微软sentinel中fuison 关联分析检测多步攻击——场景非常细致，看来微软这块做得还是扎实的

From：https://docs.microsoft.com/en-us/azure/sentinel/fusion

Azure Sentinel中的高级多级攻击检测

05/05/2021
一些融合探测（见下文所述）目前正在预览中。
通过使用基于机器学习的融合技术，Azure Sentinel可以通过识别在杀伤链的各个阶段观察到的异常行为和可疑活动的组合来自动检测多级攻击。在这些发现的基础上，Azure Sentinel产生了一些原本很难捕捉到的事件。这些事件包括两个或多个警报或活动。根据设计，这些事件具有低容量、高保真度和高严重性。

此检测技术专为您的环境定制，不仅可以降低误报率，还可以检测信息有限或丢失的攻击。

高级多级攻击检测配置...

Fusion可以使用一组定时分析规则生成的警报来检测多阶段攻击。

在模板库中单击规则名称，然后在预览窗格中单击创建规则：==>我晕，就是关联规则嘛，整这么复杂！！！

Cisco-防火墙阻止但成功登录到Azure AD

Fortinet-检测到信标模式

多个Azure AD登录失败的IP成功登录到Palo Alto VPN

用户重置多个密码

新的管理帐户活动以前从未见过

罕见申请同意书

通过以前看不到的IP执行SharePointFileOperation

可疑资源部署

由于融合基于实体（如用户帐户或IP地址）关联警报，ML算法无法在没有实体信息的情况下执行警报匹配。

Fusion-ML算法使用MITRE-ATT&CK策略信息来检测多阶段攻击，并且您标记分析规则的策略将显示在结果事件中。如果传入警报缺少战术信息，则融合计算可能会受到影响。

根据需要调整警报阈值。Fusion根据计划分析规则发出的警报生成事件。如果要减少特定分析规则的融合事件数，请根据需要调整警报阈值。如果您不想接收任何基于特定分析规则的事件，也可以禁用该规则。

攻击检测场景

下一节列出了Azure Sentinel使用融合技术寻找的相关场景的类型，这些场景按威胁分类进行分组。

如上所述，由于Fusion将来自不同产品的多个安全警报关联起来以检测高级多级攻击，因此成功的Fusion检测将在Azure Sentinel事件页上显示为Fusion事件，而不是在日志的安全警报表中显示为警报。==》区分了关联规则事件，和单一事件！！！

为了启用这些融合攻击检测场景，必须使用相关的Azure Sentinel数据连接器接收列出的任何数据源。
计算资源滥用

可疑的Azure Active Directory登录后发生多个VM创建活动

斜接战术：初始进入，影响

MITRE ATT&CK技术：有效帐户（T1078），资源劫持（T1496）

数据连接器来源：Microsoft云应用安全、Azure Active Directory身份保护

描述：此类型的融合事件表示在一个会话中，在可疑登录到Azure AD帐户后创建了异常数量的虚拟机。此类型的警报高度可信地表示，Fusion事件描述中指出的帐户已被泄露，并用于创建新的虚拟机，用于未经授权的目的，例如运行加密挖掘操作。可疑Azure AD登录警报与多个VM创建活动警报的排列如下：

不可能到达一个非典型位置，导致多个VM创建活动

来自陌生位置的登录事件导致多个VM创建活动

来自受感染设备的登录事件导致多个VM创建活动

从导致多个VM创建活动的匿名IP地址登录事件

来自具有泄漏凭据的用户的登录事件导致多个VM创建活动

 

凭证访问

（新威胁分类）

新的！可疑登录后用户重置多个密码

此场景使用由计划分析规则生成的警报。

MITRE ATT&CK策略：初始访问、凭证访问

斜接攻击技术：有效帐户（T1078），暴力（T1110）

数据连接器源：Azure Sentinel（计划分析规则）、Azure Active Directory身份保护

描述：此类型的融合事件表示用户在可疑登录到Azure AD帐户后重置多个密码。这一证据表明，Fusion事件描述中提到的帐户已被泄露，用于执行多次密码重置，以便访问多个系统和资源。帐户操作（包括密码重置）可以帮助对手在环境中

