Skip to content
Merged
Show file tree
Hide file tree
Changes from 10 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
3 changes: 2 additions & 1 deletion detection_rules/etc/non-ecs-schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -172,7 +172,8 @@
},
"logs-azure.signinlogs-*": {
"azure.signinlogs.properties.conditional_access_audiences.application_id": "keyword",
"azure.signinlogs.properties.original_transfer_method": "keyword"
Comment thread
terrancedejesus marked this conversation as resolved.
"azure.signinlogs.properties.original_transfer_method": "keyword",
"azure.signinlogs.properties.authentication_details.authentication_method": "keyword"
},
"logs-azure.activitylogs-*": {
"azure.activitylogs.properties.authentication_protocol": "keyword",
Expand Down
2 changes: 1 addition & 1 deletion pyproject.toml
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
[project]
name = "detection_rules"
version = "1.0.4"
version = "1.0.5"
description = "Detection Rules is the home for rules used by Elastic Security. This repository is used for the development, maintenance, testing, validation, and release of rules for Elastic Security’s Detection Engine."
readme = "README.md"
requires-python = ">=3.12"
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@
creation_date = "2025/03/10"
integration = ["azure"]
maturity = "production"
updated_date = "2025/03/10"
updated_date = "2025/03/25"

[rule]
author = ["Elastic"]
Expand All @@ -13,13 +13,13 @@ an attempt to bypass conditional access policies (CAP) and multi-factor authenti
authentication requirements specified may not be commonly used by the user based on their historical sign-in activity.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure*"]
index = ["filebeat-*", "logs-azure.signinlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Azure Entra ID Rare Authentication Requirement for Principal User"
name = "Microsoft Entra ID Rare Authentication Requirement for Principal User"
note = """## Triage and analysis

### Investigating Azure Entra ID Rare Authentication Requirement for Principal User
### Investigating Microsoft Entra ID Rare Authentication Requirement for Principal User

Identifies rare instances of authentication requirements for Azure Entra ID principal users. An adversary with stolen credentials may attempt to authenticate with unusual authentication requirements, which is a rare event and may indicate an attempt to bypass conditional access policies (CAP) and multi-factor authentication (MFA) requirements. The authentication requirements specified may not be commonly used by the user based on their historical sign-in activity.

Expand Down Expand Up @@ -72,8 +72,8 @@ severity = "medium"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Entra ID",
"Data Source: Entra ID Sign-in",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Sign-in Logs",
"Use Case: Identity and Access Audit",
"Use Case: Threat Detection",
"Tactic: Initial Access",
Expand All @@ -85,8 +85,10 @@ type = "new_terms"
query = '''
event.dataset: "azure.signinlogs" and event.category: "authentication"
and azure.signinlogs.properties.user_type: "Member"
and not azure.signinlogs.properties.client_app_used: "Browser"
and azure.signinlogs.properties.authentication_details.authentication_method: "Password"
and not azure.signinlogs.properties.device_detail.browser: *
and not source.as.organization.name: "MICROSOFT-CORP-MSN-AS-BLOCK"
and not azure.signinlogs.properties.authentication_requirement: "multiFactorAuthentication"
'''


Expand All @@ -108,6 +110,24 @@ id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"



[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"

[rule.new_terms]
field = "new_terms_fields"
value = [
Expand Down