Insider Risk_Risky User Access By Application
| Id | 15386bba-dc70-463f-a09f-d392e7731c63 |
| Rulename | Insider Risk_Risky User Access By Application |
| Description | This alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes |
| Severity | Medium |
| Tactics | Execution |
| Techniques | T1204 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 6h |
| Query period | 6h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml |
| Version | 1.1.4 |
| Arm template | 15386bba-dc70-463f-a09f-d392e7731c63.json |
SigninLogs
| where RiskState == "atRisk"
| project UserPrincipalName, Location, AppDisplayName, RiskState
| evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements
// | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements
| where UserPrincipalName <> ""
| where AppDisplayName <> ""
| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
| sort by Percent desc
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
incidentConfiguration:
createIncident: true
groupingConfiguration:
lookbackDuration: 3d
enabled: true
groupByEntities:
- Account
matchingMethod: Selected
reopenClosedIncident: true
name: Insider Risk_Risky User Access By Application
id: 15386bba-dc70-463f-a09f-d392e7731c63
triggerThreshold: 0
severity: Medium
tactics:
- Execution
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserPrincipalName
identifier: FullName
- columnName: AccountName
identifier: Name
- columnName: AccountUPNSuffix
identifier: UPNSuffix
queryPeriod: 6h
queryFrequency: 6h
version: 1.1.4
triggerOperator: gt
description: |
'This alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)'
query: |
SigninLogs
| where RiskState == "atRisk"
| project UserPrincipalName, Location, AppDisplayName, RiskState
| evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements
// | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements
| where UserPrincipalName <> ""
| where AppDisplayName <> ""
| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState
// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey
| sort by Percent desc
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
relevantTechniques:
- T1204
requiredDataConnectors:
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
eventGroupingSettings:
aggregationKind: SingleAlert
kind: Scheduled
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/15386bba-dc70-463f-a09f-d392e7731c63')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/15386bba-dc70-463f-a09f-d392e7731c63')]",
"properties": {
"alertRuleTemplateName": "15386bba-dc70-463f-a09f-d392e7731c63",
"customDetails": null,
"description": "'This alert evaluates Microsoft Entra ID Sign in risk via Machine Learning correlations in the basket operator. The basket threshold is adjustable, and the default is set to .01. There is an optional configuration to configure the percentage rates. The correlations are designed to leverage machine learning to identify patterns of risky user application access. There is an option for configuration of correlations against Microsoft Sentinel watchlists. For more information, see [Tutorial: Use risk detections for user sign-ins to trigger Microsoft Entra ID Multi-Factor Authentication or password changes](https://docs.microsoft.com/azure/active-directory/authentication/tutorial-risk-based-sspr-mfa)'\n",
"displayName": "Insider Risk_Risky User Access By Application",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "AccountName",
"identifier": "Name"
},
{
"columnName": "AccountUPNSuffix",
"identifier": "UPNSuffix"
}
]
}
],
"eventGroupingSettings": {
"aggregationKind": "SingleAlert"
},
"incidentConfiguration": {
"createIncident": true,
"groupingConfiguration": {
"enabled": true,
"groupByEntities": [
"Account"
],
"lookbackDuration": "P3D",
"matchingMethod": "Selected",
"reopenClosedIncident": true
}
},
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/MicrosoftPurviewInsiderRiskManagement/Analytic Rules/InsiderRiskyAccessByApplication.yaml",
"query": "SigninLogs\n| where RiskState == \"atRisk\"\n| project UserPrincipalName, Location, AppDisplayName, RiskState\n| evaluate basket(0.01) // Adjust & Tune Thresholds within Organzational Requirements\n// | where Percent > 50 // Adjust & Tune Thresholds within Organzational Requirements\n| where UserPrincipalName <> \"\"\n| where AppDisplayName <> \"\"\n| project Percent, UserPrincipalName, Location, AppDisplayName, RiskState\n// | lookup kind=inner _GetWatchlist('<Your Watchlist Name>') on $left.UserPrincipalName == $right.SearchKey\n| sort by Percent desc\n| extend AccountName = tostring(split(UserPrincipalName, \"@\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n",
"queryFrequency": "PT6H",
"queryPeriod": "PT6H",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Execution"
],
"techniques": [
"T1204"
],
"templateVersion": "1.1.4",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}