Detectionhightest

Discovery Using AzureHound

Detects AzureHound (A BloodHound data collector for Microsoft Azure) activity via the default User-Agent that is used during its operation after successful authentication.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Janantha MarasingheCreated Sun Nov 2735b781cc-1a08-4a5a-80af-42fd7c315c6bcloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        userAgent|contains: 'azurehound'
        ResultType: 0
    condition: selection

False Positives

Unknown

False positive likelihood has not been assessed. Additional context may be needed during triage.

References

Resolving title…

github.com

MITRE ATT&CK

Tactics

TA0007 · Discovery

Techniques

T1526 · Cloud Service Discovery

Sub-techniques

T1087.004 · Cloud Account

Rule Metadata

Rule ID

35b781cc-1a08-4a5a-80af-42fd7c315c6b

Status

test

Level

high

Type

Detection

Created

Sun Nov 27

Author

Janantha Marasinghe

Path

rules/cloud/azure/signin_logs/azure_ad_azurehound_discovery.yml

Raw Tags

attack.discoveryattack.t1087.004attack.t1526

View on GitHub