Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Azure Active Directory Hybrid Health AD FS Service Delete

Back
Id86a036b2-3686-42eb-b417-909fc0867771
RulenameAzure Active Directory Hybrid Health AD FS Service Delete
DescriptionThis detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.

A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.

The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.

More information in this blog https://o365blog.com/post/hybridhealthagent/
SeverityMedium
TacticsDefenseEvasion
TechniquesT1578.003
Required data connectorsAzureActivity
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml
Version2.0.0
Arm template86a036b2-3686-42eb-b417-909fc0867771.json
Deploy To Azure
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
  'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
  A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
  The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
  More information in this blog https://o365blog.com/post/hybridhealthagent/'  
status: Available
relevantTechniques:
- T1578.003
name: Azure Active Directory Hybrid Health AD FS Service Delete
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml
severity: Medium
triggerThreshold: 0
version: 2.0.0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- SimuLand
id: 86a036b2-3686-42eb-b417-909fc0867771
requiredDataConnectors:
- connectorId: AzureActivity
  dataTypes:
  - AzureActivity
kind: Scheduled
query: |
  AzureActivity
  | where CategoryValue == 'Administrative'
  | where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
  | where _ResourceId contains 'AdFederationService'
  | where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
  | extend claimsJson = parse_json(Claims)
  | extend AppId = tostring(claimsJson.appid)
  | extend AccountName = tostring(claimsJson.name)
  | project-away claimsJson
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress  
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86a036b2-3686-42eb-b417-909fc0867771')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86a036b2-3686-42eb-b417-909fc0867771')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Azure Active Directory Hybrid Health AD FS Service Delete",
        "description": "'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1578.003"
        ],
        "alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml",
        "status": "Available",
        "tags": [
          "SimuLand"
        ],
        "templateVersion": "2.0.0"
      }
    }
  ]
}