
Add Azure AD Entra ID identity attack detections (3 analytics) #4091

Open

descambiado wants to merge 5 commits into splunk:develop from descambiado:add-entra-id-identity-attack-detections

Conversation

@descambiado

Details

Three new TTP analytics covering Azure AD / Entra ID identity attack techniques that are not currently in the repository.

azure_ad_temporary_access_pass_created.yml
Detects creation of a Temporary Access Pass for an Azure AD user via the Create Temporary Access Pass method for user AuditLog operation. TAPs are time-limited passcodes that bypass MFA and FIDO2 — an attacker who gains admin access and creates a TAP for a target account can authenticate without any second factor. Covers T1556.006, T1078.004. Risk score 70 on targetUser.

azure_ad_guest_user_type_changed_to_member.yml
Detects when a guest account's UserType property is changed to Member via Update user. Uses mvfind/mvindex to filter on the UserType modifiedProperty, consistent with the pattern used in azure_ad_block_user_consent_for_risky_apps_disabled. Removing guest restrictions gives a compromised external identity broader access to tenant resources. Covers T1098.

azure_ad_federated_identity_credential_added_to_sp.yml
Detects federated identity credential additions to service principals via Update service principal where FederatedIdentityCredentials appears in modifiedProperties. Workload identity federation allows external OIDC workloads (GitHub Actions, Kubernetes) to authenticate as the SP without a secret — an attacker who adds a federated credential pointing to a controlled OIDC issuer gains a persistent secretless authentication path invisible to standard credential monitoring. Covers T1098.001.

Checklist

  • Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature (azure_ad prefix, descriptive name consistent with existing detections)
  • CI/CD jobs passed - pending (see notes)
  • Validated SPL logic against Azure AD AuditLogs schema
  • Validated tags, description, and how_to_implement
  • Verified references match analytic
  • No lookup changes

Notes For Submitters and Reviewers

CLA: I have not yet signed the Splunk individual contributors agreement. I will complete this at https://www.splunk.com/goto/individualcontributions before this PR is reviewed.

Attack data: Test data files for these three techniques do not yet exist in splunk/attack_data. The tests.attack_data URLs follow the established naming pattern but point to datasets that need to be contributed separately. Happy to contribute the attack data in a follow-up PR to splunk/attack_data once the detection logic is reviewed and approved.

SPL pattern: The azure_ad_guest_user_type_changed_to_member and azure_ad_federated_identity_credential_added_to_sp analytics use the mvfind/mvindex pattern for modifiedProperties array filtering, consistent with azure_ad_block_user_consent_for_risky_apps_disabled.
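The three analytics described in this PR, re-implemented as plain Python and run over constructed Azure AD / Entra ID AuditLogs events so the modifiedProperties filtering (the mvfind/mvindex pattern) can be checked offline. This is an added example, not code from the PR or from splunk/security_content. Assumptions not confirmed by the page: the operation names and the modifiedProperties displayName values ("UserType", "FederatedIdentityCredentials") are taken from the PR description as written; the event shape is the Azure Monitor AuditLogs export (properties.targetResources[].modifiedProperties[]); oldValue/newValue are the JSON-encoded strings Entra ID emits. The sample events and account names are constructed.

```python
"""Three Entra ID audit-log detections as plain Python, run over constructed events."""
import json

# Operation names below are copied from the PR description and are assumptions here;
# confirm the exact activityDisplayName values against your tenant's AuditLogs.
TAP_OPERATION = "Create Temporary Access Pass method for user"
UPDATE_USER = "Update user"
UPDATE_SP = "Update service principal"


def _decode(value):
    """Entra ID emits oldValue/newValue as JSON-encoded strings such as '["Member"]';
    a raw string compare against "Member" would never match, so decode first."""
    if value is None:
        return None
    try:
        return json.loads(value)
    except (TypeError, ValueError):
        return value


def modified_property(resource, name):
    """mvfind/mvindex equivalent: locate the modifiedProperties entry whose displayName
    equals `name` (exact match, not a regex) and return its decoded (old, new) pair.
    Walking the entries keeps old/new paired even when an entry omits one field."""
    for prop in resource.get("modifiedProperties") or []:
        if prop.get("displayName") == name:
            return _decode(prop.get("oldValue")), _decode(prop.get("newValue"))
    return None


def _finding(name, event, resource, **extra):
    actor = event["properties"].get("initiatedBy", {}).get("user", {}).get("userPrincipalName")
    return {"detection": name, "initiated_by": actor,
            "target": resource.get("userPrincipalName") or resource.get("displayName"), **extra}


def detect_tap_created(event):
    if event.get("operationName") != TAP_OPERATION or event.get("result") != "success":
        return None
    for res in event["properties"]["targetResources"]:
        if res.get("type") == "User":
            return _finding("azure_ad_temporary_access_pass_created", event, res)
    return None


def detect_guest_to_member(event):
    if event.get("operationName") != UPDATE_USER:
        return None
    for res in event["properties"]["targetResources"]:
        change = modified_property(res, "UserType")
        # Check both sides: a Member -> Guest demotion also carries a UserType entry.
        if change and change[0] == ["Guest"] and change[1] == ["Member"]:
            return _finding("azure_ad_guest_user_type_changed_to_member", event, res)
    return None


def detect_federated_credential_added(event):
    if event.get("operationName") != UPDATE_SP:
        return None
    for res in event["properties"]["targetResources"]:
        change = modified_property(res, "FederatedIdentityCredentials")
        if change is None:
            continue
        old, new = change[0] or [], change[1] or []
        added = [c for c in new if c not in old]  # present after the update, absent before
        if added:
            return _finding("azure_ad_federated_identity_credential_added_to_sp", event, res,
                            issuers=[c.get("issuer") for c in added])
    return None


DETECTIONS = (detect_tap_created, detect_guest_to_member, detect_federated_credential_added)


def run_detections(events):
    findings = []
    for event in events:
        for detect in DETECTIONS:
            hit = detect(event)
            if hit:
                findings.append(hit)
    return findings


def _event(op, category, actor, resources):
    return {"operationName": op, "category": category, "result": "success",
            "properties": {"initiatedBy": {"user": {"userPrincipalName": actor}},
                           "targetResources": resources}}


# Constructed sample events (not real tenant data). Event 3 must not fire.
EVENTS = [
    _event(TAP_OPERATION, "UserManagement", "admin@contoso.example",
           [{"type": "User", "userPrincipalName": "victim@contoso.example", "modifiedProperties": []}]),
    _event(UPDATE_USER, "UserManagement", "admin@contoso.example",
           [{"type": "User", "userPrincipalName": "partner_example.org#EXT#@contoso.example",
             "modifiedProperties": [
                 {"displayName": "Included Updated Properties", "oldValue": None, "newValue": '"UserType"'},
                 {"displayName": "UserType", "oldValue": '["Guest"]', "newValue": '["Member"]'}]}]),
    _event(UPDATE_USER, "UserManagement", "admin@contoso.example",
           [{"type": "User", "userPrincipalName": "demoted@contoso.example",
             "modifiedProperties": [
                 {"displayName": "UserType", "oldValue": '["Member"]', "newValue": '["Guest"]'}]}]),
    _event(UPDATE_SP, "ApplicationManagement", "admin@contoso.example",
           [{"type": "ServicePrincipal", "displayName": "deploy-pipeline",
             "modifiedProperties": [
                 {"displayName": "FederatedIdentityCredentials", "oldValue": "[]",
                  "newValue": '[{"issuer":"https://token.actions.githubusercontent.com",'
                              '"subject":"repo:attacker/repo:ref:refs/heads/main"}]'}]}]),
]

if __name__ == "__main__":
    for finding in run_detections(EVENTS):
        print(finding)
```

Two points carry over to the SPL versions. Splunk's `mvfind` takes a regex, so anchor the property name (`"^UserType$"`) to avoid matching a displayName that merely contains it, and the `mvindex` lookup only stays correct while the displayName, oldValue and newValue multivalue fields are the same length, which an entry with a missing oldValue can break. Second, because the values are JSON-encoded strings, an equality test on the raw newValue has to include the brackets and quotes; the guest-to-member check above also tests oldValue so that a Member to Guest demotion does not fire.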

Detects TAP creation for Azure AD users via AuditLogs. TAPs bypass all authentication requirements including MFA and FIDO2. Covers T1556.006 and T1078.004.

Detects UserType property changes from Guest to Member in Azure AD via Update user AuditLogs. Uses mvfind/mvindex to filter modifiedProperties. Covers T1098.

Detects federated credential additions to service principals via Update service principal AuditLogs. Workload identity federation enables secretless external OIDC authentication as the SP. Covers T1098.001.

azure_ad_federated_identity_credential_added_to_sp: filter macro renamed from azure_ad_federated_identity_credential_added_to_sp_filter to azure_ad_federated_identity_credential_added_to_service_principal_filter to match the detection name field as required by appinspect.

azure_ad_temporary_access_pass_created: data_source updated from the non-existent "Create Temporary Access Pass method for user" catalog entry to the valid "Azure Active Directory Update user" entry.
@descambiado
Author

Addressed the two appinspect failures from CI:

azure_ad_federated_identity_credential_added_to_sp: Filter macro renamed from azure_ad_federated_identity_credential_added_to_sp_filter to azure_ad_federated_identity_credential_added_to_service_principal_filter to match the detection name: field as required by appinspect validation.

azure_ad_temporary_access_pass_created: data_source updated from the non-existent catalog entry Azure Active Directory Create Temporary Access Pass method for user to the valid entry Azure Active Directory Update user.

The unit-testing failure appears to be on the develop branch checkout (pre-existing) and is not related to the files added in this PR. Attack data for the three new detections still needs to be submitted to splunk/attack_data — noted as a follow-up.

@descambiado
Author

Hey @ljstella, just checking in to see if there is anything blocking the review or if you need any additional info from my side. Happy to help!

@ljstella
Contributor

ljstella commented Jun 4, 2026

Hey @descambiado - thanks for checking in, and apologies for the delay on our side. We've been rather busy getting ESCU v6.0.0 out the door. Unfortunately, there's been some rather large changes to the repo as part of the release of ESCU v6.0.0 that are going to cause some issues here, including a new format of the detection yaml files. Additionally, the unit-testing no longer works from forks at the moment.

I'm going to update this with the latest changes from develop, which will have the build job failing and error messages that are related to those structural changes we made. Once that's done, we can work with you to get those updated and tested on our side, and then we can wrap this up.

@descambiado
Author

Hey @ljstella, no worries at all, congrats on the v6.0.0 release! I'll wait for you to update the branch and then happy to work through whatever structural changes are needed. Just let me know what to update once it's rebased.
