microsoft / azure-threat-research-matrix Goto Github PK

In this technique, the examples of Azure REST API is PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01.

It is totally as same as AZT506 PUT https://management.azure.com/subscriptions/{subscriptionId}/resourceGroups/{resourceGroupName}/providers/Microsoft.Network/networkSecurityGroups/{networkSecurityGroupName}/securityRules/{securityRuleName}?api-version=2021-08-01.

I guess this is a typo.

Documented query will not fetch any results.

AzureActivity | where Properties_d has 'vmaccesswindowspasswordreset'

Log vmaccesswindowspasswordreset is not present in Properties_d.

Thank you for this very interesting ATT&CK-alike taxonomy!

It would be great if this taxonomy could be provided in a machine parsable format such as JSON.
That should allow CTI tooling to use the taxonomy without the need for manual encoding.

In the meantime, we have developed a temporary script that converts the Markdown data into a JSON structured ATRM MISP Galaxy.

This brings all ATRM entities within projects that use these tags/galaxies, such as the MISP Threat Sharing software.
A nifty feature is also the support of the matrix model within MISP ! (screenshot below)

Thanks again !

AZT404.3 is titled "Automation Account", but the content is related to Function Apps.

The query for AZT402 - Elevated Access Toggle does not appear to be valid.

AuditLogs | where ActivityDisplayName == 'Assigns the caller to User Access Administrator role'

In my testing these 'Directory Activity' logs are not exported to AuditLogs (nor to ActivityLogs). I am engaging support but fear the answer is that these logs are not currently exportable.

Edit: Support seems to concur that these logs are not currently exportable. I have found that you can at least retrieve these events from the Tenant Activity API endpoint
https://learn.microsoft.com/en-us/rest/api/monitor/tenant-activity-logs/list?view=rest-monitor-2015-04-01&tabs=HTTP

There are important files that Microsoft projects should all have that are not present in this repository. A pull request has been opened to add the missing file(s). When the pr is merged this issue will be closed automatically.

Microsoft teams can learn more about this effort and share feedback within the open source guidance available internally.

Merge this pull request