Azure DevOps Agent Pool Created Then Deleted

Back Id acfdee3f-b794-404a-aeba-ef6a1fa08ad1 Rulename Azure DevOps Agent Pool Created Then Deleted Description As well as adding build agents to an existing pool to execute malicious activity within a pipeline, an attacker could create a complete new agent pool and use this for execution. Azure DevOps allows for the creation of agent pools with Azure hosted infrastructure or self-hosted infrastructure. Given the additional customizability of self-hosted agents this detection focuses on the creation of new self-hosted pools.

Read full post

Azure DevOps Build Variable Modified by New User

Back Id 3b9a44d7-c651-45ed-816c-eae583a6f2f1 Rulename Azure DevOps Build Variable Modified by New User Description Variables can be configured and used at any stage of the build process in Azure DevOps to inject values. An attacker with the required permissions could modify or add to these variables to conduct malicious activity such as changing paths or remote endpoints called during the build. As variables are often changed by users, just detecting these changes would have a high false positive rate.

Read full post

Azure DevOps Pipeline modified by a new user

Back Id 155e9134-d5ad-4a6f-88f3-99c220040b66 Rulename Azure DevOps Pipeline modified by a new user Description There are several potential pipeline steps that could be modified by an attacker to inject malicious code into the build cycle. A likely attacker path is the modification to an existing pipeline that they have access to. This detection looks for users modifying a pipeline when they have not previously been observed modifying or creating that pipeline before.

Read full post

Commvault Cloud Alert

Back Id 317e757e-c320-448e-8837-fc61a70fe609 Rulename Commvault Cloud Alert Description This query identifies Alerts from Commvault Cloud. Severity Medium Tactics DefenseEvasion Impact Techniques T1578 T1531 Required data connectors CommvaultSecurityIQ_CL Kind Scheduled Query frequency 5m Query period 5m Trigger threshold 0 Trigger operator gt Source Uri https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Commvault Security IQ/Analytic Rules/CommvaultSecurityIQ_Alert.yaml Version 1.0.3 Arm template 317e757e-c320-448e-8837-fc61a70fe609.json KQL CommvaultSecurityIQ_CL | where strlen( originating_client_s ) > 0 | take 1000 YAML queryPeriod: 5m status: Available severity: Medium customDetails: User: username_s Client: originating_client_s query: | CommvaultSecurityIQ_CL | where strlen( originating_client_s ) > 0 | take 1000 tags: - Commvault - Metallic - Threat Intelligence - Ransomware id: 317e757e-c320-448e-8837-fc61a70fe609 OriginalUri: https://github.

Read full post

Creation of expensive computes in Azure

Back Id 9736e5f1-7b6e-4bfb-a708-e53ff1d182c3 Rulename Creation of expensive computes in Azure Description Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions Severity Low Tactics DefenseEvasion Techniques T1578 Required data connectors AzureActivity Kind Scheduled Query frequency 1d Query period 1d Trigger threshold 1 Trigger operator gt Source Uri https://github.

Read full post

Microsoft Entra ID Hybrid Health AD FS New Server

Back Id 88f453ff-7b9e-45bb-8c12-4058ca5e44ee Rulename Microsoft Entra ID Hybrid Health AD FS New Server Description This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.

Read full post

Microsoft Entra ID Hybrid Health AD FS Service Delete

Back Id 86a036b2-3686-42eb-b417-909fc0867771 Rulename Microsoft Entra ID Hybrid Health AD FS Service Delete Description This detection uses AzureActivity logs (Administrative category) to identify the deletion of an Microsoft Entra ID Hybrid Health AD FS service instance in a tenant. A threat actor can create a new AD Health ADFS service and create a fake server to spoof AD FS signing logs. The health AD FS service can then be deleted after it is no longer needed via HTTP requests to Azure.

Read full post

NRT Creation of expensive computes in Azure

Back Id 56fe0db0-6779-46fa-b3c5-006082a53064 Rulename NRT Creation of expensive computes in Azure Description Identifies the creation of large size or expensive VMs (with GPUs or with a large number of virtual CPUs) in Azure. An adversary may create new or update existing virtual machines to evade defenses or use them for cryptomining purposes. For Windows/Linux Vm Sizes, see https://docs.microsoft.com/azure/virtual-machines/windows/sizes Azure VM Naming Conventions, see https://docs.microsoft.com/azure/virtual-machines/vm-naming-conventions Severity Medium Tactics DefenseEvasion Techniques T1578 Required data connectors AzureActivity Kind NRT Source Uri https://github.

Read full post

NRT Microsoft Entra ID Hybrid Health AD FS New Server

Back Id ec491363-5fe7-4eff-b68e-f42dcb76fcf6 Rulename NRT Microsoft Entra ID Hybrid Health AD FS New Server Description This detection uses AzureActivity logs (Administrative category) to identify the creation or update of a server instance in an Microsoft Entra ID Hybrid Health AD FS service. A threat actor can create a new AD Health ADFS service and create a fake server instance to spoof AD FS signing logs. There is no need to compromise an on-premises AD FS server.

Read full post