Updating Azure Detections post BOTS

Author: dluxtron

detections/cloud/azure_ad_global_administrator_role_assigned.yml

@@ -1,8 +1,8 @@
 name: Azure AD Global Administrator Role Assigned
 id: 825fed20-309d-4fd1-8aaf-cd49c1bb093c
-version: 3
-date: '2022-08-17'
-author: Gowthamaraj Rajendran, Mauricio Velazco, Splunk
+version: 5
+date: '2024-06-25'
+author: Gowthamaraj Rajendran, Mauricio Velazco, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic identifies the assignment of the Azure AD Global
@@ -13,17 +13,20 @@ description: The following analytic identifies the assignment of the Azure AD Gl
   Azure services and resources, it is possible for a Global Administrator account
   to gain control of Azure resources. Adversaries and red teams alike may assign this
   role to a compromised account to establish Persistence or escalate their privileges in an Azure AD environment.
-data_source: []
-search: '`azuread` operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\""
-  | rename properties.* as *
-  | rename targetResources{}.userPrincipalName as userPrincipalName
-  | rename initiatedBy.user.userPrincipalName as initiatedBy
-  | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName
+data_source: 
+- Azure Active Directory Add member to role
+search: '`azure_monitor_aad`  operationName="Add member to role"  properties.targetResources{}.modifiedProperties{}.newValue="\"Global Administrator\""
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
+  | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName
+  | `security_content_ctime(firstTime)`
+  | `security_content_ctime(lastTime)` 
   | `azure_ad_global_administrator_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase(https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
-  Specifically, this analytic leverages the AuditLogs log category.
+  This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLogs log category.
 known_false_positives: Administrators may legitimately assign the Global Administrator
   role to a user. Filter as needed.
 references:
@@ -40,12 +43,12 @@ tags:
   asset_type: Azure Active Directory
   confidence: 90
   impact: 80
-  message: Global Administrator Role assigned for User $userPrincipalName$ initiated
+  message: Global Administrator Role assigned for User $user$ initiated
     by $initiatedBy$
   mitre_attack_id:
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: user
     type: User
     role:
     - Victim
@@ -59,7 +62,7 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - properties.targetResources{}.userPrincipalName
+  - user
   - properties.targetResources{}.type
   - properties.initiatedBy.user.userPrincipalName
   - properties.result
@@ -69,6 +72,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_global_administrator/azure-audit.log
-    source: mscs:azure:eventhub
-    sourcetype: mscs:azure:eventhub
-    update_timestamp: true
+    source: Azure AD
+    sourcetype: azure:monitor:aad
+    update_timestamp: true

detections/cloud/azure_ad_privileged_role_assigned.yml

@@ -1,28 +1,32 @@
 name: Azure AD Privileged Role Assigned
 id: a28f0bc3-3400-4a6e-a2da-89b9e95f0d2a
-version: 1
-date: '2022-08-29'
+version: 4
+date: '2024-06-25'
 author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
 status: production
 type: TTP
 description: The following analytic identifies the assignment of sensitive and privileged
   Azure Active Directory roles to an Azure AD user. Adversaries and red teams alike
   may assign these roles to a compromised account to establish Persistence in an Azure
   AD environment.
-data_source: []
-search: ' `azuread` "operationName"="Add member to role" | rename properties.*  as * 
-  | rename targetResources{}.userPrincipalName as userPrincipalName 
-  | rename initiatedBy.user.userPrincipalName as initiatedBy 
+data_source: 
+- Azure Active Directory Add member to role
+search: ' `azure_monitor_aad`  "operationName"="Add member to role" 
+  | rename properties.* as *, initiatedBy.user.userPrincipalName as userPrincipalName, targetResources{}.displayName as displayName
+  | eval  initiatedBy = coalesce(userPrincipalName,src_user)
+  | eval user = coalesce(user,mvfilter(displayName!="null"))
   | rename targetResources{}.modifiedProperties{}.newValue  as roles 
-  | eval role=mvindex(roles,1) 
+  | eval role=mvindex(roles,1)
+  | stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by initiatedBy, result, operationName, role
   | lookup privileged_azure_ad_roles azureadrole AS role OUTPUT isprvilegedadrole description 
-  | search isprvilegedadrole = True
-  | stats values(userPrincipalName) as userPrincipalName by _time, initiatedBy, result, operationName, role, description 
+  | search isprvilegedadrole = True 
+  | `security_content_ctime(firstTime)` 
+  | `security_content_ctime(lastTime)`
   | `azure_ad_privileged_role_assigned_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment.
-  Specifically, this analytic leverages the AuditLogs log category.
+  This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the AuditLog log category.
 known_false_positives: Administrators will legitimately assign the privileged roles
   users as part of administrative tasks. Filter as needed.
 references:
@@ -35,16 +39,17 @@ references:
 tags:
   analytic_story:
   - Azure Active Directory Persistence
+  - NOBELIUM Group
   asset_type: Azure Active Directory
   confidence: 90
   impact: 70
-  message: A privileged Azure AD role was assigned for User $userPrincipalName$ initiated
+  message: A privileged Azure AD role was assigned for User $user$ initiated
     by $initiatedBy$
   mitre_attack_id:
   - T1098
   - T1098.003
   observable:
-  - name: userPrincipalName
+  - name: user
     type: User
     role:
     - Victim
@@ -58,7 +63,7 @@ tags:
   - Splunk Cloud
   required_fields:
   - _time
-  - properties.targetResources{}.userPrincipalName
+  - user
   - properties.targetResources{}.type
   - properties.initiatedBy.user.userPrincipalName
   - properties.result
@@ -68,6 +73,6 @@ tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.003/azure_ad_assign_privileged_role/azure-audit.log
-    source: mscs:azure:eventhub
-    sourcetype: mscs:azure:eventhub
-    update_timestamp: true
+    source: Azure AD
+    sourcetype: azure:monitor:aad
+    update_timestamp: true

