[New Rule] Potential TeamFiltration Tool Detected #4862

@terrancedejesus

Description

Add coverage for TeamFiltration tool via unique user-agent string that is hardcoded when doing enumerations and password spraying.

Target Ruleset

azure

Target Rule Type

None

Tested ECS Version

No response

Query

event.dataset: azure.signinlogs and user_agent.name: "Electron" and user_agent.os.name: "Windows" and azure.signinlogs.properties.app_id: "1fec8e78-bce4-4aaf-ab1b-5451cc387264"

New fields required in ECS/data sources for this rule?

No response

Related issues or PRs

References

Redacted Example Data

No response
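
As an added example (not part of the issue and not the project's own code), the following Python applies the four conditions from the query above to sign-in documents, whether their ECS fields are flattened or nested, and groups the hits by source IP so a spray against many accounts stands out. The fields `source.ip` and `azure.signinlogs.properties.user_principal_name` are assumptions about the indexed documents, and every sample event is constructed.

```python
from collections import defaultdict

# Field/value pairs copied from the query in the issue.
RULE = {
    "event.dataset": "azure.signinlogs",
    "user_agent.name": "Electron",
    "user_agent.os.name": "Windows",
    "azure.signinlogs.properties.app_id": "1fec8e78-bce4-4aaf-ab1b-5451cc387264",
}
UPN = "azure.signinlogs.properties.user_principal_name"  # assumed field name

def get_field(doc, dotted):
    """Resolve an ECS field from a flat, nested, or mixed flat/nested document."""
    if not isinstance(doc, dict):
        return None
    if dotted in doc:
        return doc[dotted]
    parts = dotted.split(".")
    for i in range(1, len(parts)):
        head, rest = ".".join(parts[:i]), ".".join(parts[i:])
        if head in doc:
            found = get_field(doc[head], rest)
            if found is not None:
                return found
    return None

def matches(doc):
    """True when every condition of the query holds (exact keyword match)."""
    return all(get_field(doc, field) == value for field, value in RULE.items())

def spray_summary(docs):
    """Map each source IP to the sorted, distinct accounts it hit with matching sign-ins."""
    targets = defaultdict(set)
    for doc in docs:
        if matches(doc):
            ip = get_field(doc, "source.ip") or "unknown"  # assumed field name
            targets[ip].add(get_field(doc, UPN) or "unknown")
    return {ip: sorted(users) for ip, users in targets.items()}

# Constructed sample events (documentation IP ranges, example.com accounts).
FLAT = {**RULE, "source.ip": "203.0.113.10", UPN: "alice@example.com"}
NESTED = {"event": {"dataset": "azure.signinlogs"}, "source": {"ip": "203.0.113.10"},
          "user_agent": {"name": "Electron", "os": {"name": "Windows"}},
          "azure": {"signinlogs": {"properties": {
              "app_id": RULE["azure.signinlogs.properties.app_id"],
              "user_principal_name": "bob@example.com"}}}}
OTHER_UA = {**FLAT, "user_agent.name": "Chrome", "source.ip": "198.51.100.7"}
OTHER_APP = {**FLAT, "azure.signinlogs.properties.app_id": "00000000-0000-0000-0000-000000000000"}
SAMPLE_EVENTS = [FLAT, NESTED, OTHER_UA, OTHER_APP]
```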
