Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious AAD Joined Device Update

Back
Id3a3c6835-0086-40ca-b033-a93bf26d878f
RulenameSuspicious AAD Joined Device Update
DescriptionThis query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.

This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.

Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf
SeverityMedium
TacticsCredentialAccess
TechniquesT1528
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
Version1.0.1
Arm template3a3c6835-0086-40ca-b033-a93bf26d878f.json
Deploy To Azure
AuditLogs
| where OperationName =~ "Update device"
| mv-apply TargetResource=TargetResources on (
    where TargetResource.type =~ "Device"
    | extend ModifiedProperties = TargetResource.modifiedProperties
    | extend DeviceId = TargetResource.id)
| mv-apply Prop=ModifiedProperties on ( 
    where Prop.displayName =~ "CloudDisplayName"
    | extend OldName = Prop.oldValue 
    | extend NewName = Prop.newValue)
| mv-apply Prop=ModifiedProperties on ( 
    where Prop.displayName =~ "IsCompliant"
    | extend OldComplianceState = Prop.oldValue  
    | extend NewComplianceState = Prop.newValue)
| mv-apply Prop=ModifiedProperties on ( 
    where Prop.displayName =~ "TargetId.DeviceTrustType"
    | extend OldTrustType = Prop.oldValue  
    | extend NewTrustType = Prop.newValue)
| mv-apply Prop=ModifiedProperties on ( 
    where Prop.displayName =~ "Included Updated Properties" 
    | extend UpdatedProperties = Prop.newValue)
| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])
| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])
| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])
| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])
| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))
| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))
| where OldDeviceName != NewDeviceName
| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'
// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices
| where NewTrustType == '"AzureAd"' and OldTrustType != '"Workplace"'
// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be
| where UpdatedPropertiesCount > 1
| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount
triggerThreshold: 0
queryFrequency: 1d
relevantTechniques:
- T1528
tactics:
- CredentialAccess
id: 3a3c6835-0086-40ca-b033-a93bf26d878f
alertDetailsOverride:
  alertDescriptionFormat: |
    This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
    In this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.
    This could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new  device.
    Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf    
  alertDisplayNameFormat: Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed
kind: Scheduled
triggerOperator: gt
severity: Medium
version: 1.0.1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
query: |
  AuditLogs
  | where OperationName =~ "Update device"
  | mv-apply TargetResource=TargetResources on (
      where TargetResource.type =~ "Device"
      | extend ModifiedProperties = TargetResource.modifiedProperties
      | extend DeviceId = TargetResource.id)
  | mv-apply Prop=ModifiedProperties on ( 
      where Prop.displayName =~ "CloudDisplayName"
      | extend OldName = Prop.oldValue 
      | extend NewName = Prop.newValue)
  | mv-apply Prop=ModifiedProperties on ( 
      where Prop.displayName =~ "IsCompliant"
      | extend OldComplianceState = Prop.oldValue  
      | extend NewComplianceState = Prop.newValue)
  | mv-apply Prop=ModifiedProperties on ( 
      where Prop.displayName =~ "TargetId.DeviceTrustType"
      | extend OldTrustType = Prop.oldValue  
      | extend NewTrustType = Prop.newValue)
  | mv-apply Prop=ModifiedProperties on ( 
      where Prop.displayName =~ "Included Updated Properties" 
      | extend UpdatedProperties = Prop.newValue)
  | extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])
  | extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])
  | extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])
  | extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])
  | extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))
  | extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))
  | where OldDeviceName != NewDeviceName
  | where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'
  // Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices
  | where NewTrustType == '"AzureAd"' and OldTrustType != '"Workplace"'
  // We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be
  | where UpdatedPropertiesCount > 1
  | project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount  
entityMappings:
- fieldMappings:
  - columnName: NewDeviceName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: OldDeviceName
