Sample rules
TeamFiltration User-Agents Detected
- source: elastic
- techniques:
- T1069
- T1082
- T1087
- T1110
- T1201
- T1526
- T1580
- T1673
Description
Identifies potential enumeration or password spraying activity using the TeamFiltration tool. TeamFiltration is an open-source enumeration, password spraying and exfiltration tool designed for Entra ID and Microsoft 365. Adversaries are known to use TeamFiltration in the wild to enumerate users, groups, and roles, as well as to perform password spraying attacks against Microsoft Entra ID and Microsoft 365 accounts. This rule detects the use of TeamFiltration by monitoring Azure and Microsoft 365 logs for specific user-agent strings associated with the tool.
Detection logic
event.dataset:("azure.signinlogs" or "o365.audit")
and ((user_agent.name:"Electron" and user_agent.os.name:"Windows" and user_agent.version:"8.5.1") or
user_agent.original:"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Teams/1.3.00.30866 Chrome/80.0.3987.165 Electron/8.5.1 Safari/537.36")
BloodHound Suite User-Agents Detected
- source: elastic
- techniques:
- T1069
- T1082
- T1087
- T1201
- T1526
- T1580
- T1673
Description
Identifies potential enumeration activity using AzureHound, SharpHound, or BloodHound across Microsoft cloud services. These tools are often used by red teamers and adversaries to map users, groups, roles, applications, and access relationships within Microsoft Entra ID (Azure AD) and Microsoft 365.
Detection logic
any where event.dataset : (
"azure.activitylogs",
"azure.graphactivitylogs",
"azure.auditlogs",
"azure.signinlogs",
"o365.audit"
) and user_agent.original regex~ "(azure|sharp|blood)(hound)/.*"