nldcsc-elastic-rules 0.0.8__py3-none-any.whl

nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_global_administrator_role_assigned.toml

@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2022/01/06"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+In Microsoft Entra ID, permissions to manage resources are assigned using roles. The Global Administrator
+is a role that enables users to have access to all administrative features in Microsoft Entra ID and services that use Microsoft Entra ID
+identities like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
+Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
+subscriptions and their settings and resources. They can also elevate privilege to User Access Administrator to pivot into Azure resources.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID Global Administrator Role Assigned"
+note = """## Triage and analysis
+
+### Investigating Entra ID Global Administrator Role Assigned
+
+Microsoft Entra ID's Global Administrator role grants comprehensive access to manage Microsoft Entra ID and associated services. Adversaries may exploit this by assigning themselves or others to this role, ensuring persistent control over resources. The detection rule identifies such unauthorized assignments by monitoring specific audit logs for role changes, focusing on the addition of members to the Global Administrator role, thus helping to mitigate potential security breaches.
+
+### Possible investigation steps
+
+- Review the Microsoft Entra ID audit logs to identify the user account that performed the "Add member to role" operation, focusing on the specific event dataset and operation name.
+- Verify the identity of the user added to the Global Administrator role by examining the modified properties in the audit logs, specifically the new_value field indicating "Global Administrator".
+- Check the history of role assignments for the identified user to determine if this is a recurring pattern or a one-time event.
+- Investigate the source IP address and location associated with the role assignment event to assess if it aligns with expected user behavior or if it indicates potential unauthorized access.
+- Review any recent changes or activities performed by the newly assigned Global Administrator to identify any suspicious actions or configurations that may have been altered.
+- Consult with the organization's IT or security team to confirm if the role assignment was authorized and aligns with current administrative needs or projects.
+- Correlate with Microsoft Entra ID sign-in logs to check for any unusual login patterns or failed login attempts associated with the user who assigned the role.
+- Review the reported device to determine if it is a known and trusted device or if it raises any security concerns such as unexpected relationships with the source user.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger alerts when legitimate IT staff are assigned the Global Administrator role temporarily for maintenance or configuration purposes. To manage this, create exceptions for known IT personnel or scheduled maintenance windows.
+- Automated scripts or third-party applications that require elevated permissions might be flagged if they are configured to add users to the Global Administrator role. Review and whitelist these scripts or applications if they are verified as safe and necessary for operations.
+- Organizational changes, such as mergers or restructuring, can lead to legitimate role assignments that appear suspicious. Implement a review process to verify these changes and exclude them from triggering alerts if they align with documented organizational changes.
+- Training or onboarding sessions for new IT staff might involve temporary assignment to the Global Administrator role. Establish a protocol to document and exclude these training-related assignments from detection alerts.
+
+### Response and remediation
+
+- Immediately remove any unauthorized users from the Global Administrator role to prevent further unauthorized access and control over Azure AD resources.
+- Conduct a thorough review of recent audit logs to identify any additional unauthorized changes or suspicious activities associated with the compromised account or role assignments.
+- Reset the credentials of the affected accounts and enforce multi-factor authentication (MFA) to enhance security and prevent further unauthorized access.
+- Notify the security operations team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement conditional access policies to restrict Global Administrator role assignments to specific, trusted locations or devices.
+- Review and update role assignment policies to ensure that only a limited number of trusted personnel have the ability to assign Global Administrator roles.
+- Enhance monitoring and alerting mechanisms to detect similar unauthorized role assignments in the future, ensuring timely response to potential threats.
+"""
+references = [
+    "https://securitylabs.datadoghq.com/articles/i-spy-escalating-to-entra-id-global-admin/",
+    "https://docs.microsoft.com/en-us/azure/active-directory/roles/permissions-reference#global-administrator",
+    "https://www.microsoft.com/en-us/security/blog/2025/08/27/storm-0501s-evolving-techniques-lead-to-cloud-based-ransomware/"
+]
+risk_score = 73
+rule_id = "04c5a96f-19c5-44fd-9571-a0b033f9086f"
+severity = "high"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and
+    azure.auditlogs.properties.category:RoleManagement and
+    azure.auditlogs.operation_name:"Add member to role" and
+    azure.auditlogs.properties.target_resources.*.modified_properties.*.new_value: "\"Global Administrator\""
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_pim_user_added_global_admin.toml