保持对凭据和某些权限级别的访问。具有多个密码重置警报的可疑Azure AD登录警报排列如下：

不可能到达一个非典型位置导致多个密码重置

从陌生位置登录事件导致多个密码重置

来自受感染设备的登录事件导致多个密码重置

来自匿名IP的登录事件导致多个密码重置

来自具有泄漏凭据的用户的登录事件导致多个密码重置

新的！可疑的登录与通过IP成功登录Palo Alto VPN的同时出现多个失败的Azure AD登录

此场景使用由计划分析规则生成的警报。

MITRE ATT&CK策略：初始访问、凭证访问

斜接攻击技术：有效帐户（T1078），暴力（T1110）

数据连接器源：Azure Sentinel（计划分析规则）、Azure Active Directory身份保护

描述：此类型的融合事件表示，对Azure AD帐户的可疑登录与通过Palo Alto VPN从IP地址成功登录的同时，在类似的时间范围内，从该IP地址发生了多个失败的Azure AD登录。虽然没有多级攻击的证据，但这两个低保真度警报的关联会导致高保真度事件，表明恶意初始访问组织的网络。或者，这可能表示攻击者试图使用暴力技术访问Azure AD帐户。可疑的Azure AD登录警报与“IP with multiple failed Azure AD logins successfully login to Palo Alto VPN”警报的排列如下：

无法前往与IP重合的非典型位置，多次失败的Azure AD登录成功登录到Palo Alto VPN

来自与IP重合的陌生位置的登录事件，多次失败的Azure AD登录成功登录到Palo Alto VPN

来自与IP一致的受感染设备的登录事件，多次失败的Azure AD登录成功登录到Palo Alto VPN

来自匿名IP的登录事件与多个Azure AD登录失败的IP一致成功登录到Palo Alto VPN

来自用户的登录事件，泄漏的凭据与IP一致，多次失败的Azure AD登录成功登录到Palo Alto VPN

凭证获取

（新威胁分类）

可疑登录后执行恶意凭证盗窃工具

MITRE ATT&CK策略：初始访问、凭证访问

MITRE ATT&CK技术：有效帐户（T1078），操作系统凭证转储（T1003）

数据连接器源：Azure Active Directory身份保护、Microsoft Defender for Endpoint

描述：此类型的融合事件表示在可疑的Azure AD登录之后执行了已知的凭据盗窃工具。这一证据高度肯定地表明，警报描述中指出的用户帐户已被泄露，可能已成功使用类似Mimikatz的工具从系统中获取密钥、明文密码和/或密码哈希等凭据。获取的凭据可能允许攻击者访问敏感数据、提升权限和/或在网络上横向移动。可疑Azure AD登录警报与恶意凭据盗窃工具警报的排列如下：

无法移动到非典型位置导致恶意凭证盗窃工具执行

来自陌生位置的登录事件导致恶意凭据盗窃工具执行

来自受感染设备的登录事件导致恶意凭据盗窃工具执行

来自匿名IP地址的登录事件导致执行恶意凭据盗窃工具

来自具有泄漏凭据的用户的登录事件导致恶意凭据盗窃工具执行

可疑登录后的可疑凭证盗窃活动

MITRE ATT&CK策略：初始访问、凭证访问

MITRE ATT&CK技术：有效帐户（T1078）、来自密码存储的凭据（T1555）、OS凭据转储（T1003）

数据连接器源：Azure Active Directory身份保护、Microsoft Defender for Endpoint

描述：此类型的融合事件表示与凭据盗窃模式相关的活动发生在可疑的Azure AD登录之后。这一证据高度肯定地表明，警报描述中指出的用户帐户已被泄露，并用于窃取密钥、纯文本密码、密码哈希等凭据。窃取的凭据可能使攻击者能够访问敏感数据、提升权限和/或在网络上横向移动。可疑Azure AD登录警报与凭证盗窃活动警报的排列如下：

无法前往非典型地点导致可疑的证件盗窃活动

从陌生位置登录事件导致可疑的凭证盗窃活动

来自受感染设备的登录事件导致可疑的凭据盗窃活动

从匿名IP地址登录事件导致可疑的凭据盗窃活动

来自具有泄漏凭据的用户的登录事件导致可疑的凭据盗窃活动

加密采矿

（新威胁分类）

可疑登录后的加密挖掘活动

MITRE ATT&CK策略：初始访问、凭证访问

MITRE ATT&CK技术：有效帐户（T1078），资源劫持（T1496）

数据连接器源：Azure Active Directory身份保护、Azure Defender（Azure安全中心）

描述：此类型的融合事件表示与可疑登录Azure AD帐户相关的加密挖掘活动。这一证据高度肯定地表明，警报描述中指出的用户帐户已被泄露，并被用于劫持您环境中的资源以挖掘加密货币。这可能会耗尽您的计算能力资源和/或导致显著高于预期的云使用费用。可疑Azure AD登录警报与加密挖掘活动警报的排列如下：

