Merge branch 'master' into v-sabiraj-fixingsigninlogsworkbook

Hunting Queries/AuditLogs/AccountMFAModifications.yaml

@@ -0,0 +1,36 @@
+id: a3a09840-1022-4267-b9e1-d6c9799ed38a
+name: Account MFA Modifications
+description: |
+  'Identifies modifications to user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+tactics:
+  - DefenseEvasion
+  - Persistence
+relevantTechniques:
+  - T1556.006
+query: |
+  AuditLogs
+  | where Category =~ "UserManagement" 
+  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
+  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
+  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
+  | extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
+  | extend InitiatorID = tostring(InitiatedBy.user.id)
+  | summarize ModifiedAccounts = make_set(TargetUPN, 100), Start = min(TimeGenerated), End = max(TimeGenerated), Actions = make_set(OperationName, 10) by InitiatorID, InitiatorUPN, FromIP
+  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatorID
+      - identifier: Name
+        columnName: InitiatorName
+      - identifier: UPNSuffix
+        columnName: InitiatorSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: FromIP

Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml

@@ -0,0 +1,77 @@
+id: aec77100-25c5-4254-a20a-8027ed92c46c
+name: Suspicious Sign In Followed by MFA Modification
+description: |
+  'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - BehaviorAnalytics
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+status: Available
+tactics:
+  - InitialAccess
+  - DefenseEvasion
+relevantTechniques:
+  - T1078.004
+  - T1556.006
+query: |
+  let PriorityScore = 9;
+  BehaviorAnalytics
+  | where ActionType == "Sign-in"
+  | where InvestigationPriority > PriorityScore
+  | extend UserPrincipalName = tolower(UserPrincipalName)
+  | extend LogOnTime = TimeGenerated
+  | join kind=inner (AuditLogs
+  | where Category =~ "UserManagement" 
+  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
+  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
+  | extend InitiatorID = tostring(InitiatedBy.user.id)
+  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
+  | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
+  | extend TargetId = tostring(TargetResources[0].id)
+  | extend MFAModTime = TimeGenerated
+  | where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
+  | where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
+  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetSuffix = tostring(split(TargetUPN, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatorID
+      - identifier: Name
+        columnName: InitiatorName
+      - identifier: UPNSuffix
+        columnName: InitiatorSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: TargetId
+      - identifier: Name
+        columnName: TargetName
+      - identifier: UPNSuffix
+        columnName: TargetSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: FromIP
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+alertDetailsOverride:
+  alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}
+  alertDescriptionFormat: |
+    This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
+    In this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.
+    The sign in was from {{SourceIPAddress}}.
+version: 1.0.0
+kind: Scheduled

Solutions/Azure Active Directory/Data/system_generated_metadata.json

@@ -4,10 +4,10 @@
   "Logo": "<img src=\"https://raw.githubusercontent.com/Azure/Azure-Sentinel/master/Workbooks/Images/Logos/azureactivedirectory_logo.svg\"width=\"75px\" height=\"75px\">",
   "Description": "The [ Azure Active Directory](https://docs.microsoft.com/azure/active-directory/fundamentals/active-directory-whatis)  solution for Microsoft Sentinel enables you to ingest Azure Active Directory [Audit](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-audit-logs), [Sign-in](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-sign-ins), [Provisioning](https://docs.microsoft.com/azure/active-directory/reports-monitoring/concept-provisioning-logs), [Risk Events and Risky User/Service Principal](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk#risky-users) logs using Diagnostic Settings into Microsoft Sentinel.",
   "BasePath": "C:\\GitHub\\Azure-Sentinel",
-  "Version": "3.0.4",
   "Metadata": "SolutionMetadata.json",
   "TemplateSpec": true,
   "Is1PConnector": true,
+  "Version": "3.0.4",
   "publisherId": "azuresentinel",
   "offerId": "azure-sentinel-solution-azureactivedirectory",
   "providers": [

Solutions/Azure Active Directory/Package/createUiDefinition.json

@@ -51,30 +51,6 @@
       }
     ],
     "steps": [
-      {
-        "name": "dataconnectors",
-        "label": "Data Connectors",
-        "bladeTitle": "Data Connectors",
-        "elements": [
-          {
-            "name": "dataconnectors1-text",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "text": "This Solution installs the data connector for Azure Active Directory. You can get Azure Active Directory custom log data in your Microsoft Sentinel workspace. After installing the solution, configure and enable this data connector by following guidance in Manage solution view."
-            }
-          },
-          {
-            "name": "dataconnectors-link2",
-            "type": "Microsoft.Common.TextBlock",
-            "options": {
-              "link": {
-                "label": "Learn more about connecting data sources",
-                "uri": "https://docs.microsoft.com/azure/sentinel/connect-data-sources"
-              }
-            }
-          }
-        ]
-      },
       {
         "name": "workbooks",
         "label": "Workbooks",