Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User impersonation by Identity Protection alerts

User impersonation by Identity Protection alerts

Back
Id11c3d541-5fa5-49df-8218-d1c98584473b
RulenameUser impersonation by Identity Protection alerts
DescriptionThis detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user’s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1134
Required data connectorsAWS
AzureActiveDirectoryIdentityProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
Version1.0.0
Arm template11c3d541-5fa5-49df-8218-d1c98584473b.json
Deploy To Azure
// Retrieve SecurityAlerts generated within the last day
 SecurityAlert 
 // Filter alerts for Azure Active Directory Identity Protection and High severity
 | where ProductName has "Azure Active Directory Identity Protection"
 | where AlertSeverity == "High"
 // Extract IP address entities from the 'Entities' field
 | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
 // Filter out alerts without IP address entities
 | where isnotempty(ipAddress)
 // Summarize entities per unique combination of attributes
 | summarize make_set(Entities)
     by
     AlertTime = TimeGenerated,
     ipAddress,
     AlertName,
     ProductName,
     AlertSeverity
 // Perform an inner join with AWS CloudTrail events
 | join kind=inner (
     AWSCloudTrail
     | where isempty(ErrorMessage)
     | extend UserType = tostring(parse_json(RequestParameters).userType) 
     | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
     | summarize
         make_set(RequestParameters),
         make_set(ResponseElements)
         by
         SourceIpAddress,
         UserIdentityArn,
         UserIdentityType,
         EventName,
         EventTime = TimeGenerated
     )
     on $left.ipAddress == $right.SourceIpAddress  
 // Filter results based on temporal correlation
 | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))

customDetails:
  AlertIp: ipAddress
  AlertName: AlertName
  AWSUser: UserIdentityArn
triggerOperator: gt
queryFrequency: 1d
description: |
    'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
version: 1.0.0
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
queryPeriod: 1d
name: User impersonation by Identity Protection alerts
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
id: 11c3d541-5fa5-49df-8218-d1c98584473b
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
severity: Medium
entityMappings:
- fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
  entityType: IP
query: |
  // Retrieve SecurityAlerts generated within the last day
   SecurityAlert 
   // Filter alerts for Azure Active Directory Identity Protection and High severity
   | where ProductName has "Azure Active Directory Identity Protection"
   | where AlertSeverity == "High"
   // Extract IP address entities from the 'Entities' field
   | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
   // Filter out alerts without IP address entities
   | where isnotempty(ipAddress)
   // Summarize entities per unique combination of attributes
   | summarize make_set(Entities)
       by
       AlertTime = TimeGenerated,
       ipAddress,
       AlertName,
       ProductName,
       AlertSeverity
   // Perform an inner join with AWS CloudTrail events
   | join kind=inner (
       AWSCloudTrail
       | where isempty(ErrorMessage)
       | extend UserType = tostring(parse_json(RequestParameters).userType) 
       | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
       | summarize
           make_set(RequestParameters),
           make_set(ResponseElements)
           by
           SourceIpAddress,
           UserIdentityArn,
           UserIdentityType,
           EventName,
           EventTime = TimeGenerated
       )
       on $left.ipAddress == $right.SourceIpAddress  
   // Filter results based on temporal correlation
   | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))  

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/11c3d541-5fa5-49df-8218-d1c98584473b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/11c3d541-5fa5-49df-8218-d1c98584473b')]",
      "properties": {
        "alertRuleTemplateName": "11c3d541-5fa5-49df-8218-d1c98584473b",
        "customDetails": {
          "AlertIp": "ipAddress",
          "AlertName": "AlertName",
          "AWSUser": "UserIdentityArn"
        },
        "description": "'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'\n",
        "displayName": "User impersonation by Identity Protection alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml",
        "query": "// Retrieve SecurityAlerts generated within the last day\n SecurityAlert \n // Filter alerts for Azure Active Directory Identity Protection and High severity\n | where ProductName has \"Azure Active Directory Identity Protection\"\n | where AlertSeverity == \"High\"\n // Extract IP address entities from the 'Entities' field\n | extend ipAddress = extract(@'\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b', 0, Entities)\n // Filter out alerts without IP address entities\n | where isnotempty(ipAddress)\n // Summarize entities per unique combination of attributes\n | summarize make_set(Entities)\n     by\n     AlertTime = TimeGenerated,\n     ipAddress,\n     AlertName,\n     ProductName,\n     AlertSeverity\n // Perform an inner join with AWS CloudTrail events\n | join kind=inner (\n     AWSCloudTrail\n     | where isempty(ErrorMessage)\n     | extend UserType = tostring(parse_json(RequestParameters).userType) \n     | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\") \n     | summarize\n         make_set(RequestParameters),\n         make_set(ResponseElements)\n         by\n         SourceIpAddress,\n         UserIdentityArn,\n         UserIdentityType,\n         EventName,\n         EventTime = TimeGenerated\n     )\n     on $left.ipAddress == $right.SourceIpAddress  \n // Filter results based on temporal correlation\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}