diff --git a/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup copy.yaml b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup copy.yaml new file mode 100644 index 00000000000..1ac7d527afa --- /dev/null +++ b/Hunting Queries/AuditLogs/AccountAddedtoPrivilegedPIMGroup copy.yaml @@ -0,0 +1,36 @@ +id: a3a09840-1022-4267-b9e1-d6c9799ed38a +name: Account MFA Modifications +description: | + 'Identifies modifications to user's MFA settings. An attacker could use access to modify MFA settings to bypass MFA requirements or maintain persistence. +requiredDataConnectors: + - connectorId: AzureActiveDirectory + dataTypes: + - AuditLogs +tactics: + - DefenseEvasion + - Persistence +relevantTechniques: + - T1556.006 +query: | + AuditLogs + | where Category =~ "UserManagement" + | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") + | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName)) + | extend FromIP = tostring(InitiatedBy.user.ipAddress) + | extend TargetUPN = tostring(TargetResources[0].userPrincipalName) + | extend InitiatorID = tostring(InitiatedBy.user.id) + | summarize ModifiedAccounts = make_set(TargetUPN, 100), Start = min(TimeGenerated), End = max(TimeGenerated), Actions = make_set(OperationName, 10) by InitiatorID, InitiatorUPN, FromIP + | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1]) +entityMappings: + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatorID + - identifier: Name + columnName: InitiatorName + - identifier: UPNSuffix + columnName: InitiatorSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: FromIP diff --git a/Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml b/Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml new file mode 100644 index 00000000000..672e64ca1e7 --- /dev/null +++ b/Solutions/Azure Active Directory/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml @@ -0,0 +1,77 @@ +id: aec77100-25c5-4254-a20a-8027ed92c46c +name: Suspicious Sign In Followed by MFA Modification +description: | + 'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.' +severity: Medium +requiredDataConnectors: + - connectorId: AzureActiveDirectory + dataTypes: + - AuditLogs + - connectorId: BehaviorAnalytics + dataTypes: + - BehaviorAnalytics +queryFrequency: 1d +queryPeriod: 1d +triggerOperator: gt +triggerThreshold: 0 +eventGroupingSettings: + aggregationKind: AlertPerResult +status: Available +tactics: + - InitialAccess + - DefenseEvasion +relevantTechniques: + - T1078.004 + - T1556.006 +query: | + let PriorityScore = 9; + BehaviorAnalytics + | where ActionType == "Sign-in" + | where InvestigationPriority > PriorityScore + | extend UserPrincipalName = tolower(UserPrincipalName) + | extend LogOnTime = TimeGenerated + | join kind=inner (AuditLogs + | where Category =~ "UserManagement" + | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") + | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName)) + | extend InitiatorID = tostring(InitiatedBy.user.id) + | extend FromIP = tostring(InitiatedBy.user.ipAddress) + | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName)) + | extend TargetId = tostring(TargetResources[0].id) + | extend MFAModTime = TimeGenerated + | where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN + | where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h)) + | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetSuffix = tostring(split(TargetUPN, "@")[1]) +entityMappings: + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: InitiatorID + - identifier: Name + columnName: InitiatorName + - identifier: UPNSuffix + columnName: InitiatorSuffix + - entityType: Account + fieldMappings: + - identifier: AadUserId + columnName: TargetId + - identifier: Name + columnName: TargetName + - identifier: UPNSuffix + columnName: TargetSuffix + - entityType: IP + fieldMappings: + - identifier: Address + columnName: FromIP + - entityType: IP + fieldMappings: + - identifier: Address + columnName: SourceIPAddress +alertDetailsOverride: + alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}} + alertDescriptionFormat: | + This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user. + In this case {{InitiatorUPN}} logged in at {{LogOnTime}} followed by a modification to MFA settings for {{TargetUPN}}. + The sign in was from {{SourceIPAddress}} and the MFA modification was made from {{FromIP}}. +version: 1.0.0 +kind: Scheduled \ No newline at end of file