User impersonation by Identity Protection alerts
Id | 11c3d541-5fa5-49df-8218-d1c98584473b |
Rulename | User impersonation by Identity Protection alerts |
Description | This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user’s IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation. |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1134 |
Required data connectors | AWS AzureActiveDirectoryIdentityProtection |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml |
Version | 1.0.0 |
Arm template | 11c3d541-5fa5-49df-8218-d1c98584473b.json |
// Retrieve SecurityAlerts generated within the last day
SecurityAlert
// Filter alerts for Azure Active Directory Identity Protection and High severity
| where ProductName has "Azure Active Directory Identity Protection"
| where AlertSeverity == "High"
// Extract IP address entities from the 'Entities' field
| extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
// Filter out alerts without IP address entities
| where isnotempty(ipAddress)
// Summarize entities per unique combination of attributes
| summarize make_set(Entities)
by
AlertTime = TimeGenerated,
ipAddress,
AlertName,
ProductName,
AlertSeverity
// Perform an inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| extend UserType = tostring(parse_json(RequestParameters).userType)
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile")
| summarize
make_set(RequestParameters),
make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime = TimeGenerated
)
on $left.ipAddress == $right.SourceIpAddress
// Filter results based on temporal correlation
| where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))
kind: Scheduled
relevantTechniques:
- T1134
description: |
'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'
queryPeriod: 1d
queryFrequency: 1d
tactics:
- PrivilegeEscalation
name: User impersonation by Identity Protection alerts
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectoryIdentityProtection
dataTypes:
- SecurityAlert (IPC)
customDetails:
AlertName: AlertName
AWSUser: UserIdentityArn
AlertIp: ipAddress
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIpAddress
triggerThreshold: 0
version: 1.0.0
id: 11c3d541-5fa5-49df-8218-d1c98584473b
query: |
// Retrieve SecurityAlerts generated within the last day
SecurityAlert
// Filter alerts for Azure Active Directory Identity Protection and High severity
| where ProductName has "Azure Active Directory Identity Protection"
| where AlertSeverity == "High"
// Extract IP address entities from the 'Entities' field
| extend ipAddress = extract(@'\b(?:\d{1,3}\.){3}\d{1,3}\b', 0, Entities)
// Filter out alerts without IP address entities
| where isnotempty(ipAddress)
// Summarize entities per unique combination of attributes
| summarize make_set(Entities)
by
AlertTime = TimeGenerated,
ipAddress,
AlertName,
ProductName,
AlertSeverity
// Perform an inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| extend UserType = tostring(parse_json(RequestParameters).userType)
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile")
| summarize
make_set(RequestParameters),
make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime = TimeGenerated
)
on $left.ipAddress == $right.SourceIpAddress
// Filter results based on temporal correlation
| where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml
severity: Medium
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/11c3d541-5fa5-49df-8218-d1c98584473b')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/11c3d541-5fa5-49df-8218-d1c98584473b')]",
"properties": {
"alertRuleTemplateName": "11c3d541-5fa5-49df-8218-d1c98584473b",
"customDetails": {
"AlertIp": "ipAddress",
"AlertName": "AlertName",
"AWSUser": "UserIdentityArn"
},
"description": "'This detection focuses on identifying user-related events involving IAM roles, groups, user access, and password changes. It examines instances where the user's IP address matches and alerts generated by Identity Protection share the same IP address. The analysis occurs within a time window of 1 hour, helping to flag potential cases of user impersonation.'\n",
"displayName": "User impersonation by Identity Protection alerts",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByAAID.yaml",
"query": "// Retrieve SecurityAlerts generated within the last day\n SecurityAlert \n // Filter alerts for Azure Active Directory Identity Protection and High severity\n | where ProductName has \"Azure Active Directory Identity Protection\"\n | where AlertSeverity == \"High\"\n // Extract IP address entities from the 'Entities' field\n | extend ipAddress = extract(@'\\b(?:\\d{1,3}\\.){3}\\d{1,3}\\b', 0, Entities)\n // Filter out alerts without IP address entities\n | where isnotempty(ipAddress)\n // Summarize entities per unique combination of attributes\n | summarize make_set(Entities)\n by\n AlertTime = TimeGenerated,\n ipAddress,\n AlertName,\n ProductName,\n AlertSeverity\n // Perform an inner join with AWS CloudTrail events\n | join kind=inner (\n AWSCloudTrail\n | where isempty(ErrorMessage)\n | extend UserType = tostring(parse_json(RequestParameters).userType) \n | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\") \n | summarize\n make_set(RequestParameters),\n make_set(ResponseElements)\n by\n SourceIpAddress,\n UserIdentityArn,\n UserIdentityType,\n EventName,\n EventTime = TimeGenerated\n )\n on $left.ipAddress == $right.SourceIpAddress \n // Filter results based on temporal correlation\n | where AlertTime between ((EventTime - 1h) .. (EventTime + 1h))\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1134"
],
"templateVersion": "1.0.0",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}