Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

NRT Authentication Methods Changed for VIP Users

Back
Id29e99017-e28d-47be-8b9a-c8c711f8a903
RulenameNRT Authentication Methods Changed for VIP Users
DescriptionIdentifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.
SeverityMedium
TacticsPersistence
TechniquesT1098
Required data connectorsAzureActiveDirectory
KindNRT
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
Version1.0.1
Arm template29e99017-e28d-47be-8b9a-c8c711f8a903.json
Deploy To Azure
let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
AuditLogs
| where Category =~ "UserManagement"
| where ActivityDisplayName in (security_info_actions)
| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
| extend IP = tostring(InitiatedBy.user.ipAddress)
| mv-apply TargetResource = TargetResources on 
  (
      where TargetResource.type =~ "User"
      | extend Target = trim(@'"',tolower(tostring(TargetResource.userPrincipalName)))
  )
| where Target in~ (VIPUsers)
| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target
| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
name: NRT Authentication Methods Changed for VIP Users
tags:
- AADSecOpsGuide
id: 29e99017-e28d-47be-8b9a-c8c711f8a903
description: |
    'Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.'
severity: Medium
query: |
  let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
  let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
  AuditLogs
  | where Category =~ "UserManagement"
  | where ActivityDisplayName in (security_info_actions)
  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
  | extend IP = tostring(InitiatedBy.user.ipAddress)
  | mv-apply TargetResource = TargetResources on 
    (
        where TargetResource.type =~ "User"
        | extend Target = trim(@'"',tolower(tostring(TargetResource.userPrincipalName)))
    )
  | where Target in~ (VIPUsers)
  | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target
  | extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])  
version: 1.0.1
kind: NRT
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Name
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IP
relevantTechniques:
- T1098
tactics:
- Persistence
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/29e99017-e28d-47be-8b9a-c8c711f8a903')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/29e99017-e28d-47be-8b9a-c8c711f8a903')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "NRT",
      "apiVersion": "2022-11-01-preview",
      "properties": {
        "displayName": "NRT Authentication Methods Changed for VIP Users",
        "description": "'Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let security_info_actions = dynamic([\"User registered security info\", \"User changed default security info\", \"User deleted security info\", \"Admin updated security info\", \"User reviewed security info\", \"Admin deleted security info\", \"Admin registered security info\"]);\nlet VIPUsers = (_GetWatchlist('VIPUsers') | distinct [\"User Principal Name\"]);\nAuditLogs\n| where Category =~ \"UserManagement\"\n| where ActivityDisplayName in (security_info_actions)\n| extend Initiator = tostring(InitiatedBy.user.userPrincipalName)\n| extend IP = tostring(InitiatedBy.user.ipAddress)\n| mv-apply TargetResource = TargetResources on \n  (\n      where TargetResource.type =~ \"User\"\n      | extend Target = trim(@'\"',tolower(tostring(TargetResource.userPrincipalName)))\n  )\n| where Target in~ (VIPUsers)\n| summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target\n| extend Name = tostring(split(Target,'@',0)[0]), UPNSuffix = tostring(split(Target,'@',1)[0])\n",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Persistence"
        ],
        "techniques": [
          "T1098"
        ],
        "alertRuleTemplateName": "29e99017-e28d-47be-8b9a-c8c711f8a903",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "Name",
                "columnName": "Name"
              },
              {
                "identifier": "UPNSuffix",
                "columnName": "UPNSuffix"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IP"
              }
            ],
            "entityType": "IP"
          }
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/NRT_AuthenticationMethodsChangedforVIPUsers.yaml"
      }
    }
  ]
}