Added MFA Registartion Queries

Azure · Oct 4, 2023 · c117ef9 · c117ef9
1 parent 6580195
commit c117ef9
Show file tree

Hide file tree

Showing 2 changed files with 113 additions and 0 deletions.
diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup copy.yaml b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup copy.yaml
@@ -0,0 +1,36 @@
+id: a3a09840-1022-4267-b9e1-d6c9799ed38a
+name: Account MFA Modifications
+description: |
+  'Identifies modifications to user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence.
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+tactics:
+  - DefenseEvasion
+  - Persistence
+relevantTechniques:
+  - T1556.006
+query: |
+  AuditLogs
+  | where Category =~ "UserManagement" 
+  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
+  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
+  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
+  | extend TargetUPN = tostring(TargetResources[0].userPrincipalName)
+  | extend InitiatorID = tostring(InitiatedBy.user.id)
+  | summarize ModifiedAccounts = make_set(TargetUPN, 100), Start = min(TimeGenerated), End = max(TimeGenerated), Actions = make_set(OperationName, 10) by InitiatorID, InitiatorUPN, FromIP
+  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatorID
+      - identifier: Name
+        columnName: InitiatorName
+      - identifier: UPNSuffix
+        columnName: InitiatorSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: FromIP
diff --git a/...ions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml b/...ions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
@@ -0,0 +1,77 @@
+id: aec77100-25c5-4254-a20a-8027ed92c46c
+name: Suspicious Sign In Followed by MFA Modification
+description: |
+  'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+  - connectorId: BehaviorAnalytics
+    dataTypes:
+      - BehaviorAnalytics
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+eventGroupingSettings:
+  aggregationKind: AlertPerResult
+status: Available
+tactics:
+  - InitialAccess
+  - DefenseEvasion
+relevantTechniques:
+  - T1078.004
+  - T1556.006
+query: |
+  let PriorityScore = 9;
+  BehaviorAnalytics
+  | where ActionType == "Sign-in"
+  | where InvestigationPriority > PriorityScore
+  | extend UserPrincipalName = tolower(UserPrincipalName)
+  | extend LogOnTime = TimeGenerated
+  | join kind=inner (AuditLogs
+  | where Category =~ "UserManagement" 
+  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
+  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
+  | extend InitiatorID = tostring(InitiatedBy.user.id)
+  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
+  | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
+  | extend TargetId = tostring(TargetResources[0].id)
+  | extend MFAModTime = TimeGenerated
+  | where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
+  | where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
+  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetSuffix = tostring(split(TargetUPN, "@")[1])
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatorID
+      - identifier: Name
+        columnName: InitiatorName
+      - identifier: UPNSuffix
+        columnName: InitiatorSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: TargetId
+      - identifier: Name
+        columnName: TargetName
+      - identifier: UPNSuffix
+        columnName: TargetSuffix
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: FromIP
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: SourceIPAddress
+alertDetailsOverride:
+  alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}
+  alertDescriptionFormat: |
+    This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
+    In this case {{InitiatorUPN}} logged in at {{LogOnTime}} followed by a modification to MFA settings for {{TargetUPN}}.
+    The sign in was from {{SourceIPAddress}} and the MFA modification was made from {{FromIP}}.
+version: 1.0.0
+kind: Scheduled