forked from splunk/security_content
azure_active_directory_persistence.yml
name: Azure Active Directory Persistence
id: dca983db-6334-4a0d-be32-80611ca1396c
version: 1
date: '2022-08-17'
author: Mauricio Velazco, Splunk
description: Monitor for activities and techniques associated with Persistence techniques
  executed against Azure Active Directory tenants.
narrative: 'Azure Active Directory (Azure AD) is the enterprise cloud-based identity and access management (IAM) service from Microsoft. Azure AD is the backbone of most Azure
services and of Office 365. It can synchronize with on-premises Active Directory environments and provides authentication and authorization to other cloud-based systems via standard protocols such as OAuth 2.0, OpenID Connect and SAML.
According to Microsoft, Azure AD manages more than 1.2 billion identities and processes over 8 billion authentications per day.
Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.
In Azure AD this typically means creating or modifying identities, credentials, role assignments, registered devices or application consents so that access survives remediation of the initial foothold.
This analytic story groups detections that can help security operations teams identify the potential execution of Persistence techniques targeting Azure Active Directory tenants.
'
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-whatis
- https://azure.microsoft.com/en-us/services/active-directory/#overview
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/active-directory-compare-azure-ad-to-ad
- https://attack.mitre.org/tactics/TA0003/
- https://microsoft.github.io/Azure-Threat-Research-Matrix/Persistence/Persistence/
tags:
category:
- Cloud Security
product:
- Splunk Enterprise
- Splunk Enterprise Security
- Splunk Cloud
usecase: Advanced Threat Detection
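The narrative above says only that the story groups detections for Persistence against an Azure AD tenant; it does not show what such a detection looks like on the wire. The Python below is an added worked example, not code from this analytic story, from splunk/security_content or from Microsoft. It assumes the Azure Monitor `AuditLogs` export shape (`operationName`, `category`, `result`, `initiatedBy`, `targetResources`) as newline-delimited JSON, the sample events are constructed, and the map from `operationName` to ATT&CK technique (`PERSISTENCE_OPS`) is an illustrative assumption rather than an official mapping. The `parse_events`, `actor_of`, `detect_persistence` and `count_by_actor` helper names are likewise this example's own.

```python
"""Triage of Azure AD audit-log events for Persistence-style operations.

Added example; not code from splunk/security_content or Microsoft. It assumes
the Azure Monitor "AuditLogs" export shape (operationName, category, result,
initiatedBy, targetResources). The sample events are constructed, and the
operationName-to-ATT&CK map is an illustrative assumption, not an official one.
"""
import json
from collections import Counter

# Assumed mapping of audit operationName values to ATT&CK Persistence (TA0003)
# techniques. Illustrative only; tune it to the tenant and the ATT&CK version in use.
PERSISTENCE_OPS = {
    "Add service principal credentials": "T1098.001 Additional Cloud Credentials",
    "Update application - Certificates and secrets management": "T1098.001 Additional Cloud Credentials",
    "Add member to role": "T1098.003 Additional Cloud Roles",
    "Add user": "T1136.003 Create Account: Cloud Account",
    "User registered security info": "T1098.005 Device Registration (new MFA method)",
    "Add device": "T1098.005 Device Registration",
    "Consent to application": "T1098 Account Manipulation (application consent)",
}

# Constructed sample export (newline-delimited JSON); not real tenant data.
SAMPLE_AUDIT_LOG = "\n".join(json.dumps(e) for e in [
    {"time": "2022-08-17T10:01:02Z", "operationName": "Add service principal credentials",
     "category": "ApplicationManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "billing-sync-app", "type": "ServicePrincipal"}]},
    {"time": "2022-08-17T10:03:40Z", "operationName": "Add member to role",
     "category": "RoleManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
     "targetResources": [{"displayName": "bob@contoso.example", "type": "User"}]},
    {"time": "2022-08-17T10:05:11Z", "operationName": "Update user",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "helpdesk@contoso.example"}},
     "targetResources": [{"displayName": "dave@contoso.example", "type": "User"}]},
    {"time": "2022-08-17T10:07:59Z", "operationName": "Add service principal credentials",
     "category": "ApplicationManagement", "result": "failure",
     "initiatedBy": {"user": {"userPrincipalName": "eve@contoso.example"}},
     "targetResources": [{"displayName": "hr-portal", "type": "ServicePrincipal"}]},
    {"time": "2022-08-17T10:12:30Z", "operationName": "User registered security info",
     "category": "UserManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"displayName": "bob@contoso.example", "type": "User"}]},
    {"time": "2022-08-17T10:15:05Z", "operationName": "Consent to application",
     "category": "ApplicationManagement", "result": "success",
     "initiatedBy": {"user": {"userPrincipalName": "carol@contoso.example"}},
     "targetResources": [{"displayName": "mail-reader", "type": "ServicePrincipal"}]},
])


def parse_events(raw):
    """Parse newline-delimited JSON as a SIEM would receive it from Azure Monitor."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def actor_of(event):
    """Audit events are initiated either by a user or by an app (service principal)."""
    initiated = event.get("initiatedBy", {})
    if "user" in initiated:
        return initiated["user"].get("userPrincipalName", "unknown-user")
    if "app" in initiated:
        return initiated["app"].get("displayName", "unknown-app")
    return "unknown"


def detect_persistence(events):
    """Return one alert per successful operation that is in the Persistence map.

    Failed attempts are deliberately not alerted here (they are still worth
    keeping in the audit trail); only a completed change creates persistence.
    """
    alerts = []
    for ev in events:
        technique = PERSISTENCE_OPS.get(ev.get("operationName"))
        if technique is None or ev.get("result") != "success":
            continue
        targets = [t.get("displayName", "?") for t in ev.get("targetResources", [])]
        alerts.append({
            "time": ev.get("time"),
            "actor": actor_of(ev),
            "operation": ev["operationName"],
            "technique": technique,
            "targets": targets,
        })
    return alerts


def count_by_actor(alerts):
    """Pivot for triage: which principals performed the most persistence-like changes."""
    return Counter(a["actor"] for a in alerts)


if __name__ == "__main__":
    found = detect_persistence(parse_events(SAMPLE_AUDIT_LOG))
    for a in found:
        print(f'{a["time"]} {a["actor"]:<26} {a["operation"]:<40} -> {a["technique"]} {a["targets"]}')
    print(count_by_actor(found))
```

Run against the constructed sample, four of the six events are flagged: the credential added to a service principal, the role assignment, the self-registered security info and the application consent; the routine "Update user" and the failed credential add are dropped. In a real tenant the same mapping becomes a lookup joined to the audit index, and the `count_by_actor` pivot is what an analyst would use to spot one principal quietly stacking several persistence mechanisms in a short window.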