Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

User impersonation by Identity Protection alerts

Back
Id11c3d541-5fa5-49df-8218-d1c98584473b
RulenameUser impersonation by Identity Protection alerts
DescriptionThis detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user’s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1134
Required data connectorsAWS
AzureActiveDirectoryIdentityProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
Version1.0.0
Arm template11c3d541-5fa5-49df-8218-d1c98584473b.json
Deploy To Azure
// Retrieve SecurityAlerts generated within the last day
 SecurityAlert 
 // Filter alerts for Azure Active Directory Identity Protection and High severity
 | where ProductName has "Azure Active Directory Identity Protection"
 | where AlertSeverity == "High"
 // Extract IP address entities from the 'Entities' field
 | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
 // Filter out alerts without IP address entities
 | where isnotempty(ipAddress)
 // Summarize entities per unique combination of attributes
 | summarize make_set(Entities)
     by
     AlertTime = TimeGenerated,
     ipAddress,
     AlertName,
     ProductName,
     AlertSeverity
 // Perform an inner join with AWS CloudTrail events
 | join kind=inner (
     AWSCloudTrail
     | where isempty(ErrorMessage)
     | extend UserType = tostring(parse_json(RequestParameters).userType) 
     | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
     | summarize
         make_set(RequestParameters),
         make_set(ResponseElements)
         by
         SourceIpAddress,
         UserIdentityArn,
         UserIdentityType,
         EventName,
         EventTime = TimeGenerated
     )
     on $left.ipAddress == $right.SourceIpAddress  
 // Filter results based on temporal correlation
 | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))
kind: Scheduled
relevantTechniques:
- T1134
description: |
    'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
queryPeriod: 1d
queryFrequency: 1d
tactics:
- PrivilegeEscalation
name: User impersonation by Identity Protection alerts
requiredDataConnectors:
- connectorId: AWS
  dataTypes:
  - AWSCloudTrail
- connectorId: AzureActiveDirectoryIdentityProtection
  dataTypes:
  - SecurityAlert (IPC)
customDetails:
  AlertName: AlertName
  AWSUser: UserIdentityArn
  AlertIp: ipAddress
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIpAddress
triggerThreshold: 0
version: 1.0.0
id: 11c3d541-5fa5-49df-8218-d1c98584473b
query: |
  // Retrieve SecurityAlerts generated within the last day
   SecurityAlert 
   // Filter alerts for Azure Active Directory Identity Protection and High severity
   | where ProductName has "Azure Active Directory Identity Protection"
   | where AlertSeverity == "High"
   // Extract IP address entities from the 'Entities' field
   | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
   // Filter out alerts without IP address entities
   | where isnotempty(ipAddress)
   // Summarize entities per unique combination of attributes
   | summarize make_set(Entities)
       by
       AlertTime = TimeGenerated,
       ipAddress,
       AlertName,
       ProductName,
       AlertSeverity
   // Perform an inner join with AWS CloudTrail events
   | join kind=inner (
       AWSCloudTrail
       | where isempty(ErrorMessage)
       | extend UserType = tostring(parse_json(RequestParameters).userType) 
       | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
       | summarize
           make_set(RequestParameters),
           make_set(ResponseElements)
           by
           SourceIpAddress,
           UserIdentityArn,
           UserIdentityType,
           EventName,
           EventTime = TimeGenerated
       )
       on $left.ipAddress == $right.SourceIpAddress  
   // Filter results based on temporal correlation
   | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))  
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/11c3d541-5fa5-49df-8218-d1c98584473b')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/11c3d541-5fa5-49df-8218-d1c98584473b')]",
      "properties": {
        "alertRuleTemplateName": "11c3d541-5fa5-49df-8218-d1c98584473b",
        "customDetails": {
          "AlertIp": "ipAddress",
          "AlertName": "AlertName",
          "AWSUser": "UserIdentityArn"
        },
        "description": "'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'\n",
        "displayName": "User impersonation by Identity Protection alerts",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIpAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml",
        "query": "// Retrieve SecurityAlerts generated within the last day\n SecurityAlert \n // Filter alerts for Azure Active Directory Identity Protection and High severity\n | where ProductName has \"Azure Active Directory Identity Protection\"\n | where AlertSeverity == \"High\"\n // Extract IP address entities from the 'Entities' field\n | extend ipAddress = extract(@'\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b', 0, Entities)\n // Filter out alerts without IP address entities\n | where isnotempty(ipAddress)\n // Summarize entities per unique combination of attributes\n | summarize make_set(Entities)\n     by\n     AlertTime = TimeGenerated,\n     ipAddress,\n     AlertName,\n     ProductName,\n     AlertSeverity\n // Perform an inner join with AWS CloudTrail events\n | join kind=inner (\n     AWSCloudTrail\n     | where isempty(ErrorMessage)\n     | extend UserType = tostring(parse_json(RequestParameters).userType) \n     | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\") \n     | summarize\n         make_set(RequestParameters),\n         make_set(ResponseElements)\n         by\n         SourceIpAddress,\n         UserIdentityArn,\n         UserIdentityType,\n         EventName,\n         EventTime = TimeGenerated\n     )\n     on $left.ipAddress == $right.SourceIpAddress  \n // Filter results based on temporal correlation\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1134"
        ],
        "templateVersion": "1.0.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}