High-Risk Cross-Cloud User Impersonation
Id | f4a28082-2808-4783-9736-33c1ae117475 |
Rulename | High-Risk Cross-Cloud User Impersonation |
Description | This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments. |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1134 T1078.002 T1078.004 |
Required data connectors | AWS AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml |
Version | 1.0.1 |
Arm template | f4a28082-2808-4783-9736-33c1ae117475.json |
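// Retrieve Azure AD SigninLogs within the last day.
// Correlates high-risk Entra ID sign-ins with sensitive AWS IAM / Identity Store / WorkMail /
// WorkDocs API calls made from the same source IP shortly afterwards. The rule's queryPeriod
// (1d) bounds both tables, so no explicit TimeGenerated filter is needed here.
SigninLogs
// Filter for specific AppDisplayNames and Risk Levels.
// Both the aggregated and the during-sign-in risk level must be "high"; the AppDisplayName
// match is case-sensitive (`in`, not `in~`).
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
    and RiskLevelAggregated == "high"
    and RiskLevelDuringSignIn == "high"
// Label the sign-in outcome. Failed sign-ins are deliberately kept (not filtered out); the
// Result column is carried through the summarize below so the analyst can tell a successful
// risky sign-in from a failed attempt. Previously Result was computed but then dropped by
// the summarize, so it never reached the output.
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
// Summarize AppDisplayNames by relevant attributes
| summarize make_set(AppDisplayName)
    by
    IPAddress,
    signInTime=TimeGenerated,
    UserPrincipalName,
    Result,
    RiskEventTypes,
    RiskEventTypes_V2
// Inner join with AWS CloudTrail events.
// NOTE: the join key is the source IP only. Shared egress/NAT or VPN addresses will correlate
// unrelated Azure and AWS identities, so compare AzureUser and AwsUser during triage.
| join kind=inner (
    AWSCloudTrail
    // Only successful API calls; calls that failed (e.g. with an access error) have an ErrorMessage
    | where isempty(ErrorMessage)
    | where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
    // List of AWS event names (identity, credential and mail-domain changes); case-insensitive match
    | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
    // Summarize relevant attributes
    | summarize make_set(RequestParameters), make_set(ResponseElements)
        by
        SourceIpAddress,
        UserIdentityArn,
        UserIdentityType,
        EventName,
        EventTime=TimeGenerated,
        EventSource
    )
    on $left.IPAddress == $right.SourceIpAddress
// Exact elapsed time from the Azure sign-in to the AWS event, as a timespan.
// datetime_diff("hour", ...) counts clock-hour boundaries crossed rather than elapsed time, so
// the old check returned 0 for an AWS event up to 59 minutes *before* the sign-in and 8 for
// events almost 9 hours after it; the effective window was roughly -1h .. +9h.
| extend timedef = EventTime - signInTime
// Keep only AWS events that occur at or after the sign-in and within the following 8 hours
| where timedef between (0s .. 8h)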
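severity: Medium
relevantTechniques:
  - T1134
  - T1078.002
  - T1078.004
# Fields surfaced on the alert; AzureUser / AwsUser are the two identities the analyst must
# compare, because the query joins on source IP alone (see the NOTE in the query).
customDetails:
  RiskEventTypes: RiskEventTypes
  AzureUser: UserPrincipalName
  AWSEventName: EventName
  AwsUser: UserIdentityArn
queryFrequency: 1d
kind: Scheduled
version: 1.0.1
triggerOperator: gt
description: |
  'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
queryPeriod: 1d
id: f4a28082-2808-4783-9736-33c1ae117475
# Only the AWS source IP is mapped as an entity; UserPrincipalName and UserIdentityArn are
# exposed through customDetails only, not as Account entities.
entityMappings:
  - entityType: IP
    fieldMappings:
      - columnName: SourceIpAddress
        identifier: Address
tactics:
  - PrivilegeEscalation
name: High-Risk Cross-Cloud User Impersonation
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml
query: |
  // Retrieve Azure AD SigninLogs within the last day.
  // Correlates high-risk Entra ID sign-ins with sensitive AWS IAM / Identity Store / WorkMail /
  // WorkDocs API calls made from the same source IP shortly afterwards. The rule's queryPeriod
  // (1d) bounds both tables, so no explicit TimeGenerated filter is needed here.
  SigninLogs
  // Filter for specific AppDisplayNames and Risk Levels.
  // Both the aggregated and the during-sign-in risk level must be "high"; the AppDisplayName
  // match is case-sensitive (`in`, not `in~`).
  | where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
      and RiskLevelAggregated == "high"
      and RiskLevelDuringSignIn == "high"
  // Label the sign-in outcome. Failed sign-ins are deliberately kept (not filtered out); the
  // Result column is carried through the summarize below so the analyst can tell a successful
  // risky sign-in from a failed attempt. Previously Result was computed but then dropped by
  // the summarize, so it never reached the output.
  | extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
  // Summarize AppDisplayNames by relevant attributes
  | summarize make_set(AppDisplayName)
      by
      IPAddress,
      signInTime=TimeGenerated,
      UserPrincipalName,
      Result,
      RiskEventTypes,
      RiskEventTypes_V2
  // Inner join with AWS CloudTrail events.
  // NOTE: the join key is the source IP only. Shared egress/NAT or VPN addresses will correlate
  // unrelated Azure and AWS identities, so compare AzureUser and AwsUser during triage.
  | join kind=inner (
      AWSCloudTrail
      // Only successful API calls; calls that failed (e.g. with an access error) have an ErrorMessage
      | where isempty(ErrorMessage)
      | where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
      // List of AWS event names (identity, credential and mail-domain changes); case-insensitive match
      | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
      // Summarize relevant attributes
      | summarize make_set(RequestParameters), make_set(ResponseElements)
          by
          SourceIpAddress,
          UserIdentityArn,
          UserIdentityType,
          EventName,
          EventTime=TimeGenerated,
          EventSource
      )
      on $left.IPAddress == $right.SourceIpAddress
  // Exact elapsed time from the Azure sign-in to the AWS event, as a timespan.
  // datetime_diff("hour", ...) counts clock-hour boundaries crossed rather than elapsed time, so
  // the old check returned 0 for an AWS event up to 59 minutes *before* the sign-in and 8 for
  // events almost 9 hours after it; the effective window was roughly -1h .. +9h.
  | extend timedef = EventTime - signInTime
  // Keep only AWS events that occur at or after the sign-in and within the following 8 hours
  | where timedef between (0s .. 8h)
requiredDataConnectors:
  - dataTypes:
      - AWSCloudTrail
    connectorId: AWS
  - dataTypes:
      - SigninLogs
    connectorId: AzureActiveDirectory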
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f4a28082-2808-4783-9736-33c1ae117475')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f4a28082-2808-4783-9736-33c1ae117475')]",
"properties": {
"alertRuleTemplateName": "f4a28082-2808-4783-9736-33c1ae117475",
"customDetails": {
"AWSEventName": "EventName",
"AwsUser": "UserIdentityArn",
"AzureUser": "UserPrincipalName",
"RiskEventTypes": "RiskEventTypes"
},
"description": "'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'\n",
"displayName": "High-Risk Cross-Cloud User Impersonation",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml",
"query": "// Retrieve Azure AD SigninLogs within the last day\nSigninLogs \n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\n| where AppDisplayName in (\"Azure Portal\", \"ADFS Trust\", \"Microsoft Azure PowerShell\")\n and RiskLevelAggregated == \"high\"\n and RiskLevelDuringSignIn == \"high\"\n// Summarize AppDisplayNames by relevant attributes\n| extend Result = iff(ResultType == 0, \"Successful Signin\", \"Failed Signin\")\n| summarize make_set(AppDisplayName)\n by\n IPAddress,\n signInTime=TimeGenerated,\n UserPrincipalName,\n RiskEventTypes,\n RiskEventTypes_V2\n// Inner join with AWS CloudTrail events\n| join kind=inner (\n AWSCloudTrail\n | where isempty(ErrorMessage)\n | where EventSource in (\"iam.amazonaws.com\", \"identitystore.amazonaws.com\", \"workmail.amazonaws.com\", \"workdocs.amazonaws.com\")\n // List of AWS event names\n | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\", \"CreateOrganization\", \"SetDefaultMailDomain\", \"SetMailUserDetails\", \"CreateMailUser\", \"ResetPassword\", \"RegisterToWorkMail\", \"DisableMailUsers\", \"EnableMailUsers\", \"DeleteServiceSpecificCredential\", \"CreateServiceSpecificCredential\", \"UpdateAccountEmailAddress\", \"DeleteGroupPolicy\", \"UploadServerCertificate\") \n // Summarize relevant attributes\n | summarize make_set(RequestParameters), make_set(ResponseElements)\n by\n SourceIpAddress,\n UserIdentityArn,\n UserIdentityType,\n EventName,\n EventTime=TimeGenerated,\n EventSource\n )\n on $left.IPAddress == $right.SourceIpAddress \n// Calculate time difference in hours between AWS event and Azure sign-in\n| extend timedef = datetime_diff(\"hour\", EventTime, signInTime)\n// Filter for time differences within a certain range\n| where timedef between (0 .. 8)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078",
"T1134"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}