Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Insider Risk_Risky User Access By Application

Back
Id15386bba-dc70-463f-a09f-d392e7731c63
RulenameInsider Risk_Risky User Access By Application
DescriptionThis alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes
SeverityMedium
TacticsExecution
TechniquesT1204
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency6h
Query period6h
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml
Version1.1.4
Arm template15386bba-dc70-463f-a09f-d392e7731c63.json
Deploy To Azure
SigninLogs
| where RiskState == "atRisk"
| project UserPrincipalName, Location, AppDisplayName, RiskState
| evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements
// | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements
| where UserPrincipalName <> ""
| where AppDisplayName <> ""
| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
| sort by Percent desc
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    groupByEntities:
    - Account
    matchingMethod: Selected
    lookbackDuration: 3d
    enabled: true
    reopenClosedIncident: true
relevantTechniques:
- T1204
description: |
    'This alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)'
queryPeriod: 6h
queryFrequency: 6h
tactics:
- Execution
name: Insider Risk_Risky User Access By Application
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
triggerThreshold: 0
version: 1.1.4
id: 15386bba-dc70-463f-a09f-d392e7731c63
query: |
  SigninLogs
  | where RiskState == "atRisk"
  | project UserPrincipalName, Location, AppDisplayName, RiskState
  | evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements
  // | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements
  | where UserPrincipalName <> ""
  | where AppDisplayName <> ""
  | project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
  // | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
  | sort by Percent desc
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])  
kind: Scheduled
eventGroupingSettings:
  aggregationKind: SingleAlert
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml
severity: Medium
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15386bba-dc70-463f-a09f-d392e7731c63')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15386bba-dc70-463f-a09f-d392e7731c63')]",
      "properties": {
        "alertRuleTemplateName": "15386bba-dc70-463f-a09f-d392e7731c63",
        "customDetails": null,
        "description": "'This alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)'\n",
        "displayName": "Insider Risk_Risky User Access By Application",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "incidentConfiguration": {
          "createIncident": true,
          "groupingConfiguration": {
            "enabled": true,
            "groupByEntities": [
              "Account"
            ],
            "lookbackDuration": "P3D",
            "matchingMethod": "Selected",
            "reopenClosedIncident": true
          }
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml",
        "query": "SigninLogs\n| where RiskState == \"atRisk\"\n| project UserPrincipalName, Location, AppDisplayName, RiskState\n| evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements\n// | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements\n| where UserPrincipalName <> \"\"\n| where AppDisplayName <> \"\"\n| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState\n// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey\n| sort by Percent desc\n| extend AccountName = tostring(split(UserPrincipalName, \"@\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n",
        "queryFrequency": "PT6H",
        "queryPeriod": "PT6H",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Execution"
        ],
        "techniques": [
          "T1204"
        ],
        "templateVersion": "1.1.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}