-
Notifications
You must be signed in to change notification settings - Fork 644
Expand file tree
/
Copy pathcredential_access_entra_id_risk_detection_signal.toml
More file actions
89 lines (77 loc) · 2.77 KB
/
credential_access_entra_id_risk_detection_signal.toml
File metadata and controls
89 lines (77 loc) · 2.77 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
[metadata]
bypass_bbr_timing = true
creation_date = "2026/02/20"
integration = ["o365"]
maturity = "production"
updated_date = "2026/03/24"
[rule]
author = ["Elastic"]
building_block_type = "default"
description = """
Identifies Microsoft Entra ID (formerly Azure AD) risk detection signals including risky sign-ins, compromised
credentials, impossible travel, and other identity-based anomalies. These events indicate potential credential
compromise, account takeover attempts, or suspicious authentication patterns detected by Microsoft's identity
protection. This building block rule generates security events for correlation, threat hunting, and telemetry
collection to support detection of credential access and initial access attempts.
"""
from = "now-9m"
index = ["logs-o365.audit-*", "filebeat-*"]
language = "kuery"
license = "Elastic License v2"
name = "M365 Entra ID Risk Detection Signal"
references = [
"https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks",
"https://learn.microsoft.com/en-us/office/office-365-management-api/office-365-management-activity-api-schema#enum-auditlogrecordtype---type-edmint32",
]
risk_score = 21
rule_id = "cccc9be5-d8b0-466e-8a37-617eae57351a"
setup = """### Additional notes
For information on troubleshooting the maximum alerts warning please refer to this [guide](https://www.elastic.co/guide/en/security/current/alerts-ui-monitor.html#troubleshoot-max-alerts).
"""
severity = "low"
tags = [
"Domain: Cloud",
"Domain: SaaS",
"Data Source: Microsoft 365",
"Data Source: Microsoft 365 Audit Logs",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Protection",
"Use Case: Threat Detection",
"Use Case: Identity Threat Detection",
"Tactic: Credential Access",
"Tactic: Initial Access",
"Rule Type: BBR",
]
timestamp_override = "event.ingested"
type = "query"
query = '''
event.dataset:o365.audit and event.code:AadRiskDetection
'''
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1110"
name = "Brute Force"
reference = "https://attack.mitre.org/techniques/T1110/"
[[rule.threat.technique.subtechnique]]
id = "T1110.003"
name = "Password Spraying"
reference = "https://attack.mitre.org/techniques/T1110/003/"
[rule.threat.tactic]
id = "TA0006"
name = "Credential Access"
reference = "https://attack.mitre.org/tactics/TA0006/"
[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"
[[rule.threat.technique.subtechnique]]
id = "T1078.004"
name = "Cloud Accounts"
reference = "https://attack.mitre.org/techniques/T1078/004/"
[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"