Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User impersonation by Identity Protection alerts

User impersonation by Identity Protection alerts

Back
Id11c3d541-5fa5-49df-8218-d1c98584473b
RulenameUser impersonation by Identity Protection alerts
DescriptionThis detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user’s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1134
Required data connectorsAWS
AzureActiveDirectoryIdentityProtection
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
Version1.0.0
Arm template11c3d541-5fa5-49df-8218-d1c98584473b.json
Deploy To Azure
// Retrieve SecurityAlerts generated within the last day
 SecurityAlert 
 // Filter alerts for Azure Active Directory Identity Protection and High severity
 | where ProductName has "Azure Active Directory Identity Protection"
 | where AlertSeverity == "High"
 // Extract IP address entities from the 'Entities' field
 | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
 // Filter out alerts without IP address entities
 | where isnotempty(ipAddress)
 // Summarize entities per unique combination of attributes
 | summarize make_set(Entities)
     by
     AlertTime = TimeGenerated,
     ipAddress,
     AlertName,
     ProductName,
     AlertSeverity
 // Perform an inner join with AWS CloudTrail events
 | join kind=inner (
     AWSCloudTrail
     | where isempty(ErrorMessage)
     | extend UserType = tostring(parse_json(RequestParameters).userType) 
     | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
     | summarize
         make_set(RequestParameters),
         make_set(ResponseElements)
         by
         SourceIpAddress,
         UserIdentityArn,
         UserIdentityType,
         EventName,
         EventTime = TimeGenerated
     )
     on $left.ipAddress == $right.SourceIpAddress  
 // Filter results based on temporal correlation
 | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))

version: 1.0.0
id: 11c3d541-5fa5-49df-8218-d1c98584473b
kind: Scheduled
triggerThreshold: 0
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SourceIpAddress
    identifier: Address
query: |
  // Retrieve SecurityAlerts generated within the last day
   SecurityAlert 
   // Filter alerts for Azure Active Directory Identity Protection and High severity
   | where ProductName has "Azure Active Directory Identity Protection"
   | where AlertSeverity == "High"
   // Extract IP address entities from the 'Entities' field
   | extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
   // Filter out alerts without IP address entities
   | where isnotempty(ipAddress)
   // Summarize entities per unique combination of attributes
   | summarize make_set(Entities)
       by
       AlertTime = TimeGenerated,
       ipAddress,
       AlertName,
       ProductName,
       AlertSeverity
   // Perform an inner join with AWS CloudTrail events
   | join kind=inner (
       AWSCloudTrail
       | where isempty(ErrorMessage)
       | extend UserType = tostring(parse_json(RequestParameters).userType) 
       | where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile") 
       | summarize
           make_set(RequestParameters),
           make_set(ResponseElements)
           by
           SourceIpAddress,
           UserIdentityArn,
           UserIdentityType,
           EventName,
           EventTime = TimeGenerated
       )
       on $left.ipAddress == $right.SourceIpAddress  
   // Filter results based on temporal correlation
   | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))  
name: User impersonation by Identity Protection alerts
queryFrequency: 1d
requiredDataConnectors:
- dataTypes:
  - AWSCloudTrail
  connectorId: AWS
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
severity: Medium
relevantTechniques:
- T1134
customDetails:
  AWSUser: UserIdentityArn
  AlertIp: ipAddress
  AlertName: AlertName
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
description: |
    'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
queryPeriod: 1d
tactics:
- PrivilegeEscalation
triggerOperator: gt