Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Adding and Updating O365 detections #2835

Closed
wants to merge 72 commits into from
Closed

Adding and Updating O365 detections #2835

wants to merge 72 commits into from

Conversation

mvelazc0
Copy link
Contributor

@mvelazc0 mvelazc0 commented Aug 31, 2023
edited

Details

What does this PR have in it? Screenshots are worth 1000 words 😄

New Analytic Stories

  • Office 365 Account Compromise
  • Office 365 Persistence Mechanisms

Removed Analytic Story

  • O365 detections

New Detections

  • O365 Service Principal New Client Credentials
  • O365 Mailbox Read Access Granted to Application
  • O365 Tenant Wide Admin Consent Granted
  • O365 Application Registration Owner Added
  • O365 Mailbox Inbox Folder Shared with All Users
  • O365 Advanced Audit Disabled
  • O365 High Number Of Failed Authentications for User
  • O365 Multiple Users Failing To Authenticate From Ip
  • O365 User Consent Blocked for Risky Application
  • O365 User Consent Denied for OAuth Application
  • O365 Mail Permissioned Application Consent Granted by User
  • O365 ApplicationImpersonation Role Assigned
  • O365 File Permissioned Application Consent Granted by User
  • O365 Multiple Failed MFA Requests For User
  • O365 High Privilege Role Granted
  • O365 New MFA Method Registered
  • O365 Multiple AppIDs and UserAgents Authentication Spike
  • O365 Block User Consent For Risky Apps Disabled
  • O365 Multi-Source Failed Authentications Spike

Updated Detections

  • High Number of Login Failures from a single source
  • O365 Add App Role Assignment Grant User
  • O365 Added Service Principal
  • O365 Bypass MFA via Trusted IP
  • O365 Disable MFA
  • O365 Excessive Authentication Failures Alert
  • O365 Excessive SSO logon errors
  • O365 New Federated Domain Added
  • O365 PST export alert
  • O365 Suspicious Admin Email Forwarding*
  • O365 Suspicious Rights Delegation
  • O365 Suspicious User Email Forwarding

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
  • CI/CD jobs passed ✔️
  • Validated SPL logic.
  • Validated tags, description, and how to implement.
  • Verified references match analytic.

patel-bhavin
patel-bhavin reviewed Sep 11, 2023
View reviewed changes
detections/cloud/o365_application_registration_owner_added.yml
`o365_management_activity` Workload=AzureActiveDirectory Operation="Add owner to application."
| eval app_id=mvindex('ModifiedProperties{}.NewValue', 0)
| eval app_displayName=mvindex('ModifiedProperties{}.NewValue', 1)
| stats max(_time) as lastTime values(ModifiedProperties{}.NewValue) by Operation, UserId, app_displayName, object
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

use CIM name for UserId in all the detections in the PR. CIM names are usually aliased by the TAs and are in lowercase format in splunk. If its not available, lets use the rename command.

@mvelazc0 mvelazc0 added the WIP DO NOT MERGE Work in Progress label Sep 25, 2023
@srv-rr-gh-researchbt
Branch was auto-updated.
1098bb9
@srv-rr-gh-researchbt
Branch was auto-updated.
4a25fb4
@mvelazc0
adding new detection
e45c03f
@mvelazc0
Merge branch 'o365_detections' of github.com:splunk/security_content …
626a64d 
…into o365_detections
@mvelazc0
adding detection
0a5803e
@mvelazc0
update detection
ba33b6c
@mvelazc0
adding 2 detections
0bee7fa
@mvelazc0
fixing detection
2a63852
@mvelazc0
updates
608f7a3
@mvelazc0
adding analytic story
1ec394f
@mvelazc0
adding detection
ee90bfa
@srv-rr-gh-researchbt
Branch was auto-updated.
85bbf0e
@mvelazc0
update detection
5717ea3
@mvelazc0
fixing error
e4cf566
@mvelazc0
adding detection
74a138e
@mvelazc0
typo
697b23f
@srv-rr-gh-researchbt
Branch was auto-updated.
dbaf43f
@srv-rr-gh-researchbt
Branch was auto-updated.
1100e9c
@mvelazc0
updating o365
ce6d21a
@mvelazc0
fix error
06ff522
@srv-rr-gh-researchbt
Branch was auto-updated.
2cbdb55
@srv-rr-gh-researchbt
Branch was auto-updated.
e0e5a3a
@mvelazc0
adding new detection
204843d
@mvelazc0
fixing yamls
3151599
@mvelazc0
changes
d463865
renaming stories
915d998
@srv-rr-gh-researchbt
Branch was auto-updated.
8dca31b
@srv-rr-gh-researchbt
Branch was auto-updated.
f1b0312
@srv-rr-gh-researchbt
Branch was auto-updated.
6beb1fd
@mvelazc0 mvelazc0 closed this Dec 11, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@patel-bhavin patel-bhavin patel-bhavin left review comments

@P4T12ICK P4T12ICK Awaiting requested review from P4T12ICK

Assignees
No one assigned
Labels
WIP DO NOT MERGE Work in Progress
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@mvelazc0 @patel-bhavin @srv-rr-gh-researchbt