@@ -0,0 +1,101 @@
+[metadata]
+creation_date = "2020/09/24"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM)
+user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an
+organization. Users who are assigned to the Global administrator role can read and modify any administrative setting in
+your Azure AD organization.
+"""
+false_positives = [
+    """
+    Global administrator additions may be done by a system or network administrator. Verify whether the username,
+    hostname, and/or resource name should be making changes in your environment. Global administrator additions from
+    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+    from the rule.
+    """,
+]
+index = ["logs-azure.auditlogs-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Global Administrator Role Addition to PIM User"
+note = """## Triage and analysis
+
+> **Disclaimer**:
+> This investigation guide was created using generative AI technology and has been reviewed to improve its accuracy and relevance. While every effort has been made to ensure its quality, we recommend validating the content and adapting it to suit your specific environment and operational needs.
+
+### Investigating Azure Global Administrator Role Addition to PIM User
+
+Azure AD's Global Administrator role grants extensive access, allowing users to modify any administrative setting. Privileged Identity Management (PIM) helps manage and monitor such access. Adversaries may exploit this by adding themselves or others to this role, gaining persistent control. The detection rule identifies suspicious role additions by monitoring specific audit logs, focusing on successful role assignments to PIM users, thus helping to flag potential unauthorized access attempts.
+
+### Possible investigation steps
+
+- Review the Azure audit logs to confirm the details of the role addition event, focusing on the event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement fields.
+- Identify the user account that was added to the Global Administrator role by examining the azure.auditlogs.properties.target_resources.*.display_name field.
+- Check the event.outcome field to ensure the role addition was successful and not a failed attempt.
+- Investigate the user account's recent activities and login history to determine if there are any anomalies or signs of compromise.
+- Verify if the role addition aligns with any recent administrative changes or requests within the organization to rule out legitimate actions.
+- Assess the potential impact of the role addition by reviewing the permissions and access levels granted to the user.
+- If suspicious activity is confirmed, initiate a response plan to remove unauthorized access and secure the affected accounts.
+
+### False positive analysis
+
+- Routine administrative tasks may trigger alerts when legitimate IT staff are assigned the Global Administrator role for maintenance or updates. To manage this, create exceptions for known IT personnel or scheduled maintenance windows.
+- Automated scripts or tools used for role assignments can cause false positives if they frequently add users to the Global Administrator role. Consider excluding these automated processes from monitoring or adjusting the detection rule to account for their activity.
+- Temporary project-based role assignments might be flagged as suspicious. Implement a process to document and pre-approve such assignments, allowing for their exclusion from alerts.
+- Training or onboarding sessions where new administrators are temporarily granted elevated access can result in false positives. Establish a protocol to notify the monitoring team of these events in advance, so they can be excluded from the detection rule.
+
+### Response and remediation
+
+- Immediately revoke the Global Administrator role from any unauthorized PIM user identified in the alert to prevent further unauthorized access.
+- Conduct a thorough review of recent changes made by the affected account to identify any unauthorized modifications or suspicious activities.
+- Reset the credentials of the compromised account and enforce multi-factor authentication (MFA) to secure the account against further unauthorized access.
+- Notify the security team and relevant stakeholders about the incident for awareness and further investigation.
+- Implement additional monitoring on the affected account and related systems to detect any further suspicious activities.
+- Review and update access policies and role assignments in Azure AD to ensure that only necessary personnel have elevated privileges.
+- Document the incident and response actions taken for future reference and to improve incident response procedures.
+
+## Setup
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/directory-assign-admin-roles",
+]
+risk_score = 73
+rule_id = "ed9ecd27-e3e6-4fd9-8586-7754803f7fc8"
+severity = "high"
+tags = ["Domain: Cloud", "Data Source: Azure", "Use Case: Identity and Access Audit", "Tactic: Persistence", "Resources: Investigation Guide"]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.properties.category:RoleManagement and
+    azure.auditlogs.operation_name:("Add eligible member to role in PIM completed (permanent)" or
+                                    "Add member to role in PIM completed (timebound)") and
+    azure.auditlogs.properties.target_resources.*.display_name:"Global Administrator" and
+    event.outcome:(Success or success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+

nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_privileged_identity_management_role_modified.toml

