FalconFriday — AzureAD Edition — 0xFF11

Post-Image

FalconFriday — AzureAD Edition — 0xFF11

After a few missed editions of FalconFriday, we are back! Today, we will cover some detections specifically for attacks related to AzureAD. To make up for the missed editions, we will treat you with a bonus detection rule from our premium catalogue, normally only reserved for our paying customers.

TL;DR for blue teams: With a bit of fine-tuning of these rules, you get good insight in suspicious deviations from normal behaviour in AAD. This helps a great deal in focusing your hunting / response activities in the huge set of events generated by AAD.

TL;DR for red teams: These rules equip the blue team with means to detect slight changes in user behavior. Make sure to emulate your target’s MO even closer when attacking AzureAD.

Cross post from medium.com, please read the full article here:

https://medium.com/falconforce/falconfriday-azuread-edition-0xff11-758a40ff3bf

Direct link to our Github page:

https://github.com/FalconForceTeam/FalconFriday