Add Azure AD Entra ID identity attack detections (3 analytics)#4091
Open
descambiado wants to merge 3 commits into
Detects TAP creation for Azure AD users via AuditLogs. TAPs bypass all authentication requirements including MFA and FIDO2. Covers T1556.006 and T1078.004.
Detects UserType property changes from Guest to Member in Azure AD via Update user AuditLogs. Uses mvfind/mvindex to filter modifiedProperties. Covers T1098.
Detects federated credential additions to service principals via Update service principal AuditLogs. Workload identity federation enables secretless external OIDC authentication as the SP. Covers T1098.001.
Details
Three new TTP analytics covering Azure AD / Entra ID identity attack techniques that are not currently in the repository.
- `azure_ad_temporary_access_pass_created.yml`: Detects creation of a Temporary Access Pass for an Azure AD user via the `Create Temporary Access Pass method for user` AuditLog operation. TAPs are time-limited passcodes that bypass MFA and FIDO2 — an attacker who gains admin access and creates a TAP for a target account can authenticate without any second factor. Covers T1556.006, T1078.004. Risk score 70 on targetUser.
- `azure_ad_guest_user_type_changed_to_member.yml`: Detects when a guest account's UserType property is changed to Member via `Update user`. Uses `mvfind`/`mvindex` to filter on the `UserType` modifiedProperty, consistent with the pattern used in `azure_ad_block_user_consent_for_risky_apps_disabled`. Removing guest restrictions gives a compromised external identity broader access to tenant resources. Covers T1098.
- `azure_ad_federated_identity_credential_added_to_sp.yml`: Detects federated identity credential additions to service principals via `Update service principal` where `FederatedIdentityCredentials` appears in modifiedProperties. Workload identity federation allows external OIDC workloads (GitHub Actions, Kubernetes) to authenticate as the SP without a secret — an attacker who adds a federated credential pointing to a controlled OIDC issuer gains a persistent secretless authentication path invisible to standard credential monitoring. Covers T1098.001.

Checklist

- `<platform>_<mitre att&ck technique>_<short description>` nomenclature (azure_ad prefix, descriptive name consistent with existing detections)

Notes For Submitters and Reviewers
- CLA: I have not yet signed the Splunk individual contributors agreement. I will complete this at https://www.splunk.com/goto/individualcontributions before this PR is reviewed.
- Attack data: Test data files for these three techniques do not yet exist in splunk/attack_data. The `tests.attack_data` URLs follow the established naming pattern but point to datasets that need to be contributed separately. Happy to contribute the attack data in a follow-up PR to splunk/attack_data once the detection logic is reviewed and approved.
- SPL pattern: The `azure_ad_guest_user_type_changed_to_member` and `azure_ad_federated_identity_credential_added_to_sp` analytics use the `mvfind`/`mvindex` pattern for `modifiedProperties` array filtering, consistent with `azure_ad_block_user_consent_for_risky_apps_disabled`.
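The `mvfind`/`mvindex` filtering the notes describe, recreated in Python as an added example rather than the PR's SPL or Splunk's code: it locates the `UserType` entry in the flattened `modifiedProperties` list and reads the old/new value at that index, over constructed `Update user` audit records. Field names follow the Entra directoryAudit schema; the exact event shape and the `initiatedBy` layout are assumptions.

```python
import json

# Constructed Entra ID "Update user" audit records (not real tenant data), shaped
# like properties.targetResources[].modifiedProperties[] as Splunk ingests them.
SAMPLE_EVENTS = [
    {"operationName": "Update user",
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
                    "targetResources": [{"userPrincipalName": "bob_partner.example#EXT#@example.onmicrosoft.com",
                                         "modifiedProperties": [
                                             {"displayName": "Included Updated Properties", "oldValue": None, "newValue": "\"UserType\""},
                                             {"displayName": "UserType", "oldValue": "\"Guest\"", "newValue": "\"Member\""}]}]}},
    {"operationName": "Update user",  # unrelated attribute change: must not fire
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
                    "targetResources": [{"userPrincipalName": "alice@example.onmicrosoft.com",
                                         "modifiedProperties": [
                                             {"displayName": "DisplayName", "oldValue": "\"Alice\"", "newValue": "\"Alice S\""}]}]}},
    {"operationName": "Update user",  # demotion Member -> Guest: not the pattern being hunted
     "properties": {"initiatedBy": {"user": {"userPrincipalName": "admin@example.onmicrosoft.com"}},
                    "targetResources": [{"userPrincipalName": "carol@example.onmicrosoft.com",
                                         "modifiedProperties": [
                                             {"displayName": "UserType", "oldValue": "\"Member\"", "newValue": "\"Guest\""}]}]}},
]

def _unquote(value):
    # Entra stores oldValue/newValue as JSON-encoded strings, so "Member" arrives as "\"Member\"".
    if value is None:
        return None
    try:
        return json.loads(value)
    except ValueError:
        return value

def find_guest_to_member(event):
    """Return a hit dict for a Guest -> Member UserType change, else None."""
    if event.get("operationName") != "Update user":
        return None
    props = event.get("properties", {})
    # Flatten across targetResources, as targetResources{}.modifiedProperties{}.displayName does in SPL.
    mods = [m for r in props.get("targetResources", []) for m in r.get("modifiedProperties", [])]
    names = [m.get("displayName") for m in mods]
    idx = names.index("UserType") if "UserType" in names else -1      # mvfind(...) >= 0 check
    if idx < 0:
        return None
    old = _unquote(mods[idx].get("oldValue"))                         # mvindex(oldValue, idx)
    new = _unquote(mods[idx].get("newValue"))                         # mvindex(newValue, idx)
    if old != "Guest" or new != "Member":
        return None
    actor = props.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "unknown")
    target = props["targetResources"][0].get("userPrincipalName", "unknown")
    return {"actor": actor, "target": target, "oldValue": old, "newValue": new}

def detect(events):
    """Run the check over a batch of audit records and return the hits."""
    return [hit for hit in map(find_guest_to_member, events) if hit]
```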