无法前往导致加密采矿活动的非典型地点

从陌生位置登录事件导致加密挖掘活动

来自受感染设备的登录事件导致加密挖掘活动

来自导致加密挖掘活动的匿名IP地址的登录事件

来自具有泄漏凭据的用户的登录事件导致加密挖掘活动

数据销毁

在可疑的Azure AD登录后删除大量文件

斜接战术：初始进入，影响

MITRE ATT&CK技术：有效账户（T1078），数据销毁（T1485）

数据连接器来源：Microsoft云应用安全、Azure Active Directory身份保护

描述：此类型的融合事件表示在可疑登录到Azure AD帐户后，删除了异常数量的唯一文件。这一证据表明，聚变事件描述中提到的帐户可能已被泄露，并被用于出于恶意目的销毁数据。可疑Azure AD登录警报与海量文件删除警报的排列如下：

无法移动到非典型位置，导致大量文件删除

从陌生位置登录事件导致大量文件删除

来自受感染设备的登录事件导致大量文件删除

从导致大量文件删除的匿名IP地址登录事件

来自具有泄漏凭据的用户的登录事件导致大量文件删除

新的！Cisco防火墙设备阻止从IP成功登录Azure AD后删除大量文件

此场景使用由计划分析规则生成的警报。

此方案当前正在预览中。

斜接战术：初始进入，影响

MITRE ATT&CK技术：有效账户（T1078），数据销毁（T1485）

数据连接器来源：Azure Sentinel（计划分析规则）、Microsoft云应用程序安全

描述：此类型的融合事件表示，尽管用户的IP地址被Cisco防火墙设备阻止，但在成功登录Azure AD后删除了异常数量的唯一文件。这一证据表明，聚变事件描述中提到的帐户已被泄露，并被用于出于恶意目的销毁数据。由于该IP被防火墙阻止，因此成功登录到Azure AD的同一IP可能是可疑的，并且可能表示用户帐户的凭据泄露。

新的！在通过IP成功登录Palo Alto VPN并使用多个失败的Azure AD登录后删除大量文件

此场景使用由计划分析规则生成的警报。

此方案当前正在预览中。

MITRE ATT&CK策略：初始访问、凭证访问、影响

MITRE ATT&CK技术：有效账户（T1078）、暴力（T1110）、数据销毁（T1485）

数据连接器来源：Azure Sentinel（计划分析规则）、Microsoft云应用程序安全

描述：此类型的融合事件表示通过Palo Alto VPN成功登录的用户从IP地址删除了异常数量的唯一文件，在类似的时间范围内，从该IP地址中发生了多个失败的Azure AD登录。这一证据表明，Fusion事件中提到的用户帐户可能是使用暴力技术泄露的，并被用于出于恶意目的销毁数据。

可疑Azure广告登录后的可疑电子邮件删除活动

斜接战术：初始进入，影响

MITRE ATT&CK技术：有效账户（T1078），数据销毁（T1485）

数据连接器来源：Microsoft云应用安全、Azure Active Directory身份保护

描述：这种类型的融合事件表明，在一个可疑的Azure AD帐户登录后，在单个会话中删除了异常数量的电子邮件。这一证据表明，Fusion事件描述中提到的帐户可能已被泄露，并被用于出于恶意目的销毁数据，例如伤害组织或隐藏与垃圾邮件相关的电子邮件活动。可疑Azure AD登录警报与可疑电子邮件删除活动警报的排列如下：

无法前往非典型位置导致可疑电子邮件删除活动

从陌生位置登录事件导致可疑的电子邮件删除活动

来自受感染设备的登录事件导致可疑的电子邮件删除活动

从导致可疑电子邮件删除活动的匿名IP地址登录事件

来自具有泄漏凭据的用户的登录事件导致可疑的电子邮件删除活动

数据外泄

新的！新管理员帐户活动之后的邮件转发活动最近未见

此场景属于此列表中的两种威胁分类：数据泄漏和恶意管理活动。为了清楚起见，它出现在两个部分中。

此场景使用由计划分析规则生成的警报。

此方案当前正在预览中。

MITRE ATT&CK战术：初始访问、收集、过滤

MITRE ATT&CK技术：有效帐户（T1078）、电子邮件收集（T1114）、Web服务过滤（T1567）

数据连接器来源：Azure Sentinel（计划分析规则）、Microsoft云应用程序安全

描述：此类型的融合事件表示新的Exchange管理员帐户已创建，或者现有的Exchange管理员帐户在过去两周内首次执行了某些管理操作，然后该帐户执行了某些邮件转发操作，这对于管理员帐户来说是不寻常的。这一证据表明，Fusion事件描述中提到的用户帐户已被泄露或操纵，并且它被用来从您组织的网络中过滤数据。

