/
azure_ad_service_principal_authentication.yml
64 lines (64 loc) · 3.1 KB
/
azure_ad_service_principal_authentication.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
name: Azure AD Service Principal Authentication
id: 5a2ec401-60bb-474e-b936-1e66e7aa4060
version: 1
date: '2024-02-12'
author: Mauricio Velazco, Splunk
data_source:
- Azure Active Directory Sign-in activity
type: TTP
status: production
description: Monitoring service principal authentication events in Azure Active Directory is crucial, but to effectively leverage this detection, teams should first conduct a thorough inventory of all service principals and their source IPs to establish a baseline of normal behavior. The detection, using azure_monitor_aad, specifically targets "Sign-in activity" within ServicePrincipalSignInLogs, gathering key details like sign-in frequency, timing, source IPs, and accessed resources. This baseline is essential for SOC teams to distinguish between regular application authentication and anomalous patterns that might suggest compromised credentials or malicious activities.
search: ' `azure_monitor_aad` operationName="Sign-in activity" category=ServicePrincipalSignInLogs
| rename properties.* as *
| stats count earliest(_time) as firstTime latest(_time) as lastTime by user, user_id, src_ip, resourceDisplayName, resourceId
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_service_principal_authentication_filter`'
how_to_implement: You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub.
This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.
known_false_positives: Service Principals will legitimally authenticate remotely to your tenant. Implementing this detection after establishing a baseline enables a more accurate identification of security threats, ensuring proactive and informed responses to safeguard the Azure AD environment.
source ips.
references:
- https://attack.mitre.org/techniques/T1078/004/
- https://learn.microsoft.com/en-us/entra/identity/monitoring-health/concept-sign-ins#service-principal-sign-ins
tags:
analytic_story:
- Azure Active Directory Account Takeover
- NOBELIUM Group
asset_type: Azure Active Directory
confidence: 50
impact: 50
message: Service Principal $user$ authenticated from $src_ip$
mitre_attack_id:
- T1078.004
observable:
- name: src_ip
type: IP Address
role:
- Attacker
- name: user
type: User
role:
- Victim
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
required_fields:
- _time
- operationName
- category
- properties.resourceDisplayName
- properties.resourceId
- user
- src_ip
- user_id
risk_score: 25
security_domain: identity
tests:
- name: True Positive Test
attack_data:
- data: https://media.githubusercontent.com/media/splunk/attack_data/master/datasets/attack_techniques/T1078.004/azure_ad_service_principal_authentication/azure_ad_service_principal_authentication.log
source: Azure AD
sourcetype: azure:monitor:aad
update_timestamp: true