Nterl0k [T1098] - O365 Azure Workload things

[nterl0k]

Details

This PR includes a number of detections written for the O365 Azure Active Directory workload from the universal audit log (o365 management activity). A few of the detections are 1:1 duplicates of existing ESCU content or expands coverage, only adapted for a slightly easier to access data source. Other detections are focused on monitoring sensitive changes to a number of Azure external access settings.

• O365 Privileged Role Assigned (duplicate Azure AD Privileged Role Assigned and O365 High Privilege Role Granted)
• O365 Privileged Role Assigned To Service Principal (duplicate -Azure AD Privileged Role Assigned to Service Principal)
• O365 External Guest User Invited (duplicate - Azure AD External Guest User Invited)
• O365 Cross-Tenant Access Change (New)
• O365 External Identity Policy Changed (New)
• O365 Application Available To Other Tenants (New)

These detections also extract either the User Principal or Service Principal from the Actor field. Recommend profile your azure environments to populate this data into Assets and Identities.

This PR also includes a number of changes to the "lookups/privileged_azure_ad_roles" lookup and lookup definition, mainly for the purpose of including more known privileged Azure groups relevant in 2024, none of the previous groups were removed.

An additional column has been added to also include the "Template ID" for all groups, which is an immutable GUID used by MS. This GUI should allow for more accurate detections if/when Microsoft changes the string values of well-known objects. (https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference)

Changes to lookup should be backward compatible with existing content.

pending data PR splunk/attack_data#891

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.

[ljstella]

Hey @nterl0k ! Long time no talk! Sorry for letting this sit as long as it did. We're working through the backlog now with a bit more focus and ease now that primary development has shifted back here.

Summary for the commit I added:

1. Build was failing due to some formatting in the search: bit for 6 detections. The second line of these all used ' single quotes around fields which appeared to close the initial quote around the full search. The solution here was adding the > bracket to force the folded style of multiline string, and then indenting each of those blocks.
2. Once those were finished, validate was able to run the actual validation checks against the rest of the fields. This raised a series of errors related to the tags.asset_type field, which we've adjusted from Office 365 to match the expected value of O365 Tenant.

As I'm writing this, unit testing is still running but the build steps have all passed! Hoping to get this merged for our next release!

Cheers!

[nterl0k]

That's groovy... I'll have to remember the > formatting for in the future. I wasn't sure on the asset type so I just copied from one of the existing detections for o365.. I transfer my blame elsewhere :) Regards, Steven.

…

-------- Original message -------- From: Lou Stella ***@***.***> Date: 7/24/24 5:33 PM (GMT-05:00) To: splunk/security_content ***@***.***> Cc: Steven Dick ***@***.***>, Mention ***@***.***> Subject: Re: [splunk/security_content] Nterl0k [T1098] - O365 Azure Workload things (PR #2999) Hey @nterl0k<https://github.com/nterl0k> ! Long time no talk! Sorry for letting this sit as long as it did. We're working through the backlog now with a bit more focus and ease now that primary development has shifted back here. Summary for the commit I added: 1. Build was failing due to some formatting in the search: bit for 6 detections. The second line of these all used ' single quotes around fields which appeared to close the initial quote around the full search. The solution here was adding the > bracket to force the folded style of multiline string, and then indenting each of those blocks. 2. Once those were finished, validate was able to run the actual validation checks against the rest of the fields. This raised a series of errors related to the tags.asset_type field, which we've adjusted from Office 365 to match the expected value of O365 Tenant. As I'm writing this, unit testing is still running but the build steps have all passed! Hoping to get this merged for our next release! Cheers! — Reply to this email directly, view it on GitHub<#2999 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7QYDAESG3652KD4HMTZOAK57AVCNFSM6AAAAABGFWQ2TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBYHEYTMOBWGA>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[ljstella]

Alright, testing now passes entirely for these. Before we merge, I think we just need to tweak the lookup definition & lookup filename so that on updates of the app to the version that include this, the new lookup is put in place. Other than that, we should be set to merge. Thank you @nterl0k !

[ljstella]

Thanks again @nterl0k for this awesome contribution!

[nterl0k]

Happy to contribute... I've got more on the way, spare time has been lacking lately on my end too.

…

________________________________ From: Lou Stella ***@***.***> Sent: Thursday, July 25, 2024 10:42 AM To: splunk/security_content ***@***.***> Cc: Steven Dick ***@***.***>; Mention ***@***.***> Subject: Re: [splunk/security_content] Nterl0k [T1098] - O365 Azure Workload things (PR #2999) @ljstella approved this pull request. [:shipit:] Thanks again @nterl0k<https://github.com/nterl0k> for this awesome contribution! — Reply to this email directly, view it on GitHub<#2999 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7S7WDLBYWXSUUTEPBTZOEFGFAVCNFSM6AAAAABGFWQ2TKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCOJZGUYTQOJVGQ>. You are receiving this because you were mentioned.Message ID: ***@***.***>

[ljstella]