大量文件下载后可疑的Azure广告登录

MITRE ATT&CK战术：初始进入、渗出

MITRE ATT&CK技术：有效账户（T1078）

数据连接器来源：Microsoft云应用安全、Azure Active Directory身份保护

描述：此类型的融合事件表示用户在可疑登录到Azure AD帐户后下载了异常数量的文件。这一迹象提供了高度的可信度，即Fusion事件描述中指出的帐户已被泄露，并被用于从组织的网络中过滤数据。可疑的Azure AD登录警报与海量文件下载警报的排列如下：

不可能到达导致大量文件下载的非典型位置

从陌生位置登录事件导致大量文件下载

从受感染的设备登录事件导致大量文件下载

从匿名IP登录事件导致大量文件下载

来自具有泄漏凭据的用户的登录事件导致大量文件下载

新的！Cisco防火墙设备阻止从IP成功登录Azure AD后的海量文件下载

MITRE ATT&CK战术：初始进入、渗出

MITRE ATT&CK技术：有效账户（T1078），Web服务过滤（T1567）

数据连接器来源：Azure Sentinel（计划分析规则）、Microsoft云应用程序安全

描述：此类型的融合事件表示，尽管用户的IP地址被Cisco防火墙设备阻止，但在成功登录Azure AD后，用户下载的文件数量异常。这可能是攻击者在泄露用户帐户后试图从组织的网络中渗出数据。由于该IP被防火墙阻止，因此成功登录到Azure AD的同一IP可能是可疑的，并且可能表示用户帐户的凭据泄露。

New! Mass file download coinciding with SharePoint file operation from previously unseen IP

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Exfiltration

MITRE ATT&CK techniques: Exfiltration Over Web Service (T1567), Data Transfer Size Limits (T1030)

Data connector sources: Azure Sentinel (scheduled analytics rule), Microsoft Cloud App Security

Description: Fusion incidents of this type indicate that an anomalous number of files were downloaded by a user connected from a previously unseen IP address. Though not evidence of a multistage attack, the correlation of these two lower-fidelity alerts results in a high-fidelity incident suggesting an attempt by an attacker to exfiltrate data from the organization's network from a possibly compromised user account. In stable environments, such connections by previously unseen IPs may be unauthorized, especially if associated with spikes in volume that could be associated with large-scale document exfiltration.

Mass file sharing following suspicious Azure AD sign-in

MITRE ATT&CK tactics: Initial Access, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Exfiltration Over Web Service (T1567)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a number of files above a particular threshold were shared to others following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and used to exfiltrate data from your organization's network by sharing files such as documents, spreadsheets, etc., with unauthorized users for malicious purposes. The permutations of suspicious Azure AD sign-in alerts with the mass file sharing alert are:

• Impossible travel to an atypical location leading to mass file sharing

• Sign-in event from an unfamiliar location leading to mass file sharing

• Sign-in event from an infected device leading to mass file sharing

• Sign-in event from an anonymous IP address leading to mass file sharing

• Sign-in event from user with leaked credentials leading to mass file sharing

Multiple Power BI report sharing activities following suspicious Azure AD sign-in

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Exfiltration Over Web Service (T1567)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an anomalous number of Power BI reports were shared in a single session following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate data from your organization's network by sharing Power BI reports with unauthorized users for malicious purposes. The permutations of suspicious Azure AD sign-in alerts with the multiple Power BI report sharing activities are:

• Impossible travel to an atypical location leading to multiple Power BI report sharing activities

• Sign-in event from an unfamiliar location leading to multiple Power BI report sharing activities

• Sign-in event from an infected device leading to multiple Power BI report sharing activities

• Sign-in event from an anonymous IP address leading to multiple Power BI report sharing activities

• Sign-in event from user with leaked credentials leading to multiple Power BI report sharing activities

Office 365 mailbox exfiltration following a suspicious Azure AD sign-in

MITRE ATT&CK tactics: Initial Access, Exfiltration, Collection

MITRE ATT&CK techniques: Valid Account (T1078), E-mail collection (T1114), Automated Exfiltration (T1020)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a suspicious inbox forwarding rule was set on a user's inbox following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the user's account (noted in the Fusion incident description) has been compromised, and that it was used to exfiltrate data from your organization's network by enabling a mailbox forwarding rule without the true user's knowledge. The permutations of suspicious Azure AD sign-in alerts with the Office 365 mailbox exfiltration alert are:

• Impossible travel to an atypical location leading to Office 365 mailbox exfiltration

