This content release contains rules mostly pertaining to Microsoft Azure OAUTH Application Registration, NSG, and Key Vault services. Pertinent to CVE-2023-38545 and CVE-2023-38546, this release also includes a new rule (FIRST-S00040 described below) to aid in detecting unusual cURL tool usage by a user as it may pertain to exploitation of these vulnerabilities.
Rules​
- [New] MATCH-S00891 Azure OAUTH Application Consent from User
- A user has consented to application permissions.
- [New] CHAIN-S00017 Change of Azure MFA Method followed by Risky SignIn
- This alert looks for an Azure MFA authentication method change, followed by a risky sign in detected by Azure within a six hour time period for the same user account.
- [New] FIRST-S00044 First Seen AppID Generating
MailIItemsAccessed Eventfrom User- This alert looks at a first seen application ID accessing an Office 365/Exchange mail box item. The
MailItemsAccessedmay not always be enabled within an Entra/Azure/Office 365 tenant and is dependent on Microsoft licensing requirements. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
- This alert looks at a first seen application ID accessing an Office 365/Exchange mail box item. The
- [New] FIRST-S00046 First Seen Client Generating
MailIItemsAccessedEvent from User- This alert looks at a First Seen client accessing an Office 365/Exchange mail box item. The
MailItemsAccessedmay not always be enabled within an Entra/Azure/Office 365 tenant and is dependent on Microsoft licensing requirements. See the following guide from CISA for additional information on this event type and investigation steps: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-193a.
- This alert looks at a First Seen client accessing an Office 365/Exchange mail box item. The
- [New] FIRST-S00040 First Seen cURL execution from User
- First Seen execution of cURL by a user from a device. The cURL tool is designed to retrieve files using various internet protocols in a programmatic manner; it is often abused by threat actors to download various files as part of broader executions. If this usage of cURL comes from an unexpected user, it is recommended that the command line value be reviewed and the URL which was used as part of cURL command be investigated.
- [New] MATCH-S00888 Microsoft Teams External Access Enabled
- Microsoft Teams External Access has been enabled; this setting allows any users that are external to your Teams/Office organization to message users that are within your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. Microsoft Teams provides administrators the ability to allow only specific external domains to message users within the organization. Look for Office 365 events with the
MessageSentorMemberAddedevent names in order to gain more detail as to what users were invited to which Teams channels, if any.
- Microsoft Teams External Access has been enabled; this setting allows any users that are external to your Teams/Office organization to message users that are within your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. Microsoft Teams provides administrators the ability to allow only specific external domains to message users within the organization. Look for Office 365 events with the
- [New] MATCH-S00889 Microsoft Teams Guest Access Enabled
- Microsoft Teams Guest Access has been enabled globally; this setting allows any users that are external to your Teams/Office organization to be invited into your Teams/Office organization. If this setting change is unplanned or unexpected it is recommended that this activity be reviewed. MIcrosoft Teams provides administrators the ability to allow only specific guest actions to take place within the Teams/Office organization.
- [New] MATCH-S00890 Owner Added to Azure Service Principal
- An owner was added to an Azure service principal. Threat actors may add owners to Azure service principals for privilege escalation or persistence avenues. Ensure this action is expected and approved.
- [New] MATCH-S00893 Secret Added to Azure Service Principal
- Secrets can be added to Azure Service Principals as a persistence mechanism. The
properties.targetResources.1.modifiedProperties.1.newValuefield will have details regarding the secret or certificate added.
- Secrets can be added to Azure Service Principals as a persistence mechanism. The
- [New] MATCH-S00892 Value Added to Azure NSG Group
- This alert looks for a value being added to an Azure Network Security Group (NSG) successfully. Depending on the environment, other Azure services such as Azure Firewall may provide egress and ingress controls. Ensure this activity is authorized and expected. The raw data for the event contains the exact values being modified.