detections/cloud/azure_ad_service_principal_new_client_credentials.yml

@@ -1,8 +1,8 @@
 name: Azure AD Service Principal New Client Credentials
 id: e3adc0d3-9e4b-4b5d-b662-12cec1adff2a
-version: 2
-date: '2022-08-17'
-author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
+version: 3
+date: '2024-06-25'
+author: Mauricio Velazco, Gowthamaraj Rajendran, Dean Luxton, Splunk
 status: production
 type: TTP
 description: The following analytic identifies the addition of new credentials for Service
@@ -15,15 +15,27 @@ description: The following analytic identifies the addition of new credentials f
   instances within the Azure environment. By compromising an account who is an Owner of an application
   with privileged access, attackers may also escalate their privileges in an Azure AD environment by adding new credentials and 
   logging in as the service principal.
-data_source: []
-search: ' `azuread` category=AuditLogs operationName="Update application*Certificates
-  and secrets management " | rename * as * | rename properties.* as * | rename
-  targetResources{}.* as * | stats values(displayName) as displayName by _time, initiatedBy.user.userPrincipalName,
-  modifiedProperties{}.newValue | `azure_ad_service_principal_new_client_credentials_filter`'
+data_source: 
+- Azure Active Directory
+search: ' `azure_monitor_aad`  category=AuditLogs operationName="Update application*Certificates and secrets management "
+ | rename properties.* as * 
+ | rename  targetResources{}.* as * 
+ | rename modifiedProperties{}.* as *
+ | eval src_user=coalesce(user,identity), newValue=mvfilter(newValue!="\"KeyDescription\"")
+ | stats count min(_time) as firstTime max(_time) as lastTime values(displayName) as displayName values(src_ip) as src_ip values(eval(mvfilter(oldValue!="null"))) as oldValue by src_user, object, newValue
+ | spath input=oldValue output=oldValues path={}
+ | spath input=newValue output=newValues path={}
+ | mvexpand newValues
+ | where NOT newValues IN (oldValues)
+ | fields - newValue, oldValue, oldValues
+ | rename newValues as newValue
+ | `security_content_ctime(firstTime)` 
+ | `security_content_ctime(lastTime)`
+ | `azure_ad_service_principal_new_client_credentials_filter`'
 how_to_implement: You must install the latest version of Splunk Add-on for Microsoft
   Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details).
   You must be ingesting Azure Active Directory events into your Splunk environment.
-  Specifically, this analytic leverages the SignInLogs log category.
+  This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
 known_false_positives: Service Principal client credential modifications may be part
   of legitimate administrative operations. Filter as needed.
 references:
@@ -37,22 +49,23 @@ tags:
   analytic_story:
   - Azure Active Directory Persistence
   - Azure Active Directory Privilege Escalation
+  - NOBELIUM Group
   asset_type: Azure Active Directory
   confidence: 50
   impact: 70
-  message: New credentials added for Service Principal $properties.targetResources{}.displayName$
+  message: New credentials Service Principal credentials were added to $object$ by $src_user$
   mitre_attack_id:
   - T1098
   - T1098.001
   observable:
-  - name: displayName
+  - name: src_user
     type: User
     role:
     - Victim
-  - name: initiatedBy.user.userPrincipalName
+  - name: object
     type: User
     role:
-    - Attacker
+    - Victim
   product:
   - Splunk Enterprise
   - Splunk Enterprise Security
@@ -61,15 +74,16 @@ tags:
   - _time
   - category
   - operationName
-  - properties.initiatedBy.user.userPrincipalName
+  - user
   - properties.targetResources{}.displayName
   - properties.targetResources{}.modifiedProperties{}.newValue
+  - src_ip
   risk_score: 35
   security_domain: threat
 tests:
 - name: True Positive Test
   attack_data:
   - data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1098.001/azure_ad_service_principal_credentials/azure-audit.log
-    source: mscs:azure:eventhub
-    sourcetype: mscs:azure:eventhub
-    update_timestamp: true
+    source: Azure AD
+    sourcetype: azure:monitor:aad
+    update_timestamp: true