• Sign-in event from an unfamiliar location leading to Office 365 mailbox exfiltration

• Sign-in event from an infected device leading to Office 365 mailbox exfiltration

• Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration

• Sign-in event from user with leaked credentials leading to Office 365 mailbox exfiltration

New! SharePoint file operation from previously unseen IP following malware detection

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Exfiltration, Defense Evasion

MITRE ATT&CK techniques: Data Transfer Size Limits (T1030)

Data connector sources: Azure Sentinel (scheduled analytics rule), Microsoft Cloud App Security

Description: Fusion incidents of this type indicate that an attacker attempted to exfiltrate large amounts of data by downloading or sharing through SharePoint through the use of malware. In stable environments, such connections by previously unseen IPs may be unauthorized, especially if associated with spikes in volume that could be associated with large-scale document exfiltration.

Suspicious inbox manipulation rules set following suspicious Azure AD sign-in

This scenario belongs to two threat classifications in this list: data exfiltration and lateral movement. For the sake of clarity, it appears in both sections.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Lateral Movement, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Internal Spear Phishing (T1534), Automated Exfiltration (T1020)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to an Azure AD account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the user’s email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. The permutations of suspicious Azure AD sign-in alerts with the suspicious inbox manipulation rules alert are:

• Impossible travel to an atypical location leading to suspicious inbox manipulation rule

• Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule

• Sign-in event from an infected device leading to suspicious inbox manipulation rule

• Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule

• Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule

Suspicious Power BI report sharing following suspicious Azure AD sign-in

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Exfiltration Over Web Service (T1567)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a suspicious Power BI report sharing activity occurred following a suspicious sign-in to an Azure AD account. The sharing activity was identified as suspicious because the Power BI report contained sensitive information identified using Natural language processing, and because it was shared with an external email address, published to the web, or delivered as a snapshot to an externally subscribed email address. This alert indicates with high confidence that the account noted in the Fusion incident description has been compromised and was used to exfiltrate sensitive data from your organization by sharing Power BI reports with unauthorized users for malicious purposes. The permutations of suspicious Azure AD sign-in alerts with the suspicious Power BI report sharing are:

• Impossible travel to an atypical location leading to suspicious Power BI report sharing

• Sign-in event from an unfamiliar location leading to suspicious Power BI report sharing

• Sign-in event from an infected device leading to suspicious Power BI report sharing

• Sign-in event from an anonymous IP address leading to suspicious Power BI report sharing

• Sign-in event from user with leaked credentials leading to suspicious Power BI report sharing

Denial of service

Multiple VM deletion activities following suspicious Azure AD sign-in

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Impact

MITRE ATT&CK techniques: Valid Account (T1078), Endpoint Denial of Service (T1499)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an anomalous number of VMs were deleted in a single session following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to attempt to disrupt or destroy the organization's cloud environment. The permutations of suspicious Azure AD sign-in alerts with the multiple VM deletion activities alert are:

• Impossible travel to an atypical location leading to multiple VM deletion activities

• Sign-in event from an unfamiliar location leading to multiple VM deletion activities

• Sign-in event from an infected device leading to multiple VM deletion activities

• Sign-in event from an anonymous IP address leading to multiple VM deletion activities

• Sign-in event from user with leaked credentials leading to multiple VM deletion activities

Lateral movement

Office 365 impersonation following suspicious Azure AD sign-in

MITRE ATT&CK tactics: Initial Access, Lateral Movement

MITRE ATT&CK techniques: Valid Account (T1078), Internal Spear Phishing (T1534)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an anomalous number of impersonation actions occurred following a suspicious sign-in from an Azure AD account. In some software, there are options to allow users to impersonate other users. For example, email services allow users to authorize other users to send email on their behalf. This alert indicates with higher confidence that the account noted in the Fusion incident description has been compromised and was used to conduct impersonation activities for malicious purposes, such as sending phishing emails for malware distribution or lateral movement. The permutations of suspicious Azure AD sign-in alerts with the Office 365 impersonation alert are:

• Impossible travel to an atypical location leading to Office 365 impersonation

• Sign-in event from an unfamiliar location leading to Office 365 impersonation

• Sign-in event from an infected device leading to Office 365 impersonation

• Sign-in event from an anonymous IP address leading to Office 365 impersonation

• Sign-in event from user with leaked credentials leading to Office 365 impersonation

