Azure Logic Apps – Detecting an O365 breach

So, I’ve been playing a lot lately with Azure and Logic Apps, and I thought it would be useful to detect an O365 breach in as little time as possible. Let’s go ahead and build that. Before jumping in, the following are the prerequisites.

Prerequisites: an Azure Log Analytics workspace, with the O365 audit logs being ingested into that workspace (they land in the OfficeActivity table, which the query below reads).

Azure Logic App: it is essentially an orchestrator for Azure. It has a lot of potential, such as creating automated response tasks. It can be as simple as telling you when there is a new tweet about your company, or as complex as finding a breached account and disabling it before the IR process has even started.

The final logic app we will be building will look like the following:

Create a new logic app

This process is fairly simple and straightforward. Go ahead and search for Logic App in portal.azure.com and create a new logic app. You need permissions either to create a resource group or to use an existing one. Choose an appropriate subscription, a resource group, and a location to deploy the app to.

Add a +New step, type either Schedule or Recurrence, and configure it for a 1-hour interval. This is our first step, the trigger that runs the rest of the app every hour.

Add another +New step as above and type Azure Log Analytics, then configure it as follows. It will ask you to sign in to a Microsoft account. It is very important to choose an account which has access to both the Log Analytics workspace and its resource group. The following is the query we will run against the Log Analytics workspace to identify whether any new inbox rules were created.

Note: this query checks inbox rules because it is the most common practice for an attacker to set up an inbox rule and monitor for a while before launching further attacks. It is not the only thing every attacker does, though: this part only identifies breached accounts under the assumption that the attacker creates inbox rules for data exfiltration. My query looks back one day, but you can look back one hour (matching the 1-hour recurrence) to detect a potential breach within the hour.

OfficeActivity
| where TimeGenerated > now() - 1d   // look back one day; use 1h to match the hourly trigger
| where Operation contains "New-InboxRule" or Operation contains "Set-InboxRule"
// keep only the fields the email and Slack message reference below
| project TimeGenerated, Operation, UserId, OrganizationName, ClientIP, Parameters

This is where it gets interesting. Now that we have run the query, we want to take the output and do something with it, such as sending an email. Email alone can be a problem in a big tenancy, so how about sending an email and posting to Slack as well? Sounds good, right? For this we need to add the next +New step, search for Control, click on it and choose the For each control.

We will use the For each loop to send the email. The following are the settings. We can choose which parts of the output we want to see in the email. This depends on the output produced by the previous step, in our case the Log Analytics query. We are only interested in the type of rule created, the email account identified, the tenancy, the IP address the rule was created from, and the detailed rule parameters for investigation.

Let’s add an action: click + and click on Add an action, then choose HTTP as shown below. This HTTP action is what will call the Slack webhook.

Now onto the very interesting Slack post part. Whenever a new inbox rule is identified we want it posted to a Slack channel as well, so someone can pick it up. The following is the JSON body for the HTTP action that calls the Slack webhook: set the method to POST, the URI to your webhook URL, and a Content-Type header of application/json. The items('For_each_2') expressions refer to the For each loop by its name, so it must match the name of your loop.

{
  "text": "Following is the event data associated\n Type of rule created : @{items('For_each_2')?['Operation']}\n Email account : @{items('For_each_2')?['UserId']}\n Tenancy : @{items('For_each_2')?['OrganizationName']}\n From IP Address: @{items('For_each_2')?['ClientIP']}\n Detailed Rule Parameters: @{items('For_each_2')?['Parameters']}\n Please investigate further"
}
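The detection and the Slack message above, as an added example that is not part of the original post and does not use Logic Apps: the same time-window and Operation filter as the KQL query, run offline over constructed OfficeActivity records, followed by the same message layout the HTTP action sends. It assumes the record fields used by the post (Operation, UserId, OrganizationName, ClientIP, Parameters) and that Parameters arrives as a JSON string of Name/Value pairs. It goes one step beyond the post by rating each rule on whether it forwards mail out of the mailbox or hides it, which is the shape of a rule used for exfiltration; that scoring and the sample records are additions for this example.

```python
"""Inbox-rule breach detection run offline over constructed OfficeActivity records."""
import json
import urllib.request
from datetime import datetime, timedelta, timezone

# Constructed sample of what the Log Analytics query returns (not real data).
# Parameters is assumed to be a JSON string of {"Name": ..., "Value": ...} pairs.
SAMPLE_RECORDS = [
    {"TimeGenerated": "2020-05-01T08:15:00Z", "Operation": "New-InboxRule",
     "UserId": "alice@contoso.example", "OrganizationName": "contoso.example",
     "ClientIP": "198.51.100.23",
     "Parameters": json.dumps([{"Name": "Name", "Value": "."},
                               {"Name": "ForwardTo", "Value": "drop@evil.example"},
                               {"Name": "DeleteMessage", "Value": "True"}])},
    {"TimeGenerated": "2020-05-01T09:40:00Z", "Operation": "Set-InboxRule",
     "UserId": "bob@contoso.example", "OrganizationName": "contoso.example",
     "ClientIP": "203.0.113.9",
     "Parameters": json.dumps([{"Name": "Identity", "Value": "Newsletters"},
                               {"Name": "MoveToFolder", "Value": "Newsletters"}])},
    # Not a rule change: the Operation filter must drop it.
    {"TimeGenerated": "2020-05-01T09:41:00Z", "Operation": "MailItemsAccessed",
     "UserId": "bob@contoso.example", "OrganizationName": "contoso.example",
     "ClientIP": "203.0.113.9", "Parameters": "[]"},
    # Outside the one-day window: the time filter must drop it.
    {"TimeGenerated": "2020-04-20T10:00:00Z", "Operation": "New-InboxRule",
     "UserId": "carol@contoso.example", "OrganizationName": "contoso.example",
     "ClientIP": "192.0.2.77",
     "Parameters": json.dumps([{"Name": "RedirectTo", "Value": "x@evil.example"}])},
]

RULE_OPERATIONS = ("New-InboxRule", "Set-InboxRule")
# Rule parameters that send mail out of the mailbox, or hide it from the owner.
# This scoring is an addition for the example, not part of the post's query.
EXFIL_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
HIDE_PARAMS = {"DeleteMessage", "MoveToFolder", "MarkAsRead"}


def parse_time(ts):
    """Timestamps in the sample are ISO 8601 with a Z suffix (UTC)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_inbox_rule_events(records, now, window=timedelta(days=1)):
    """Python equivalent of the post's KQL: time window plus Operation 'contains' filter."""
    since = now - window
    return [r for r in records
            if parse_time(r["TimeGenerated"]) > since
            and any(op in r["Operation"] for op in RULE_OPERATIONS)]


def rule_parameters(record):
    """Flatten the Parameters JSON into a {Name: Value} dict."""
    return {p["Name"]: p["Value"] for p in json.loads(record["Parameters"])}


def rule_risk(record):
    """'high' if the rule forwards/redirects mail, 'medium' if it hides mail, else 'low'."""
    names = set(rule_parameters(record))
    if names & EXFIL_PARAMS:
        return "high"
    if names & HIDE_PARAMS:
        return "medium"
    return "low"


def slack_payload(record):
    """Same fields the logic app's HTTP action puts in the Slack message, plus the risk."""
    text = ("Following is the event data associated\n"
            f"Type of rule created : {record['Operation']}\n"
            f"Email account : {record['UserId']}\n"
            f"Tenancy : {record['OrganizationName']}\n"
            f"From IP Address: {record['ClientIP']}\n"
            f"Detailed Rule Parameters: {record['Parameters']}\n"
            f"Risk: {rule_risk(record)}\n"
            "Please investigate further")
    return {"text": text}


def post_to_slack(webhook_url, payload):
    """POST the payload to a Slack incoming webhook (needs network; not used offline)."""
    req = urllib.request.Request(webhook_url, data=json.dumps(payload).encode(),
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    now = parse_time("2020-05-01T10:00:00Z")   # fixed "now" so the sample run is reproducible
    for event in find_inbox_rule_events(SAMPLE_RECORDS, now):
        print(json.dumps(slack_payload(event), indent=2))
```

Running it prints two Slack payloads: Alice's rule, which forwards and deletes mail, scores high, while Bob's move-to-folder rule scores medium; the MailItemsAccessed event and the three-week-old rule are filtered out just as the KQL would filter them. In the logic app the risk field could drive a Condition control so that only forwarding rules page someone.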

Note: I am not covering how to create a webhook in Slack; there are plenty of tutorials online. You would go to the following page and create an incoming webhook.

Following screenshot shows you how it looks when its done.

And ……. that’s all. Click Save to save your logic app, then test it by clicking Run at the top of the app. This runs the app once and starts the scheduler. The result looks like the following.

Email received:

Slack output:

Woohoo! now go automate stuff.
