Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NRT Authentication Methods Changed for VIP Users

Back
Id29e99017-e28d-47be-8b9a-c8c711f8a903
RulenameNRT Authentication Methods Changed for VIP Users
DescriptionIdentifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
Version1.0.0
Arm template29e99017-e28d-47be-8b9a-c8c711f8a903.json
Deploy To Azure
let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
AuditLogs
| where Category =~ "UserManagement"
| where ActivityDisplayName in (security_info_actions)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend IP = tostring(InitiatedBy.user.ipAddress)
| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))
| where Target in (VIPUsers)
| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target
version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
entityMappings:
- fieldMappings:
  - columnName: Targets
    identifier: FullName
  entityType: Account
- fieldMappings:
  - columnName: IP
    identifier: Address
  entityType: IP
kind: NRT
id: 29e99017-e28d-47be-8b9a-c8c711f8a903
severity: Medium
query: |
  let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
  let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
  AuditLogs
  | where Category =~ "UserManagement"
  | where ActivityDisplayName in (security_info_actions)
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | extend IP = tostring(InitiatedBy.user.ipAddress)
  | extend Target = tolower(tostring(TargetResources[0].userPrincipalName))
  | where Target in (VIPUsers)
  | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target  
tags:
- AADSecOpsGuide
description: |
    'Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.'
name: NRT Authentication Methods Changed for VIP Users
relevantTechniques:
- T1098
tactics:
- Persistence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e99017-e28d-47be-8b9a-c8c711f8a903')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e99017-e28d-47be-8b9a-c8c711f8a903')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Nrt",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "NRT Authentication Methods Changed for VIP Users",
        "description": "'Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct [\"User Principal Name\"]);\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| extend Target = tolower(tostring(TargetResources[0].userPrincipalName))\n| where Target in (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "alertRuleTemplateName": "29e99017-e28d-47be-8b9a-c8c711f8a903",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Targets"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IP"
              }
            ]
          }
        ],
        "templateVersion": "1.0.0",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
        "tags": [
          "AADSecOpsGuide"
        ]
      }
    }
  ]
}