Suspicious inbox manipulation rules set following suspicious Azure AD sign-in

This scenario belongs to two threat classifications in this list: lateral movement and data exfiltration. For the sake of clarity, it appears in both sections.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Lateral Movement, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Internal Spear Phishing (T1534), Automated Exfiltration (T1020)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that anomalous inbox rules were set on a user's inbox following a suspicious sign-in to an Azure AD account. This evidence provides a high-confidence indication that the account noted in the Fusion incident description has been compromised and was used to manipulate the user’s email inbox rules for malicious purposes, possibly to exfiltrate data from the organization's network. Alternatively, the attacker could be trying to generate phishing emails from within the organization (bypassing phishing detection mechanisms targeted at email from external sources) for the purpose of moving laterally by gaining access to additional user and/or privileged accounts. The permutations of suspicious Azure AD sign-in alerts with the suspicious inbox manipulation rules alert are:

• Impossible travel to an atypical location leading to suspicious inbox manipulation rule

• Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule

• Sign-in event from an infected device leading to suspicious inbox manipulation rule

• Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule

• Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule

Malicious administrative activity

Suspicious cloud app administrative activity following suspicious Azure AD sign-in

MITRE ATT&CK tactics: Initial Access, Persistence, Defense Evasion, Lateral Movement, Collection, Exfiltration, and Impact

MITRE ATT&CK techniques: N/A

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an anomalous number of administrative activities were performed in a single session following a suspicious Azure AD sign-in from the same account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and was used to make any number of unauthorized administrative actions with malicious intent. This also indicates that an account with administrative privileges may have been compromised. The permutations of suspicious Azure AD sign-in alerts with the suspicious cloud app administrative activity alert are:

• Impossible travel to an atypical location leading to suspicious cloud app administrative activity

• Sign-in event from an unfamiliar location leading to suspicious cloud app administrative activity

• Sign-in event from an infected device leading to suspicious cloud app administrative activity

• Sign-in event from an anonymous IP address leading to suspicious cloud app administrative activity

• Sign-in event from user with leaked credentials leading to suspicious cloud app administrative activity

New! Mail forwarding activities following new admin-account activity not seen recently

This scenario belongs to two threat classifications in this list: malicious administrative activity and data exfiltration. For the sake of clarity, it appears in both sections.

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Collection, Exfiltration

MITRE ATT&CK techniques: Valid Account (T1078), Email Collection (T1114), Exfiltration Over Web Service (T1567)

Data connector sources: Azure Sentinel (scheduled analytics rule), Microsoft Cloud App Security

Description: Fusion incidents of this type indicate that either a new Exchange administrator account has been created, or an existing Exchange admin account took some administrative action for the first time, in the last two weeks, and that the account then did some mail-forwarding actions, which are unusual for an administrator account. This evidence suggests that the user account noted in the Fusion incident description has been compromised or manipulated, and that it was used to exfiltrate data from your organization's network.

Malicious execution with legitimate process

PowerShell made a suspicious network connection, followed by anomalous traffic flagged by Palo Alto Networks firewall.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Execution

MITRE ATT&CK techniques: Command and Scripting Interpreter (T1059)

Data connector sources: Microsoft Defender for Endpoint (formerly Microsoft Defender Advanced Threat Protection, or MDATP), Palo Alto Networks

Description: Fusion incidents of this type indicate that an outbound connection request was made via a PowerShell command, and following that, anomalous inbound activity was detected by the Palo Alto Networks Firewall. This evidence suggests that an attacker has likely gained access to your network and is trying to perform malicious actions. Connection attempts by PowerShell that follow this pattern could be an indication of malware command and control activity, requests for the download of additional malware, or an attacker establishing remote interactive access. As with all “living off the land” attacks, this activity could be a legitimate use of PowerShell. However, the PowerShell command execution followed by suspicious inbound Firewall activity increases the confidence that PowerShell is being used in a malicious manner and should be investigated further. In Palo Alto logs, Azure Sentinel focuses on threat logs, and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the Threat/Content Type listed in the Fusion incident description for additional alert details.

Suspicious remote WMI execution followed by anomalous traffic flagged by Palo Alto Networks firewall

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Execution, Discovery

MITRE ATT&CK techniques: Windows Management Instrumentation (T1047)

Data connector sources: Microsoft Defender for Endpoint (formerly MDATP), Palo Alto Networks

Description: Fusion incidents of this type indicate that Windows Management Interface (WMI) commands were remotely executed on a system, and following that, suspicious inbound activity was detected by the Palo Alto Networks Firewall. This evidence suggests that an attacker may have gained access to your network and is attempting to move laterally, escalate privileges, and/or execute malicious payloads. As with all “living off the land” attacks, this activity could be a legitimate use of WMI. However, the remote WMI command execution followed by suspicious inbound Firewall activity increases the confidence that WMI is being used in a malicious manner and should be investigated further. In Palo Alto logs, Azure Sentinel focuses on threat logs, and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the Threat/Content Type listed in the Fusion incident description for additional alert details.

