Risky user signin observed in non-Microsoft network device
| Id | 042f2801-a375-4cfd-bd29-041fc7ed88a0 |
| Rulename | Risky user signin observed in non-Microsoft network device |
| Description | This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices. |
| Severity | Medium |
| Tactics | CommandAndControl |
| Techniques | T1071 |
| Required data connectors | AzureActiveDirectory CheckPoint Fortinet PaloAltoNetworks Zscaler |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml |
| Version | 1.0.5 |
| Arm template | 042f2801-a375-4cfd-bd29-041fc7ed88a0.json |
SigninLogs
//Find risky Signin
| where RiskState == "atRisk" and ResultType == 0
| extend Signin_Time = TimeGenerated
| summarize
AppDisplayName=make_set(AppDisplayName),
ClientAppUsed=make_set(ClientAppUsed),
UserAgent=make_set(UserAgent),
CorrelationId=make_set(CorrelationId),
Signin_Time= min(Signin_Time),
RiskEventTypes=make_set(RiskEventTypes)
by
ConditionalAccessStatus,
IPAddress,
IsRisky,
ResourceDisplayName,
RiskDetail,
ResultType,
RiskLevelAggregated,
RiskLevelDuringSignIn,
RiskState,
UserPrincipalName=tostring(tolower(UserPrincipalName)),
SourceSystem
| join kind=inner (
CommonSecurityLog
| where DeviceVendor has_any ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
| where DeviceProduct startswith "FortiGate" or DeviceProduct startswith "PAN" or DeviceProduct startswith "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith "NSSWeblog" or DeviceProduct startswith "URL"
| where DeviceAction != "Block"
| where isnotempty(RequestURL)
| where isnotempty(SourceUserName)
| extend SourceUserName = tolower(SourceUserName)
| summarize
min(TimeGenerated),
max(TimeGenerated),
Activity=make_set(Activity)
by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct
| extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,"@")[0]),UPNSuffix =tostring(split(SourceUserName,"@")[1]))
on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName
| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)
| where Timediff <= 1 and Timediff >= 0
id: 042f2801-a375-4cfd-bd29-041fc7ed88a0
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: PaloAltoNetworks
dataTypes:
- CommonSecurityLog (PaloAlto)
- connectorId: Fortinet
dataTypes:
- CommonSecurityLog (Fortinet)
- connectorId: CheckPoint
dataTypes:
- CommonSecurityLog (CheckPoint)
- connectorId: Zscaler
dataTypes:
- CommonSecurityLog (Zscaler)
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
severity: Medium
description: |
'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'
relevantTechniques:
- T1071
tactics:
- CommandAndControl
triggerThreshold: 0
kind: Scheduled
query: |2
SigninLogs
//Find risky Signin
| where RiskState == "atRisk" and ResultType == 0
| extend Signin_Time = TimeGenerated
| summarize
AppDisplayName=make_set(AppDisplayName),
ClientAppUsed=make_set(ClientAppUsed),
UserAgent=make_set(UserAgent),
CorrelationId=make_set(CorrelationId),
Signin_Time= min(Signin_Time),
RiskEventTypes=make_set(RiskEventTypes)
by
ConditionalAccessStatus,
IPAddress,
IsRisky,
ResourceDisplayName,
RiskDetail,
ResultType,
RiskLevelAggregated,
RiskLevelDuringSignIn,
RiskState,
UserPrincipalName=tostring(tolower(UserPrincipalName)),
SourceSystem
| join kind=inner (
CommonSecurityLog
| where DeviceVendor has_any ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
| where DeviceProduct startswith "FortiGate" or DeviceProduct startswith "PAN" or DeviceProduct startswith "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith "NSSWeblog" or DeviceProduct startswith "URL"
| where DeviceAction != "Block"
| where isnotempty(RequestURL)
| where isnotempty(SourceUserName)
| extend SourceUserName = tolower(SourceUserName)
| summarize
min(TimeGenerated),
max(TimeGenerated),
Activity=make_set(Activity)
by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct
| extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,"@")[0]),UPNSuffix =tostring(split(SourceUserName,"@")[1]))
on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName
| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)
| where Timediff <= 1 and Timediff >= 0
name: Risky user signin observed in non-Microsoft network device
version: 1.0.5
queryFrequency: 1d
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: UserPrincipalName
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
entityType: Account
- fieldMappings:
- identifier: Address
columnName: DestinationIP
entityType: IP
- fieldMappings:
- identifier: DomainName
columnName: DestinationHostName
entityType: DNS
triggerOperator: gt
metadata:
source:
kind: Community
author:
name: Arjun Trivedi
support:
tier: Community
categories:
domains:
- Security - Threat Protection
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/042f2801-a375-4cfd-bd29-041fc7ed88a0')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/042f2801-a375-4cfd-bd29-041fc7ed88a0')]",
"properties": {
"alertRuleTemplateName": "042f2801-a375-4cfd-bd29-041fc7ed88a0",
"customDetails": null,
"description": "'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'\n",
"displayName": "Risky user signin observed in non-Microsoft network device",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "Name",
"identifier": "Name"
},
{
"columnName": "UPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "DestinationIP",
"identifier": "Address"
}
]
},
{
"entityType": "DNS",
"fieldMappings": [
{
"columnName": "DestinationHostName",
"identifier": "DomainName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml",
"query": "\nSigninLogs\n//Find risky Signin\n| where RiskState == \"atRisk\" and ResultType == 0\n| extend Signin_Time = TimeGenerated\n| summarize\n AppDisplayName=make_set(AppDisplayName),\n ClientAppUsed=make_set(ClientAppUsed),\n UserAgent=make_set(UserAgent),\n CorrelationId=make_set(CorrelationId),\n Signin_Time= min(Signin_Time),\n RiskEventTypes=make_set(RiskEventTypes)\n by\n ConditionalAccessStatus,\n IPAddress,\n IsRisky,\n ResourceDisplayName,\n RiskDetail,\n ResultType,\n RiskLevelAggregated,\n RiskLevelDuringSignIn,\n RiskState,\n UserPrincipalName=tostring(tolower(UserPrincipalName)),\n SourceSystem\n| join kind=inner (\n CommonSecurityLog\n | where DeviceVendor has_any (\"Palo Alto Networks\", \"Fortinet\", \"Check Point\", \"Zscaler\")\n | where DeviceProduct startswith \"FortiGate\" or DeviceProduct startswith \"PAN\" or DeviceProduct startswith \"VPN\" or DeviceProduct startswith \"FireWall\" or DeviceProduct startswith \"NSSWeblog\" or DeviceProduct startswith \"URL\"\n | where DeviceAction != \"Block\"\n | where isnotempty(RequestURL)\n | where isnotempty(SourceUserName)\n | extend SourceUserName = tolower(SourceUserName)\n | summarize\n min(TimeGenerated),\n max(TimeGenerated),\n Activity=make_set(Activity)\n by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\n | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\"@\")[0]),UPNSuffix =tostring(split(SourceUserName,\"@\")[1]))\n on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\n| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)\n| where Timediff <= 1 and Timediff >= 0\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CommandAndControl"
],
"techniques": [
"T1071"
],
"templateVersion": "1.0.5",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}