-
Notifications
You must be signed in to change notification settings - Fork 363
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Nterl0k [T1098] - O365 Azure Workload things #2999
Nterl0k [T1098] - O365 Azure Workload things #2999
Conversation
Better User / ServicePrincipal parsing from Actor field
Better user/seviceprincipal parsing from actor field
user/servicepincipal parsing update
user/servicepincipal parsing update
user/servicepincipal parsing update
user/servicepincipal parsing update
Update for better ServicePrincipal GUID
Update for better ServicePrincipal GUID
Update for better ServicePrincipal GUID
Update for better ServicePrincipal GUID
Update for better ServicePrincipal GUID
Update for better ServicePrincipal GUID
Hey @nterl0k ! Long time no talk! Sorry for letting this sit as long as it did. We're working through the backlog now with a bit more focus and ease now that primary development has shifted back here. Summary for the commit I added:
As I'm writing this, unit testing is still running but the build steps have all passed! Hoping to get this merged for our next release! Cheers! |
That's groovy... I'll have to remember the > formatting for in the future.
I wasn't sure on the asset type so I just copied from one of the existing detections for o365..
I transfer my blame elsewhere :)
Regards,
Steven.
…-------- Original message --------
From: Lou Stella ***@***.***>
Date: 7/24/24 5:33 PM (GMT-05:00)
To: splunk/security_content ***@***.***>
Cc: Steven Dick ***@***.***>, Mention ***@***.***>
Subject: Re: [splunk/security_content] Nterl0k [T1098] - O365 Azure Workload things (PR #2999)
Hey @nterl0k<https://github.com/nterl0k> ! Long time no talk! Sorry for letting this sit as long as it did. We're working through the backlog now with a bit more focus and ease now that primary development has shifted back here.
Summary for the commit I added:
1. Build was failing due to some formatting in the search: bit for 6 detections. The second line of these all used ' single quotes around fields which appeared to close the initial quote around the full search. The solution here was adding the > bracket to force the folded style of multiline string, and then indenting each of those blocks.
2. Once those were finished, validate was able to run the actual validation checks against the rest of the fields. This raised a series of errors related to the tags.asset_type field, which we've adjusted from Office 365 to match the expected value of O365 Tenant.
As I'm writing this, unit testing is still running but the build steps have all passed! Hoping to get this merged for our next release!
Cheers!
—
Reply to this email directly, view it on GitHub<#2999 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7QYDAESG3652KD4HMTZOAK57AVCNFSM6AAAAABGFWQ2TKVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDENBYHEYTMOBWGA>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
Alright, testing now passes entirely for these. Before we merge, I think we just need to tweak the lookup definition & lookup filename so that on updates of the app to the version that include this, the new lookup is put in place. Other than that, we should be set to merge. Thank you @nterl0k ! |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks again @nterl0k for this awesome contribution!
Happy to contribute... I've got more on the way, spare time has been lacking lately on my end too.
…________________________________
From: Lou Stella ***@***.***>
Sent: Thursday, July 25, 2024 10:42 AM
To: splunk/security_content ***@***.***>
Cc: Steven Dick ***@***.***>; Mention ***@***.***>
Subject: Re: [splunk/security_content] Nterl0k [T1098] - O365 Azure Workload things (PR #2999)
@ljstella approved this pull request.
[:shipit:]
Thanks again @nterl0k<https://github.com/nterl0k> for this awesome contribution!
—
Reply to this email directly, view it on GitHub<#2999 (review)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/AJIYP7S7WDLBYWXSUUTEPBTZOEFGFAVCNFSM6AAAAABGFWQ2TKVHI2DSMVQWIX3LMV43YUDVNRWFEZLROVSXG5CSMV3GSZLXHMZDCOJZGUYTQOJVGQ>.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Details
This PR includes a number of detections written for the O365 Azure Active Directory workload from the universal audit log (o365 management activity). A few of the detections are 1:1 duplicates of existing ESCU content or expands coverage, only adapted for a slightly easier to access data source. Other detections are focused on monitoring sensitive changes to a number of Azure external access settings.
These detections also extract either the User Principal or Service Principal from the Actor field. Recommend profile your azure environments to populate this data into Assets and Identities.
This PR also includes a number of changes to the "lookups/privileged_azure_ad_roles" lookup and lookup definition, mainly for the purpose of including more known privileged Azure groups relevant in 2024, none of the previous groups were removed.
An additional column has been added to also include the "Template ID" for all groups, which is an immutable GUID used by MS. This GUI should allow for more accurate detections if/when Microsoft changes the string values of well-known objects. (https://learn.microsoft.com/en-us/azure/active-directory/roles/permissions-reference)
Changes to lookup should be backward compatible with existing content.
pending data PR splunk/attack_data#891
Checklist
<platform>_<mitre att&ck technique>_<short description>
nomenclature