
Microsoft Open Sources AzDetectSuite Library for Detection Engineering in Azure

The Microsoft security team recently released AzDetectSuite, a collection of KQL queries and detection alerts for security threats on Azure and Azure AD. The open-source project provides basic detection capabilities at a low cost, targeting small environments within the Microsoft cloud platform.

AzDetectSuite is an open-source library designed to help developers detect and understand tactics, techniques, and procedures used in cyber-attacks on Azure networks.

Written to match the Azure Threat Research Matrix (ATRM), a knowledge base built to document known TTPs within Azure and Azure AD, the detections are grouped according to the different tactics involved: reconnaissance, initial access, execution, privilege escalation, persistence, credential access, and exfiltration. Ryan Hausknecht, senior security researcher at Microsoft, explains:

AzDetectSuite is a project created to allow Azure users to establish a basic defense within Azure by giving pre-built KQL queries for each technique within ATRM that are deployable Alerts to Azure Monitor. In ATRM, most (85%+) techniques will have a KQL query and a button that will deploy the query to their Azure subscription.

For example, AzDetectSuite supports detections for attacks like Azure Key Vault dumping, account creation or manipulation, or password spraying. The detections are written using the Kusto Query Language (KQL), a language designed to explore data and discover patterns, identify anomalies and outliers, and create statistical modeling.

The new library relies on Azure Monitor, the centralized service that ingests data from different log sources, including general Azure Log (AzureActivity) and more detailed logs, such as Service Principal Sign-Ins (AADServicePrincipalSignInLogs).

AzDetectSuite is not the primary option available for detecting TTPs on Azure and Azure AD. Hausknecht warns:

AzDetectSuite (ADS) is not meant to compete with Microsoft Defender for Cloud (MDC). MDC provides advanced detections based on your subscription plan and will give more granular control based on the telemetry in a tenant. ADS is meant to be an open-source suite of basic detections for techniques found within ATRM.

The announcement explains how to build alerts for anomalous behaviors and how to handle baselining in KQL. On Twitter, Hausknecht adds:

The goal of this is to continue releasing OSS tooling that will benefit Azure users. It definitely goes against some of the mentality I've come across internally, but I'm firm in my belief that people should be able to have a security baseline for free.
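The password-spraying detection and the baselining approach mentioned above, as an added example in the same KQL-over-Azure-Monitor style; this is illustrative code written for this article, not a query from the AzDetectSuite repository. It assumes Azure AD SigninLogs are being exported to the Log Analytics workspace, and the thresholds (14-day baseline, 1-hour window, 10 accounts, 3 standard deviations) are placeholders to tune per tenant.

```kql
// Added example, not part of AzDetectSuite: flag a source IP that fails
// sign-ins against many distinct accounts in the last hour, and only when
// that count is anomalous against the IP's own 14-day hourly baseline.
let lookback = 14d;              // assumption: baseline period
let window = 1h;                 // assumption: detection window
let min_accounts = 10;           // assumption: floor to suppress noisy IPs
// Baseline: distinct accounts with failed sign-ins per IP per hour,
// excluding the current window so it does not skew its own baseline.
// ResultType "0" is a successful sign-in; anything else is a failure.
let baseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(window))
    | where ResultType != "0"
    | summarize Accounts = dcount(UserPrincipalName)
        by IPAddress, bin(TimeGenerated, window)
    | summarize BaselineAvg = avg(Accounts), BaselineStdev = stdev(Accounts)
        by IPAddress;
// Current window: same aggregation, joined to the baseline per IP.
SigninLogs
| where TimeGenerated > ago(window)
| where ResultType != "0"
| summarize
    FailedAttempts = count(),
    TargetedAccounts = dcount(UserPrincipalName),
    SampleAccounts = make_set(UserPrincipalName, 5),
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated)
    by IPAddress
| join kind=leftouter baseline on IPAddress
// An IP never seen before has no baseline; treat it as zero so it is not dropped.
| extend BaselineAvg = coalesce(BaselineAvg, 0.0),
         BaselineStdev = coalesce(BaselineStdev, 0.0)
// Spray pattern: one source, many accounts, few attempts each. A single user
// mistyping a password hits one account many times and is excluded by dcount.
| where TargetedAccounts >= min_accounts
    and TargetedAccounts > BaselineAvg + 3 * BaselineStdev
| extend AttemptsPerAccount = todouble(FailedAttempts) / TargetedAccounts
| project IPAddress, TargetedAccounts, FailedAttempts, AttemptsPerAccount,
          BaselineAvg, BaselineStdev, SampleAccounts, FirstSeen, LastSeen
| order by TargetedAccounts desc
```

Saved as an Azure Monitor scheduled query alert that runs every hour, any returned row becomes an alert; raising `min_accounts` or the deviation multiplier trades recall for fewer false positives.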

The project's GitHub repository contains the KQL queries and the PowerShell script Invoke-AzDetectSuite.ps1, which imports the detections for all or selected tactics. The detections themselves are free, but customers may still be charged Azure Monitor alert fees.

