feat: build supply_chain_anomaly.kql — supply chain anomaly detection (T1195)

[TFT444]

📋 Overview

Implement a KQL rule to detect anomalous activity originating from third-party supplier accounts, API keys, and integrations. Supply chain compromise is the attack vector behind the M&S 2025 breach and is one of the hardest threats to detect because supplier access is by definition trusted.

🎯 Acceptance Criteria

• File created at detection-rules/supply_chain_anomaly.kql
• Mapped to MITRE ATT&CK T1195 in rule metadata
• Detects supplier accounts accessing systems outside agreed integration patterns (time, endpoint, volume)
• Flags new or modified service principals and API keys from vendor tenants
• Monitors for lateral movement originating from supplier-associated IPs
• Severity set to High
• Unit test written in tests/detection-rules/test_kql_rules.py
• Documentation updated in docs/mitre-mapping.md
• PR reviewed and merged to dev

🔗 Related

• MITRE Technique: T1195 — Supply Chain Compromise
• Related files: sentinel/watchlists/retail-ioc-watchlist.csv, docs/threat-model.md
• Dependencies: Azure AD audit logs, third-party API gateway logs in Sentinel

📚 Resources

• NCSC supply chain security guidance
• M&S breach post-mortem analysis

[TFT444]

Assessment: completed-by-existing-code

detection-rules/retail/supply_chain_anomaly.kql (RS-SUP-001) is fully implemented and merged to dev. The rule covers 4 correlated signals: SupplierAdminAccess (supplier API key hitting admin endpoints), NewServicePrincipal (supplier account creating AAD service principals), UnauthorisedEndpointAccess (supplier accessing sensitive endpoints outside agreed spec), and MassDataExport (bulk record export ≥1000 records). Severity: High. File is at detection-rules/retail/supply_chain_anomaly.kql (PR #60).

---

Generated by Claude Code