@@ -0,0 +1,114 @@
+[metadata]
+creation_date = "2020/09/01"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/30"
+
+[rule]
+author = ["Elastic"]
+description = """
+Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and
+monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles
+such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to
+maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.
+"""
+from = "now-9m"
+index = ["logs-azure.auditlogs-*", "filebeat-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Azure Privilege Identity Management Role Modified"
+note = """## Triage and analysis
+
+### Investigating Azure Privilege Identity Management Role Modified
+
+Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles such as Global Administrator and Application Administrator.
+
+This rule identifies the update of PIM role settings, which can indicate that an attacker has already gained enough access to modify role assignment settings.
+
+#### Possible investigation steps
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Consider the source IP address and geolocation for the user who issued the command. Do they look normal for the user?
+- Consider the time of day. If the user is a human, not a program or script, did the activity take place during a normal time of day?
+- Check if this operation was approved and performed according to the organization's change management policy.
+- Contact the account owner and confirm whether they are aware of this activity.
+- Examine the account's commands, API calls, and data management actions in the last 24 hours.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+
+### False positive analysis
+
+- If this activity didn't follow your organization's change management policies, it should be reviewed by the security team.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Check if unauthorized new users were created, remove unauthorized new accounts, and request password resets for other IAM users.
+- Restore the PIM roles to the desired state.
+- Consider enabling multi-factor authentication for users.
+- Follow security best practices [outlined](https://docs.microsoft.com/en-us/azure/security/fundamentals/identity-management-best-practices) by Microsoft.
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+
+## Setup
+
+The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule."""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-resource-roles-assign-roles",
+    "https://docs.microsoft.com/en-us/azure/active-directory/privileged-identity-management/pim-configure",
+]
+risk_score = 47
+rule_id = "7882cebf-6cf1-4de3-9662-213aa13e8b80"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Use Case: Identity and Access Audit",
+    "Resources: Investigation Guide",
+    "Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset:azure.auditlogs and azure.auditlogs.operation_name:"Update role setting in PIM" and event.outcome:(Success or success)
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+[[rule.threat.technique.subtechnique]]
+id = "T1098.003"
+name = "Additional Cloud Roles"
+reference = "https://attack.mitre.org/techniques/T1098/003/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1078"
+name = "Valid Accounts"
+reference = "https://attack.mitre.org/techniques/T1078/"
+
+
+[rule.threat.tactic]
+id = "TA0005"
+name = "Defense Evasion"
+reference = "https://attack.mitre.org/tactics/TA0005/"
+

nldcsc_elastic_rules/rules/integrations/azure/persistence_azure_service_principal_credentials_added.toml

