Techniques
Sample rules
Azure Subscription Permission Elevation Via ActivityLogs
- source: sigma
- techniques:
  - t1078
  - t1078.004
Description
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn’t planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Detection logic
condition: selection
selection:
  operationName: MICROSOFT.AUTHORIZATION/ELEVATEACCESS/ACTION
Azure AD Only Single Factor Authentication Required
- source: sigma
- techniques:
  - t1078
  - t1078.004
  - t1556
  - t1556.006
Description
Detect when users are authenticating without MFA being required.
Detection logic
condition: selection
selection:
  AuthenticationRequirement: singleFactorAuthentication
  Status: Success
Authentications To Important Apps Using Single Factor Authentication
- source: sigma
- techniques:
  - t1078
Description
Detect when authentications to important application(s) only required single-factor authentication.
Detection logic
condition: selection
selection:
  AppId: <Insert Application ID, use OR for multiple>
  AuthenticationRequirement: singleFactorAuthentication
  Status: Success
Successful Authentications From Countries You Do Not Operate Out Of
- source: sigma
- techniques:
  - t1078
  - t1078.004
  - t1110
Description
Detect successful authentications from countries you do not operate out of.
Detection logic
condition: selection and not filter
filter:
  Location|contains: <Countries you DO operate out of, e.g. GB, use OR for multiple>
selection:
  Status: Success
Users Authenticating To Other Azure AD Tenants
- source: sigma
- techniques:
  - t1078
  - t1078.004
Description
Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.
Detection logic
condition: selection and not filter
filter:
  ResourceTenantId|contains: HomeTenantID
selection:
  HomeTenantId: HomeTenantID
  Status: Success
Failed Authentications From Countries You Do Not Operate Out Of
- source: sigma
- techniques:
  - t1078
  - t1078.004
  - t1110
Description
Detect failed authentications from countries you do not operate out of.
Detection logic
condition: not selection and not selection1
selection:
  Status: Success
selection1:
  Location|contains: <Countries you DO operate out of, e.g. GB, use OR for multiple>
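The two location rules above (successful and failed authentications from countries you do not operate out of) share the same selection-and-filter shape. The evaluator below is an added example, not part of this page's rules or of the Sigma project; it implements only the selector and condition features these rules use, fills the country placeholder in for a constructed organisation operating from GB and IE, and runs the rules over constructed sign-in events.

```python
"""Added example: minimal evaluator for the Sigma-style detections on this page.
Supports exact-match and |contains selectors (a list value means OR) and conditions
of selection names joined by 'and'/'or'/'not'. Not the Sigma reference engine."""
def _match_selector(event, key, expected):
    field, _, modifier = key.partition("|")
    value = str(event.get(field, ""))  # a missing field behaves as an empty string
    wanted = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(str(w).lower() in value.lower() for w in wanted)
    return any(value.lower() == str(w).lower() for w in wanted)

def _match_selection(event, selection):
    # All field selectors inside one named selection must match (implicit AND).
    return all(_match_selector(event, k, v) for k, v in selection.items())

def evaluate(rule, event):
    """Evaluate one event; this page's conditions only use 'and', applied left to right."""
    names = {k: _match_selection(event, v) for k, v in rule.items() if k != "condition"}
    result, op, negate = None, "and", False
    for tok in rule["condition"].split():
        if tok in ("and", "or"):
            op = tok
        elif tok == "not":
            negate = True
        else:
            term = names[tok] != negate  # apply a pending 'not'
            negate = False
            result = term if result is None else (
                (result and term) if op == "and" else (result or term))
    return bool(result)

# Page placeholder filled in for a constructed organisation operating from GB and IE.
OPERATING_COUNTRIES = ["GB", "IE"]
SUCCESS_FROM_ABROAD = {"condition": "selection and not filter",
                       "selection": {"Status": "Success"},
                       "filter": {"Location|contains": OPERATING_COUNTRIES}}
FAILED_FROM_ABROAD = {"condition": "not selection and not selection1",
                      "selection": {"Status": "Success"},
                      "selection1": {"Location|contains": OPERATING_COUNTRIES}}
# Constructed sign-in events in the field shape the rules expect (not real log data).
EVENTS = [
    {"UserPrincipalName": "alice@example.test", "Status": "Success", "Location": "GB"},
    {"UserPrincipalName": "bob@example.test", "Status": "Success", "Location": "BR"},
    {"UserPrincipalName": "carol@example.test", "Status": "Failure", "Location": "RU"},
    {"UserPrincipalName": "eve@example.test", "Status": "Failure"},  # Location missing
]
def run(rule, events=EVENTS):
    """UPNs of the events that trigger the rule."""
    return [e["UserPrincipalName"] for e in events if evaluate(rule, e)]
```

Note the last event: a failed sign-in with no Location field at all still fires the failed-authentication rule, because `not selection1` is true whenever the field is absent, so a missing or unenriched location field inflates the alert volume rather than suppressing it.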
User State Changed From Guest To Member
- source: sigma
- techniques:
  - t1078
  - t1078.004
Description
Detects the change of user type from “Guest” to “Member” for potential elevation of privilege.
Detection logic
condition: selection
selection:
  Category: UserManagement
  OperationName: Update user
  properties.message: '"displayName":"UserType","oldValue":"[\"Guest\"]","newValue":"[\"Member\"]"'
Azure Subscription Permission Elevation Via AuditLogs
- source: sigma
- techniques:
  - t1078
Description
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn’t planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Detection logic
condition: selection
selection:
  Category: Administrative
  OperationName: Assigns the caller to user access admin
Guest Users Invited To Tenant By Non Approved Inviters
- source: sigma
- techniques:
  - t1078
Description
Detects guest users being invited to the tenant by non-approved inviters.
Detection logic
condition: selection and not filter
filter:
  InitiatedBy|contains: <approved guest inviter, use OR for multiple>
selection:
  Category: UserManagement
  OperationName: Invite external user