Techniques
Sample rules
Azure AD Privileged Graph API Permission Assigned
- source: splunk
- technicques:
- T1003.002
Description
This Splunk analytic flags the assignment of three high-risk Graph API permissions in Azure AD, Application.ReadWrite.All (1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions enable broad control over Azure AD, including application and directory settings. Utilizing azure_monitor_aad data, the query scans AuditLogs for ‘Update application’ operations, identifying when these permissions are assigned. It collects data on user, object, and user agent. Immediate attention is needed upon detection, as misuse of these permissions can lead to unauthorized Azure AD modifications and potential security breaches.
Detection logic
`azure_monitor_aad` category=AuditLogs operationName="Update application"
| eval newvalue = mvindex('properties.targetResources{}.modifiedProperties{}.newValue',0)
| spath input=newvalue
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, operationName
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_ad_privileged_graph_api_permission_assigned_filter`
O365 Privileged Graph API Permission Assigned
- source: splunk
- technicques:
- T1003.002
Description
This Splunk analytic detects the assignment of critical Graph API permissions in Azure AD using O365 Unified Audit Log as its data source. It focuses on three permissions, Application.ReadWrite.All (Entitlement ID 1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9), AppRoleAssignment.ReadWrite.All (06b708a9-e830-4db3-a914-8e69da51d44f), and RoleManagement.ReadWrite.Directory (9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8). These permissions, crucial for controlling Azure AD settings, pose a high risk if misused. The query monitors Azure Active Directory workload events in the Office 365 Management Activity, specifically ‘Update application’ operations. It extracts and analyzes data to spot when these permissions are granted, gathering details about the user, object, and user agent involved. Due to the significant control these permissions provide, immediate investigation is crucial upon detection to prevent unauthorized modifications.
Detection logic
`o365_management_activity` Workload=AzureActiveDirectory Operation="Update application."
| eval newvalue = mvindex('ModifiedProperties{}.NewValue',0)
| spath input=newvalue
| search "{}.RequiredAppPermissions{}.EntitlementId"="1bfefb4e-e0b5-418b-a88f-73c46d2cc8e9" OR "{}.RequiredAppPermissions{}.EntitlementId"="06b708a9-e830-4db3-a914-8e69da51d44f" OR "{}.RequiredAppPermissions{}.EntitlementId"="9e3f62cf-ca93-4989-b6ce-bf83c28f9fe8"
| eval Permissions = '{}.RequiredAppPermissions{}.EntitlementId'
| stats count earliest(_time) as firstTime latest(_time) as lastTime values(Permissions) by user, object, user_agent, Operation
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `o365_privileged_graph_api_permission_assigned_filter`