Suspicious PowerShell command line following suspicious sign-in

MITRE ATT&CK tactics: Initial Access, Execution

MITRE ATT&CK techniques: Valid Account (T1078), Command and Scripting Interpreter (T1059)

Data connector sources: Azure Active Directory Identity Protection, Microsoft Defender for Endpoint (formerly MDATP)

Description: Fusion incidents of this type indicate that a user executed potentially malicious PowerShell commands following a suspicious sign-in to an Azure AD account. This evidence suggests with high confidence that the account noted in the alert description has been compromised and further malicious actions were taken. Attackers often use PowerShell to execute malicious payloads in memory without leaving artifacts on the disk, in order to avoid detection by disk-based security mechanisms such as virus scanners. The permutations of suspicious Azure AD sign-in alerts with the suspicious PowerShell command alert are:

• Impossible travel to atypical locations leading to suspicious PowerShell command line

• Sign-in event from an unfamiliar location leading to suspicious PowerShell command line

• Sign-in event from an infected device leading to suspicious PowerShell command line

• Sign-in event from an anonymous IP address leading to suspicious PowerShell command line

• Sign-in event from user with leaked credentials leading to suspicious PowerShell command line

Malware C2 or download

New! Beacon pattern detected by Fortinet following multiple failed user sign-ins to a service

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Command and Control

MITRE ATT&CK techniques: Valid Account (T1078), Non-Standard Port (T1571), T1065 (retired)

Data connector sources: Azure Sentinel (scheduled analytics rule), Microsoft Cloud App Security

Description: Fusion incidents of this type indicate communication patterns, from an internal IP address to an external one, that are consistent with beaconing, following multiple failed user sign-ins to a service from a related internal entity. The combination of these two events could be an indication of malware infection or of a compromised host doing data exfiltration.

New! Beacon pattern detected by Fortinet following suspicious Azure AD sign-in

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Command and Control

MITRE ATT&CK techniques: Valid Account (T1078), Non-Standard Port (T1571), T1065 (retired)

Data connector sources: Azure Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate communication patterns, from an internal IP address to an external one, that are consistent with beaconing, following a user sign-in of a suspicious nature to Azure AD. The combination of these two events could be an indication of malware infection or of a compromised host doing data exfiltration. The permutations of beacon pattern detected by Fortinet alerts with suspicious Azure AD sign-in alerts are:

• Impossible travel to an atypical location leading to beacon pattern detected by Fortinet

• Sign-in event from an unfamiliar location leading to beacon pattern detected by Fortinet

• Sign-in event from an infected device leading to beacon pattern detected by Fortinet

• Sign-in event from an anonymous IP address leading to beacon pattern detected by Fortinet

• Sign-in event from user with leaked credentials leading to beacon pattern detected by Fortinet

Network request to TOR anonymization service followed by anomalous traffic flagged by Palo Alto Networks firewall.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Command and Control

MITRE ATT&CK techniques: Encrypted Channel (T1573), Proxy (T1090)

Data connector sources: Microsoft Defender for Endpoint (formerly MDATP), Palo Alto Networks

Description: Fusion incidents of this type indicate that an outbound connection request was made to the TOR anonymization service, and following that, anomalous inbound activity was detected by the Palo Alto Networks Firewall. This evidence suggests that an attacker has likely gained access to your network and is trying to conceal their actions and intent. Connections to the TOR network following this pattern could be an indication of malware command and control activity, requests for the download of additional malware, or an attacker establishing remote interactive access. In Palo Alto logs, Azure Sentinel focuses on threat logs, and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the Threat/Content Type listed in the Fusion incident description for additional alert details.

Outbound connection to IP with a history of unauthorized access attempts followed by anomalous traffic flagged by Palo Alto Networks firewall

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Command and Control

MITRE ATT&CK techniques: Not applicable

Data connector sources: Microsoft Defender for Endpoint (formerly MDATP), Palo Alto Networks

Description: Fusion incidents of this type indicate that an outbound connection to an IP address with a history of unauthorized access attempts was established, and following that, anomalous activity was detected by the Palo Alto Networks Firewall. This evidence suggests that an attacker has likely gained access to your network. Connection attempts following this pattern could be an indication of malware command and control activity, requests for the download of additional malware, or an attacker establishing remote interactive access. In Palo Alto logs, Azure Sentinel focuses on threat logs, and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the Threat/Content Type listed in the Fusion incident description for additional alert details.

