f76 Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Mon, 14 Apr 2025 09:31:25 -0400 Subject: [PATCH 5/7] updating patch version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 86441ff8818..49958ed78fa 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.5" +version = "1.0.6" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" From ee449b611108b267a8c9529b0b6536ab0b61220a Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Tue, 15 Apr 2025 14:55:45 -0400 Subject: [PATCH 6/7] bumping patch version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index 49958ed78fa..d7d73d5df21 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.6" +version = "1.0.7" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12" From 70bdc4bc5dfdb6d60dc6ea455070296f7090e23a Mon Sep 17 00:00:00 2001 From: terrancedejesus Date: Wed, 16 Apr 2025 11:56:09 -0400 Subject: [PATCH 7/7] updating patch version --- pyproject.toml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/pyproject.toml b/pyproject.toml index d7d73d5df21..4ddef332a34 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -1,6 +1,6 @@ [project] name = "detection_rules" -version = "1.0.7" +version = "1.0.8" description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine." readme = "README.md" requires-python = ">=3.12"