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: DeviceId
    identifier: AzureID
  entityType: Host
- fieldMappings:
  - columnName: InitiatedByUser
    identifier: AadUserId
  entityType: Account
queryPeriod: 1d
name: Suspicious AAD Joined Device Update
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml
status: Available
description: |
  'This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.
  This could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.
  Ref: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3a3c6835-0086-40ca-b033-a93bf26d878f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3a3c6835-0086-40ca-b033-a93bf26d878f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Suspicious AAD Joined Device Update",
        "description": "'This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nThis could occur when a threat actor updates the details of an Autopilot provisioned device using a stolen device ticket, in order to access certificates and keys.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "AuditLogs\n| where OperationName =~ \"Update device\"\n| mv-apply TargetResource=TargetResources on (\n    where TargetResource.type =~ \"Device\"\n    | extend ModifiedProperties = TargetResource.modifiedProperties\n    | extend DeviceId = TargetResource.id)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"CloudDisplayName\"\n    | extend OldName = Prop.oldValue \n    | extend NewName = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"IsCompliant\"\n    | extend OldComplianceState = Prop.oldValue  \n    | extend NewComplianceState = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"TargetId.DeviceTrustType\"\n    | extend OldTrustType = Prop.oldValue  \n    | extend NewTrustType = Prop.newValue)\n| mv-apply Prop=ModifiedProperties on ( \n    where Prop.displayName =~ \"Included Updated Properties\" \n    | extend UpdatedProperties = Prop.newValue)\n| extend OldDeviceName = tostring(parse_json(tostring(OldName))[0])\n| extend NewDeviceName = tostring(parse_json(tostring(NewName))[0])\n| extend OldComplianceState = tostring(parse_json(tostring(OldComplianceState))[0])\n| extend NewComplianceState = tostring(parse_json(tostring(NewComplianceState))[0])\n| extend InitiatedByUser = tostring(iff(isnotempty(InitiatedBy.user.userPrincipalName),InitiatedBy.user.userPrincipalName, InitiatedBy.app.displayName))\n| extend UpdatedPropertiesCount = array_length(split(UpdatedProperties, ','))\n| where OldDeviceName != NewDeviceName\n| where OldComplianceState =~ 'true' and NewComplianceState =~ 'false'\n// Most common is transferring from AAD Registered to AAD Joined - we just want AAD Joined devices\n| where NewTrustType == '\"AzureAd\"' and OldTrustType != '\"Workplace\"'\n// We can modify this value to tune FPs - more properties changed about the device beyond its name the more suspicious it could be\n| where UpdatedPropertiesCount > 1\n| project-reorder TimeGenerated, DeviceId, NewDeviceName, OldDeviceName, NewComplianceState, InitiatedByUser, AADOperationType, OldTrustType, NewTrustType, UpdatedProperties, UpdatedPropertiesCount\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess"
        ],
        "techniques": [
          "T1528"
        ],
        "alertRuleTemplateName": "3a3c6835-0086-40ca-b033-a93bf26d878f",
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query looks for suspicious updates to an Azure AD joined device where the device name is changed and the device falls out of compliance.\nIn this case {{OldDeviceName}} was renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties were changed.\nThis could occur when a threat actor steals a Device ticket from an Autopilot provisioned device and uses it to AAD Join a new  device.\nRef: https://dirkjanm.io/assets/raw/Insomnihack%20Breaking%20and%20fixing%20Azure%20AD%20device%20identity%20security.pdf\n",
          "alertDisplayNameFormat": "Suspicious AAD Joined Device Update {{OldDeviceName}} renamed to {{NewDeviceName}} and {{UpdatedPropertiesCount}} properties changed"
        },
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "NewDeviceName",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "OldDeviceName",
                "identifier": "HostName"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "DeviceId",
                "identifier": "AzureID"
              }
            ],
            "entityType": "Host"
          },
          {
            "fieldMappings": [
              {
                "columnName": "InitiatedByUser",
                "identifier": "AadUserId"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/SuspiciousAADJoinedDeviceUpdate.yaml",
        "status": "Available"
      }
    }
  ]
}