@@ -0,0 +1,111 @@
+[metadata]
+creation_date = "2021/05/05"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/05/27"
+
+[rule]
+author = ["Elastic", "Austin Songer"]
+description = """
+Identifies when new Service Principal credentials have been added in Microsoft Entra ID. In most organizations,
+credentials will be added to service principals infrequently. Hijacking an application (by adding a rogue secret or
+certificate) with granted permissions will allow the attacker to access data that is normally protected by MFA
+requirements.
+"""
+false_positives = [
+    """
+    Service principal credential additions may be done by a system or network administrator. Verify whether the
+    username, hostname, and/or resource name should be making changes in your environment. Credential additions from
+    unfamiliar users or hosts should be investigated. If known behavior is causing false positives, it can be exempted
+    from the rule.
+    """,
+]
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Entra ID Service Principal Credentials Added by Rare User"
+note = """## Triage and analysis
+
+### Investigating Microsoft Entra ID Service Principal Credentials Added by Rare User
+
+This rule identifies the addition of new credentials (client secrets or certificates) to a Microsoft Entra ID (formerly Azure AD) service principal by a user who has not previously performed this operation in the last 10 days. Adversaries who obtain temporary or persistent access to a user account may add rogue credentials to service principals in order to maintain unauthorized access to cloud resources.
+
+This is a [New Terms](https://www.elastic.co/guide/en/security/current/rules-ui-create.html#create-new-terms-rule) rule that detects rare users performing sensitive identity-related actions in Entra ID.
+
+#### Possible Investigation Steps
+- Identify the Actor: Review the `azure.auditlogs.properties.initiated_by.user.user_principal_name` and `azure.auditlogs.properties.initiated_by.user.id` fields to identify the user account performing the action. Determine if this user typically manages service principals.
+- Check for Known Admin or Automation Context: Validate if the action was expected (e.g., part of a deployment pipeline or credential rotation process). Investigate whether this is a known administrative account or an automated service principal maintainer.
+- Inspect Credential Type: Determine if a certificate or client secret was added, and assess its expiration time, usage scope, and whether it aligns with internal practices.
+- Correlate with Other Events: Look for surrounding events such as creation of new service principals, assignment of roles or permissions, or suspicious application sign-ins that could indicate persistence or privilege escalation.
+- Analyze Source of Activity: Review `source.ip` and `user_agent.original` fields to assess whether the request came from a trusted network or device. Unexpected geolocations, hosting providers, or Linux CLI-based user agents may indicate unauthorized activity.
+
+### False Positive Analysis
+- Routine Administrative Tasks: This alert may trigger when legitimate administrators or DevOps engineers rotate credentials for service principals as part of normal operations.
+- First-Time Actions by Known Accounts: If a new user joins the team or an existing user is performing this task for the first time in the observed period, it may be expected behavior. Verify with the relevant team.
+
+### Response and Remediation
+- Revoke Unauthorized Credentials: If suspicious, disable or delete the newly added service principal credential immediately.
+- Investigate User Account: Review the login history, IP address usage, and other activity from the initiating user to determine whether the account is compromised.
+- Audit Affected Service Principal: Evaluate the permissions granted to the service principal to understand the potential impact of misuse.
+- Review RBAC and Least Privilege: Ensure that only authorized identities have permission to add credentials to service principals. Tighten IAM role definitions if necessary.
+- Enable Just-in-Time or Approval-Based Access: Consider implementing access control policies that require approvals for modifying service principals or adding credentials.
+"""
+
+references = [
+    "https://cloud.google.com/blog/topics/threat-intelligence/remediation-and-hardening-strategies-for-microsoft-365-to-defend-against-unc2452",
+    "https://dirkjanm.io/azure-ad-privilege-escalation-application-admin/",
+    "https://www.cisa.gov/news-events/alerts/2025/05/22/advisory-update-cyber-threat-activity-targeting-commvaults-saas-cloud-application-metallic"
+]
+risk_score = 47
+rule_id = "f766ffaf-9568-4909-b734-75d19b35cbf4"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide",
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.auditlogs"
+    and azure.auditlogs.operation_name:"Add service principal credentials"
+    and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1098"
+name = "Account Manipulation"
+reference = "https://attack.mitre.org/techniques/T1098/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1098.001"
+name = "Additional Cloud Credentials"
+reference = "https://attack.mitre.org/techniques/T1098/001/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = [
+    "azure.auditlogs.properties.target_resources.0.display_name",
+    "azure.auditlogs.properties.initiated_by.user.id",
+]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-10d"
+
+

nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_conditional_access_policy_modified.toml

