## What Changed
Initial release (v3.0.0) of the eDCRule solution, adding 10 scheduled Analytic Rules in English (plus 10 Chinese-localized variants for a total of 20 templates). Rules span two data source categories: Microsoft Entra ID and Azure Subscription activity.
## Detection Logic
Required tables: AuditLogs, SigninLogs, AADNonInteractiveUserSignInLogs, AzureActivity, BehaviorAnalytics
### Entra ID Rules (9 rules)
| Rule | Primary Table | Core Logic |
|---|---|---|
| Application Assigned Administrator Permissions Immediately After Obtaining Role Management Permissions | AuditLogs | Detects an app receiving RoleManagement.ReadWrite.Directory consent then assigning admin roles within a short window – rapid privilege escalation via app consent abuse |
| Application Granted Administrative Permission to Assign Entra ID Roles | AuditLogs | Fires when delegated or application permission for role assignment is granted; entity maps Account + IP |
| Authentication Method Changed for Privileged Account | AuditLogs | Detects MFA method or auth credential changes on accounts holding privileged directory roles |
| Domain Federation Trust Settings Modified | AuditLogs | Detects changes to federated domain trust settings (T1606) – classic Golden SAML precursor |
| Mass Privileged Role Change Activity Detected | AuditLogs | Aggregates role assignment/removal operations; fires when volume exceeds threshold, indicating bulk privilege manipulation |
| Privilege Elevation Request Denied | AuditLogs | Tracks denied PIM elevation requests as a signal of probing or misconfigured entitlements |
| Privileged Role Assigned to User | AuditLogs | Generic privileged role assignment alert with account entity mapping |
| Privileged Role Assigned to a New User | AuditLogs | Filters for accounts with no prior role history receiving privileged assignments |
| Suspicious Continuous OAuth Token Usage | SigninLogs / AADNonInteractiveUserSignInLogs | Detects OAuth tokens used repeatedly from multiple IPs or across unusual time windows (T1555, T1078.004) |
### Azure Subscription Rule (1 rule)
| Rule | Primary Tables | Core Logic |
|---|---|---|
| Suspicious Azure VM Run Command Execution Detected | AzureActivity + BehaviorAnalytics | Joins successful MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION operations to UEBA events where ActionInsights.ActionUncommonlyPerformedByUser == True within a 7-hour window; entity maps Account, Host, IP |
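The shape of the AzureActivity-to-UEBA join that this rule is described as performing, written here as an added illustration rather than the solution's shipped YAML. It assumes the standard AzureActivity and BehaviorAnalytics column names (the UEBA flag is read from the dynamic ActivityInsights column), the 7-hour window stated above, and that the Run Command caller is the same UPN UEBA records as UserPrincipalName.

```kql
// Added example, not the eDCRule solution's own query.
let window = 7h;
let runCommands =
    AzureActivity
    | where OperationNameValue =~ "MICROSOFT.COMPUTE/VIRTUALMACHINES/RUNCOMMAND/ACTION"
    | where ActivityStatusValue =~ "Success"
    // Last path segment of the resource id is the VM name (assumes a standard VM resource id).
    | extend VmName = tostring(split(_ResourceId, "/")[-1])
    | project RunTime = TimeGenerated, Caller, CallerIpAddress, VmName, _ResourceId, CorrelationId;
let uncommonActions =
    BehaviorAnalytics
    // UEBA has marked this action as one the user does not normally perform.
    | where tobool(ActivityInsights.ActionUncommonlyPerformedByUser) == true
    | project UebaTime = TimeGenerated, UserPrincipalName, SourceIPAddress,
              ActivityType, ActionType, InvestigationPriority;
runCommands
| join kind=inner uncommonActions on $left.Caller == $right.UserPrincipalName
// Keep only UEBA events that fall within the stated window around the Run Command.
| where UebaTime between ((RunTime - window) .. (RunTime + window))
| summarize UebaHits = count(),
            MaxPriority = max(InvestigationPriority),
            UebaSourceIPs = make_set(SourceIPAddress),
            FirstUebaEvent = min(UebaTime)
    by RunTime, Caller, CallerIpAddress, VmName, _ResourceId, CorrelationId
// Columns intended for entity mapping: Account = Caller, Host = VmName, IP = CallerIpAddress.
| project RunTime, Caller, CallerIpAddress, VmName, _ResourceId, CorrelationId,
          UebaHits, MaxPriority, UebaSourceIPs, FirstUebaEvent
```

Because the join is `kind=inner`, an empty BehaviorAnalytics table (UEBA not enabled) yields no rows at all; running the `runCommands` half on its own is the quickest way to confirm that the AzureActivity side is producing data before concluding the rule is silent for a good reason.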
## MITRE Mapping
| Technique | Rule(s) |
|---|---|
| T1098 / T1098.003 (Account Manipulation / Additional Cloud Roles) | Application permission rules, privileged role assignment rules |
| T1078 / T1078.004 (Valid Accounts / Cloud Accounts) | OAuth token abuse, suspicious sign-in correlation |
| T1606 (Forge Web Credentials) | Domain Federation Trust Settings Modified |
| T1555 (Credentials from Password Stores) | Suspicious Continuous OAuth Token Usage |
| T1570 (Lateral Tool Transfer) | Azure VM Run Command rule (post-compromise execution vector) |
| T1212 (Exploitation for Credential Access) | Azure VM Run Command rule |
## Operational Notes
- Rules embed bilingual (EN/ZH-TW) structured alert descriptions, triage steps, and containment guidance directly in KQL output fields – this is non-standard; downstream automation or SOAR playbooks consuming alert custom details should account for these projected columns.
- The Azure VM Run Command rule requires BehaviorAnalytics (UEBA) to be enabled; without it, the inner join returns zero results and the rule produces no alerts.
- No Data Connector, Playbook, or Hunting Query content is bundled – pure Analytic Rules only.
## Affected Files
- `Solutions/eDCRule/Analytic Rules/[AzureSubscription] Suspicious Azure VM Run Command Execution Detected.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Application Assigned Administrator Permissions Immediately After Obtaining Role Management Permissions.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Application Granted Administrative Permission to Assign Microsoft Entra ID Roles.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Authentication Method Changed for Privileged Account.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Domain Federation Trust Settings Modified.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Mass Privileged Role Change Activity Detected.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Privilege Elevation Request Denied.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Privileged Role Assigned to User.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Privileged Role Assigned to a New User.yaml`
- `Solutions/eDCRule/Analytic Rules/[Entra ID] Suspicious Continuous OAuth Token Usage.yaml`
- `Solutions/eDCRule/Package/testParameters.json`
- Packaging artefacts: `3.0.0.zip`, `ReleaseNotes.md`, `SolutionMetadata.json`, `Solution_eDCRule.json`, `createUiDefinition.json`, `mainTemplate.json`