Persistence

(New threat classification)

New! Rare application consent following suspicious sign-in

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Persistence, Initial Access

MITRE ATT&CK techniques: Create Account (T1136), Valid Account (T1078)

Data connector sources: Azure Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that an application was granted consent by a user who has never or rarely done so, following a related suspicious sign-in to an Azure AD account. This evidence suggests that the account noted in the Fusion incident description may have been compromised and used to access or manipulate the application for malicious purposes. Consent to application, Add service principal and Add OAuth2PermissionGrant should typically be rare events. Attackers may use this type of configuration change to establish or maintain their foothold on systems. The permutations of suspicious Azure AD sign-in alerts with the rare application consent alert are:

• Impossible travel to an atypical location leading to rare application consent

• Sign-in event from an unfamiliar location leading to rare application consent

• Sign-in event from an infected device leading to rare application consent

• Sign-in event from an anonymous IP leading to rare application consent

• Sign-in event from user with leaked credentials leading to rare application consent

Ransomware

Ransomware execution following suspicious Azure AD sign-in

MITRE ATT&CK tactics: Initial Access, Impact

MITRE ATT&CK techniques: Valid Account (T1078), Data Encrypted for Impact (T1486)

Data connector sources: Microsoft Cloud App Security, Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that anomalous user behavior indicating a ransomware attack was detected following a suspicious sign-in to an Azure AD account. This indication provides high confidence that the account noted in the Fusion incident description has been compromised and was used to encrypt data for the purposes of extorting the data owner or denying the data owner access to their data. The permutations of suspicious Azure AD sign-in alerts with the ransomware execution alert are:

• Impossible travel to an atypical location leading to ransomware in cloud app

• Sign-in event from an unfamiliar location leading to ransomware in cloud app

• Sign-in event from an infected device leading to ransomware in cloud app

• Sign-in event from an anonymous IP address leading to ransomware in cloud app

• Sign-in event from user with leaked credentials leading to ransomware in cloud app

Remote exploitation

Suspected use of attack framework followed by anomalous traffic flagged by Palo Alto Networks firewall

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Execution, Lateral Movement, Privilege Escalation

MITRE ATT&CK techniques: Exploit Public-Facing Application (T1190), Exploitation for Client Execution (T1203), Exploitation of Remote Services(T1210), Exploitation for Privilege Escalation (T1068)

Data connector sources: Microsoft Defender for Endpoint (formerly MDATP), Palo Alto Networks

Description: Fusion incidents of this type indicate that non-standard uses of protocols, resembling the use of attack frameworks such as Metasploit, were detected, and following that, suspicious inbound activity was detected by the Palo Alto Networks Firewall. This may be an initial indication that an attacker has exploited a service to gain access to your network resources or that an attacker has already gained access and is trying to further exploit available systems/services to move laterally and/or escalate privileges. In Palo Alto logs, Azure Sentinel focuses on threat logs, and traffic is considered suspicious when threats are allowed (suspicious data, files, floods, packets, scans, spyware, URLs, viruses, vulnerabilities, wildfire-viruses, wildfires). Also reference the Palo Alto Threat Log corresponding to the Threat/Content Type listed in the Fusion incident description for additional alert details.

Resource hijacking

(New threat classification)

New! Suspicious resource / resource group deployment by a previously unseen caller following suspicious Azure AD sign-in

This scenario makes use of alerts produced by scheduled analytics rules.

This scenario is currently in PREVIEW.

MITRE ATT&CK tactics: Initial Access, Impact

MITRE ATT&CK techniques: Valid Account (T1078), Resource Hijacking (T1496)

Data connector sources: Azure Sentinel (scheduled analytics rule), Azure Active Directory Identity Protection

Description: Fusion incidents of this type indicate that a user has deployed an Azure resource or resource group - a rare activity - following a suspicious sign-in, with properties not recently seen, to an Azure AD account. This could possibly be an attempt by an attacker to deploy resources or resource groups for malicious purposes after compromising the user account noted in the Fusion incident description. The permutations of suspicious Azure AD sign-in alerts with the suspicious resource / resource group deployment by a previously unseen caller alert are:

• Impossible travel to an atypical location leading to suspicious resource / resource group deployment by a previously unseen caller

• Sign-in event from an unfamiliar location leading to suspicious resource / resource group deployment by a previously unseen caller

• Sign-in event from an infected device leading to suspicious resource / resource group deployment by a previously unseen caller

• Sign-in event from an anonymous IP leading to suspicious resource / resource group deployment by a previously unseen caller

• Sign-in event from user with leaked credentials leading to suspicious resource / resource group deployment by a previously unseen caller