@@ -0,0 +1,116 @@
+[metadata]
+creation_date = "2020/09/01"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/26"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies a modification to a conditional access policy (CAP) in Microsoft Entra ID. Adversaries may modify existing CAPs to loosen access controls and maintain persistence in the environment with a compromised identity or entity.
+"""
+from = "now-9m"
+index = ["filebeat-*", "logs-azure.auditlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Microsoft Entra ID Conditional Access Policy (CAP) Modified"
+note = """## Triage and analysis
+
+## Investigation Guide: Microsoft Entra ID Conditional Access Policy (CAP) Modified
+
+Azure Conditional Access Policies (CAPs) are critical for enforcing secure access requirements such as multi-factor authentication (MFA), restricting specific users or groups, and managing sign-in conditions. Modifying these policies can be a technique for weakening an organization’s defenses and maintaining persistence after initial access.
+
+This rule detects a successful update to a Conditional Access Policy in Microsoft Entra ID (formerly Azure AD).
+
+### Possible Investigation Steps
+
+- **Identify the user who modified the policy:**
+  - Check the value of `azure.auditlogs.properties.initiated_by.user.userPrincipalName` to determine the identity that made the change.
+  - Investigate their recent activity to determine if this change was expected or authorized.
+
+- **Review the modified policy name:**
+  - Look at `azure.auditlogs.properties.target_resources.*.display_name` to find the name of the affected policy.
+  - Determine whether this policy is related to critical controls (e.g., requiring MFA for admins).
+
+- **Analyze the policy change:**
+  - Compare the `old_value` and `new_value` fields under `azure.auditlogs.properties.target_resources.*.modified_properties.*`.
+  - Look for security-reducing changes, such as:
+    - Removing users/groups from enforcement.
+    - Disabling MFA or risk-based conditions.
+    - Introducing exclusions that reduce the policy’s coverage.
+
+- **Correlate with other activity:**
+  - Pivot on `azure.auditlogs.properties.activity_datetime` to identify if any suspicious sign-ins occurred after the policy was modified.
+  - Check for related authentication logs, particularly from the same IP address (`azure.auditlogs.properties.initiated_by.user.ipAddress`).
+
+- **Assess the user's legitimacy:**
+  - Review the initiator’s Azure role, group memberships, and whether their account was recently elevated or compromised.
+  - Investigate whether this user has a history of modifying policies or if this is anomalous.
+
+### Validation & False Positive Considerations
+
+- **Authorized administrative changes:** Some organizations routinely update CAPs as part of policy tuning or role-based access reviews.
+- **Security reviews or automation:** Scripts, CI/CD processes, or third-party compliance tools may programmatically update CAPs.
+- **Employee lifecycle events:** Policy changes during employee onboarding/offboarding may include updates to access policies.
+
+If any of these cases apply and align with the activity's context, consider tuning the rule or adding exceptions for expected patterns.
+
+### Response & Remediation
+
+- Revert unauthorized or insecure changes to the Conditional Access Policy immediately.
+- Temporarily increase monitoring of CAP modifications and sign-in attempts.
+- Lock or reset the credentials of the user account that made the change if compromise is suspected.
+- Conduct a broader access review of conditional access policies and privileged user activity.
+- Implement stricter change management and alerting around CAP changes.
+"""
+references = [
+    "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/overview",
+    "https://www.rezonate.io/blog/microsoft-entra-id-the-complete-guide-to-conditional-access-policies/"
+]
+risk_score = 47
+rule_id = "bc48bba7-4a23-4232-b551-eca3ca1e3f20"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Use Case: Configuration Audit",
+    "Tactic: Persistence",
+    "Resources: Investigation Guide"
+]
+timestamp_override = "event.ingested"
+type = "new_terms"
+
+query = '''
+event.dataset: "azure.auditlogs"
+    and event.action:"Update conditional access policy"
+    and event.outcome: "success"
+'''
+
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+
+[[rule.threat.technique.subtechnique]]
+id = "T1556.009"
+name = "Conditional Access Policies"
+reference = "https://attack.mitre.org/techniques/T1556/009/"
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+
+[rule.new_terms]
+field = "new_terms_fields"
+value = ["azure.auditlogs.properties.initiated_by.user.userPrincipalName"]
+[[rule.new_terms.history_window_start]]
+field = "history_window_start"
+value = "now-14d"

nldcsc_elastic_rules/rules/integrations/azure/persistence_entra_id_mfa_disabled_for_user.toml

