Id: 5f0d80db-3415-4265-9d52-8466b7372e3a
Rulename: Azure DevOps PAT used with Browser
Description: Personal Access Tokens (PATs) are used as an alternate password to authenticate into Azure DevOps. PATs are intended for programmatic access from code or applications, and they are prone to theft by an attacker if not adequately secured. This query looks for the use of a PAT in authentication from a User Agent indicating a browser. This should not be normal activity and could be an indicator of an attacker using a stolen PAT.

Id: 0820da12-e895-417f-9175-7c256fcfb33e
Rulename: Dataverse - Anomalous application user activity
Description: Identifies anomalies in the activity patterns of Dataverse application (non-interactive) users, based on activity falling outside the normal pattern of use.
Severity: Medium
Tactics: CredentialAccess, Execution, Persistence
Techniques: T1528, T1569, T0871, T0834, T0859
Required data connectors: Dataverse
Kind: Scheduled
Query frequency: 5h
Query period: 14d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/Dataverse - Anomalous application user activity.

Id: 433c3b0a-7278-4d74-b137-963ac6f9a7e7
Rulename: Expired access credentials being used in Azure
Description: This query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired-credential access occurred with the IP addresses of successful logins. If there are logins with expired credentials but no successful logins from an IP, this might indicate that an attacker has copied the authentication cookie and is re-using it on another machine.

Id: 813ccf3b-0321-4622-b0bc-63518fd14454
Rulename: Identify instances where a single source is observed using multiple user agents (ASIM Web Session)
Description: This detection identifies requests originating from a single source within a brief time period that exhibit multiple user agents. Such behavior could indicate unusual web browsing activity performed by unconventional processes.
Severity: Medium
Tactics: InitialAccess, CredentialAccess
Techniques: T1190, T1133, T1528
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.

Id: d9938c3b-16f9-444d-bc22-ea9a9110e0fd
Rulename: Microsoft Entra ID Hybrid Health AD FS Suspicious Application
Description: This detection uses AzureActivity logs (Administrative category) to identify a suspicious application adding a server instance to a Microsoft Entra ID Hybrid Health AD FS service or deleting the AD FS service instance. Usually the Microsoft Entra ID Connect Health Agent application, with ID cf6d7e68-f018-4e0a-a7b3-126e053fb88d or ID cb1056e2-e479-49de-ae31-7812af012ed8, is used to perform those operations.
Severity: Medium
Tactics: CredentialAccess

Id: 3533f74c-9207-4047-96e2-0eb9383be587
Rulename: Suspicious application consent for offline access
Description: This will alert when a user consents to provide a previously-unknown Azure application with offline access via OAuth. Offline access provides the Azure App with access to the listed resources without requiring two-factor authentication. Consent to applications with offline access and read capabilities should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!

Id: f948a32f-226c-4116-bddd-d95e91d97eb9
Rulename: Suspicious application consent similar to O365 Attack Toolkit
Description: This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the MDSec O365 Attack Toolkit (https://github.com/mdsecactivebreach/o365-attack-toolkit). The default permissions/scope for the MDSec O365 Attack Toolkit change sometimes but often include contacts.read, user.read, mail.read, notes.read.all, mailboxsettings.readwrite, files.readwrite.all, mail.send, files.read, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded.

Id: 39198934-62a0-4781-8416-a81265c03fd6
Rulename: Suspicious application consent similar to PwnAuth
Description: This will alert when a user consents to provide a previously-unknown Azure application with the same OAuth permissions used by the FireEye PwnAuth toolkit (https://github.com/fireeye/PwnAuth). The default permissions/scope for the PwnAuth toolkit are user.read, offline_access, mail.readwrite, mail.send, and files.read.all. Consent to applications with these permissions should be rare, especially as the knownApplications list is expanded. Public contributions to expand this filter are welcome!

Id: 3a3c6835-0086-40ca-b033-a93bf26d878f
Rulename: Suspicious Entra ID Joined Device Update
Description: This query looks for suspicious updates to a Microsoft Entra ID joined device where the device name is changed and the device falls out of compliance. This could occur when a threat actor updates the details of an Autopilot-provisioned device using a stolen device ticket, in order to access certificates and keys.
Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
Severity: Medium
Tactics: CredentialAccess
Techniques: T1528
Required data connectors: AzureActiveDirectory
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.