Azure Active Directory Hybrid Health AD FS Service Delete
| Id | 86a036b2-3686-42eb-b417-909fc0867771 |
| Rulename | Azure Active Directory Hybrid Health AD FS Service Delete |
| Description | This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure. More information in this blog https://o365blog.com/post/hybridhealthagent/ |
| Severity | Medium |
| Tactics | DefenseEvasion |
| Techniques | T1578.003 |
| Required data connectors | AzureActivity |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml |
| Version | 2.0.0 |
| Arm template | 86a036b2-3686-42eb-b417-909fc0867771.json |
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.
A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.
The health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.
More information in this blog https://o365blog.com/post/hybridhealthagent/'
status: Available
relevantTechniques:
- T1578.003
name: Azure Active Directory Hybrid Health AD FS Service Delete
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml
severity: Medium
triggerThreshold: 0
version: 2.0.0
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
tags:
- SimuLand
id: 86a036b2-3686-42eb-b417-909fc0867771
requiredDataConnectors:
- connectorId: AzureActivity
dataTypes:
- AzureActivity
kind: Scheduled
query: |
AzureActivity
| where CategoryValue == 'Administrative'
| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'
| where _ResourceId contains 'AdFederationService'
| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'
| extend claimsJson = parse_json(Claims)
| extend AppId = tostring(claimsJson.appid)
| extend AccountName = tostring(claimsJson.name)
| project-away claimsJson
| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/86a036b2-3686-42eb-b417-909fc0867771')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/86a036b2-3686-42eb-b417-909fc0867771')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Azure Active Directory Hybrid Health AD FS Service Delete",
"description": "'This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Azure AD Hybrid health AD FS service instance in a tenant.\nA threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs.\nThe health AD FS service can then be deleted after it is not longer needed via HTTP requests to Azure.\nMore information in this blog https://o365blog.com/post/hybridhealthagent/'\n",
"severity": "Medium",
"enabled": true,
"query": "AzureActivity\n| where CategoryValue == 'Administrative'\n| where ResourceProviderValue =~ 'Microsoft.ADHybridHealthService'\n| where _ResourceId contains 'AdFederationService'\n| where OperationNameValue =~ 'Microsoft.ADHybridHealthService/services/delete'\n| extend claimsJson = parse_json(Claims)\n| extend AppId = tostring(claimsJson.appid)\n| extend AccountName = tostring(claimsJson.name)\n| project-away claimsJson\n| extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1578.003"
],
"alertRuleTemplateName": "86a036b2-3686-42eb-b417-909fc0867771",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Activity/Analytic Rules/AADHybridHealthADFSServiceDelete.yaml",
"status": "Available",
"tags": [
"SimuLand"
],
"templateVersion": "2.0.0"
}
}
]
}