@@ -0,0 +1,104 @@
+[metadata]
+creation_date = "2020/08/20"
+integration = ["azure"]
+maturity = "production"
+updated_date = "2025/09/08"
+
+[rule]
+author = ["Elastic"]
+description = """
+Identifies when multi-factor authentication (MFA) is disabled for an Entra ID user account. An adversary may disable MFA
+for a user account in order to weaken the authentication requirements for the account.
+"""
+from = "now-9m"
+index = ["logs-azure.auditlogs-*"]
+language = "kuery"
+license = "Elastic License v2"
+name = "Entra ID MFA Disabled for User"
+note = """## Triage and analysis
+
+### Investigating Entra ID MFA Disabled for User
+
+Multi-factor authentication is a process in which users are prompted during the sign-in process for an additional form of identification, such as a code on their cellphone or a fingerprint scan.
+
+If you only use a password to authenticate a user, it leaves an insecure vector for attack. If the password is weak or has been exposed elsewhere, an attacker could be using it to gain access. When you require a second form of authentication, security is increased because this additional factor isn't something that's easy for an attacker to obtain or duplicate.
+
+For more information about using MFA in Microsoft Entra ID, access the [official documentation](https://docs.microsoft.com/en-us/azure/active-directory/authentication/concept-mfa-howitworks#how-to-enable-and-use-azure-ad-multi-factor-authentication).
+
+This rule identifies the deactivation of MFA for an Entra ID user account. This modification weakens account security and can lead to the compromise of accounts and other assets.
+
+#### Possible investigation steps
+
+- Identify the user account that performed the action and whether it should perform this kind of action.
+- Investigate other alerts associated with the user account during the past 48 hours.
+- Contact the account and resource owners and confirm whether they are aware of this activity.
+- Correlate with Entra ID Sign-In Logs to identify anomalous sign-in attempts following MFA disablement.
+- This rule does not identify if the user was removed from a conditional access policy (CAP) with MFA requirements.
+    - Instead the rule identifies both legacy and modern MFA disablement through user settings.
+- Check if this operation was approved and performed according to the organization's change management policy.
+- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
+
+### False positive analysis
+
+- While this activity can be done by administrators, all users must use MFA. The security team should address any potential benign true positive (B-TP), as this configuration can risk the user and domain.
+
+### Response and remediation
+
+- Initiate the incident response process based on the outcome of the triage.
+- Disable or limit the account during the investigation and response.
+- Identify the possible impact of the incident and prioritize accordingly; the following actions can help you gain context:
+    - Identify the account role in the cloud environment.
+    - Assess the criticality of affected services and servers.
+    - Work with your IT team to identify and minimize the impact on users.
+    - Identify if the attacker is moving laterally and compromising other accounts, servers, or services.
+    - Identify any regulatory or legal ramifications related to this activity.
+- Investigate credential exposure on systems compromised or used by the attacker to ensure all compromised accounts are identified. Reset passwords or delete API keys as needed to revoke the attacker's access to the environment. Work with your IT teams to minimize the impact on business operations during these actions.
+- Reactivate multi-factor authentication for the user.
+- Review the permissions assigned to the implicated user to ensure that the least privilege principle is being followed.
+- Implement security defaults [provided by Microsoft](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/concept-fundamentals-security-defaults).
+- Determine the initial vector abused by the attacker and take action to prevent reinfection via the same vector.
+- Using the incident response data, update logging and audit policies to improve the mean time to detect (MTTD) and the mean time to respond (MTTR).
+"""
+risk_score = 47
+rule_id = "dafa3235-76dc-40e2-9f71-1773b96d24cf"
+severity = "medium"
+tags = [
+    "Domain: Cloud",
+    "Domain: Identity",
+    "Data Source: Azure",
+    "Data Source: Microsoft Entra ID",
+    "Data Source: Microsoft Entra ID Audit Logs",
+    "Use Case: Identity and Access Audit",
+    "Resources: Investigation Guide",
+    "Tactic: Persistence",
+]
+timestamp_override = "event.ingested"
+type = "query"
+
+query = '''
+event.dataset: "azure.auditlogs" and
+    (azure.auditlogs.operation_name: "Disable Strong Authentication" or
+    (
+        azure.auditlogs.operation_name: "User deleted security info" and
+        azure.auditlogs.properties.additional_details.key: "AuthenticationMethod"
+    )) and event.outcome: (Success or success)
+'''
+
+[[rule.threat]]
+framework = "MITRE ATT&CK"
+[[rule.threat.technique]]
+id = "T1556"
+name = "Modify Authentication Process"
+reference = "https://attack.mitre.org/techniques/T1556/"
+[[rule.threat.technique.subtechnique]]
+id = "T1556.006"
+name = "Multi-Factor Authentication"
+reference = "https://attack.mitre.org/techniques/T1556/006/"
+
+
+
+[rule.threat.tactic]
+id = "TA0003"
+name = "Persistence"
+reference = "https://attack.mitre.org/tactics/TA0003/"
+