Skip to content

Conversation

terrancedejesus
Copy link
Contributor

Pull Request

Issue link(s):

Summary - What I changed

Adds a new rule for Microsoft Entra Session Reuse with Suspicious Graph Access. Identifies cases where a user signed in from one IP and then, within 5 minutes, made Microsoft Graph API calls from a different IP using the same session — indicating possible session hijacking or delegated token abuse. This may be evidence of OAuth phishing for tokens that lead to Graph API access.

Additional Information:

  • Focuses on Microsoft Entra ID sign-in logs and Microsoft Graph API activity logs
  • Ignores MSFT's ASN for reported source addresses
  • Normalizes session ID, user ID, client IDs reported in each data source
  • Labels data for easier correlation
  • Creates a bucket time window of 5 minutes
  • generates stats and arrays of values for important investigation indicators
  • Aggregates by session ID and time window
  • Generates time diffs for events and sign-in to graph events
  • ensures that more than one IP and event count within less than 5 minutes and the delay minutes for entra to graph are valid

How To Test

  • Please review the meta's testing and blog for additional context
  • For ES|QL syntax testing or results, please use the TRADE serverless stack with generated data

Checklist

  • Added a label for the type of pr: bug, enhancement, schema, maintenance, Rule: New, Rule: Deprecation, Rule: Tuning, Hunt: New, or Hunt: Tuning so guidelines can be generated
  • Added the meta:rapid-merge label if planning to merge within 24 hours
  • Secret and sensitive material has been managed correctly
  • Automated testing was updated or added to match the most common scenarios
  • Documentation and comments were added for features that require explanation

Contributor checklist

Copy link
Contributor

github-actions bot commented May 8, 2025

Rule: New - Guidelines

These guidelines serve as a reminder set of considerations when proposing a new rule.

Documentation and Context

  • Detailed description of the rule.
  • List any new fields required in ECS/data sources.
  • Link related issues or PRs.
  • Include references.

Rule Metadata Checks

  • creation_date matches the date of creation PR initially merged.
  • min_stack_version should support the widest stack versions.
  • name and description should be descriptive and not include typos.
  • query should be inclusive, not overly exclusive, considering performance for diverse environments. Non ecs fields should be added to non-ecs-schema.json if not available in an integration.
  • min_stack_comments and min_stack_version should be included if the rule is only compatible starting from a specific stack version.
  • index pattern should be neither too specific nor too vague, ensuring it accurately matches the relevant data stream (e.g., use logs-endpoint.process-* for process data).
  • integration should align with the index. If the integration is newly introduced, ensure the manifest, schemas, and new_rule.yaml template are updated.
  • setup should include the necessary steps to configure the integration.
  • note should include any additional information (e.g. Triage and analysis investigation guides, timeline templates).
  • tags should be relevant to the threat and align/added to the EXPECTED_RULE_TAGS in the definitions.py file.
  • threat, techniques, and subtechniques should map to ATT&CK always if possible.

New BBR Rules

  • building_block_type should be included if the rule is a building block and the rule should be located in the rules_building_block folder.
  • bypass_bbr_timing should be included if adding custom lookback timing to the rule.

Testing and Validation

  • Provide evidence of testing and detecting the expected threat.
  • Check for existence of coverage to prevent duplication.
@terrancedejesus terrancedejesus marked this pull request as ready for review May 8, 2025 14:38
Copy link
Contributor

@DefSecSentinel DefSecSentinel left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

Copy link
Contributor

@imays11 imays11 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice rule!

@terrancedejesus terrancedejesus merged commit d83e1c7 into main May 10, 2025
10 checks passed
@terrancedejesus terrancedejesus deleted the new-rule-entra-id-multiple-addresses-for-single-session branch May 10, 2025 00:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

3 participants