Detection: Microsoft Intune Bulk Wipe Detected

[jakeenea51]

Details

Contributing 1 new detection:

• Microsoft Intune Bulk Wipe Detected

Details:

• Inspired by the recent Stryker incident involving a compromised Intune admin account being used to bulk wipe thousands of endpoints
• Currently set to a threshold of >= 5 wipe actions/hour
• I will be opening a separate PR on the attack_data repo to upload the associated test dataset

This is my first time contributing a detection, so let me know if I missed anything or if any information should be changed. Thanks!

Checklist

• Validate name matches <platform>_<mitre att&ck technique>_<short description> nomenclature
• CI/CD jobs passed ✔️
• Validated SPL logic.
• Validated tags, description, and how to implement.
• Verified references match analytic.
• Confirm updates to lookups are handled properly.

Notes For Submitters and Reviewers

• If you're submitting a PR from a fork, ensuring the box to allow updates from maintainers is checked will help speed up the process of getting it merged.
• Checking the output of the build CI job when it fails will likely show an error about what is failing. You may have a very descriptive error of the specific field(s) in the specific file(s) that is causing an issue. In some cases, its also possible there is an issue with the YAML. Many of these can be caught with the pre-commit hooks if you set them up. These errors will be less descriptive as to what exactly is wrong, but will give you a column and row position in a specific file where the YAML processing breaks. If you're having trouble with this, feel free to add a comment to your PR tagging one of the maintainers and we'll be happy to help troubleshoot it.
• Updates to existing lookup files can be tricky, because of how Splunk handles application updates and the differences between existing lookup files being updated vs new lookups. You can read more here but the short version is that any changes to lookup files need to bump the the date and version in the associated YAML file.

[patel-bhavin]

@jakeenea51 - can you Install pre-commit using pip install pre-commit then proceed to installing the hooks via pre-commit install. this is a pre-requisite to validate and apply the proper formatting.

[patel-bhavin]

Do we not get any src related info from the search, it will be good to add that to the output and to the threat object

[jakeenea51]

unfortunately, the intune audit logs do not contain any src-related information (no IP address, workstation, etc.)

to accomodate for this, I've added another drilldown search to allow an analyst to pivot to the user's sign-in logs

[patel-bhavin]

Per Lou's point : we have some strict field validation and this data source has some fields that are needed in the search output :

security_content/data_sources/azure_monitor_activity.yml

Line 112 in 39849c0

output_fields:

will investigate this, will likely need to update this data source object to remove some of these required output fields

[ljstella]

Fixed up the unfortunately-not-surfaced issues in the rba and tags objects, adding an empty list for threat_objects to the rba object, and adding it to an existing analytic_story in tags.

There's still an issue with the data_source because the selected one has some strict field validation - looking at the attack_data supplied in the other (now merged) PR, I think we need a different data source, which we can stub in that does not expect all of the same fields to exist that exist in the current data source.