Suspicious modification of Global Administrator user properties
Id | 48602a24-67cf-4362-b258-3f4249e55def |
Rulename | Suspicious modification of Global Administrator user properties |
Description | This query detects when user properties of a Global Administrator are updated by an existing user. Usually only a User Administrator or another Global Administrator can update such properties. Investigate whether such a change is an attempt to elevate an existing low-privileged identity, or rogue administrator activity. |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory BehaviorAnalytics |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml |
Version | 1.0.1 |
Arm template | 48602a24-67cf-4362-b258-3f4249e55def.json |
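// Detection: a Global Administrator's UserPrincipalName was rewritten to an
// external/guest-style UPN (one containing "#EXT") by a successful
// "Update user" audit event.
// Output columns are unchanged from the original rule: TimeGenerated,
// AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_
// (the rule's entity mappings reference Initiator, displayName_, IPAddress).
let lookback = 1d;
// UPNs of identities currently holding the Global Administrator role.
// Entra ID treats UPNs case-insensitively, so the join key is lower-cased on
// both sides; the previous case-sensitive `==` join silently dropped matches
// where the audit record and IdentityInfo differed only in letter case.
// NOTE(review): IdentityInfo is a snapshot-style table; a 1d window may miss
// admins whose record was last refreshed earlier — confirm the refresh
// cadence before relying on this window.
let GlobalAdmins = IdentityInfo
| where TimeGenerated > ago(lookback)
| where set_has_element(AssignedRoles, "Global Administrator")
| project AccountUPN = tolower(AccountUPN)
| distinct AccountUPN;
GlobalAdmins
| join kind=inner ( AuditLogs
    | where TimeGenerated > ago(lookback)
    | where OperationName =~ "Update user"
    | where Result =~ "success"
    // One row per modified property of each target resource.
    | mv-expand TargetResources
    | mv-expand TargetResources.modifiedProperties
    | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName),
             oldValue_ = tostring(TargetResources_modifiedProperties.oldValue),
             newValue_ = tostring(TargetResources_modifiedProperties.newValue)
    // Keep only UPN changes that introduce an "#EXT" marker where there was none.
    // After this filter displayName_ is always the literal "UserPrincipalName";
    // the account that was changed is oldValue_/newValue_, not displayName_
    // (the entity mapping that treats displayName_ as an Account FullName
    // therefore never yields a real account — worth revisiting).
    | where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
    // NOTE(review): modifiedProperties values in AuditLogs are sometimes
    // JSON-encoded (quoted) strings; confirm oldValue_ is a bare UPN in this
    // tenant, otherwise the join below never matches.
    | extend JoinUPN = tolower(oldValue_)
    // Attribute the change to the application when one is recorded, else to
    // the initiating user's UPN.
    | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
    | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)),
             IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
) on $left.AccountUPN == $right.JoinUPN
| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_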
queryFrequency: 1d
metadata:
author:
name: Ashwin Patil
source:
kind: Community
categories:
domains:
- Security - Others
- Identity
support:
tier: Community
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
' This query detects when user properties of a Global Administrator are updated by an existing user. Usually only a User Administrator or another Global Administrator can update such properties.
Investigate whether such a change is an attempt to elevate an existing low-privileged identity, or rogue administrator activity.'
relevantTechniques:
- T1078.004
name: Suspicious modification of Global Administrator user properties
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.1
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: Initiator
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: displayName_
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPAddress
tags:
- GuestorExternalIdentities
id: 48602a24-67cf-4362-b258-3f4249e55def
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
- connectorId: BehaviorAnalytics
dataTypes:
- IdentityInfo
kind: Scheduled
query: |
let lookback = 1d;
let GlobalAdmins = IdentityInfo
| where TimeGenerated > ago(lookback)
| extend IsGlobalAdmin = set_has_element(AssignedRoles, "Global Administrator")
| where IsGlobalAdmin == true
| distinct AccountUPN;
GlobalAdmins
| join kind=inner ( AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName=~ "Update user"
| where Result =~ "success"
| mv-expand TargetResources
| mv-expand TargetResources.modifiedProperties
| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)
| where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
) on $left.AccountUPN == $right.oldValue_
| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/48602a24-67cf-4362-b258-3f4249e55def')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/48602a24-67cf-4362-b258-3f4249e55def')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Suspicious modification of Global Administrator user properties",
"description": "' This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity'\n",
"severity": "Medium",
"enabled": true,
"query": "let lookback = 1d;\nlet GlobalAdmins = IdentityInfo\n| where TimeGenerated > ago(lookback)\n| extend IsGlobalAdmin = set_has_element(AssignedRoles, \"Global Administrator\")\n| where IsGlobalAdmin == true\n| distinct AccountUPN;\nGlobalAdmins\n| join kind=inner ( AuditLogs\n| where TimeGenerated > ago(lookback)\n| where OperationName=~ \"Update user\" \n| where Result =~ \"success\" \n| mv-expand TargetResources \n| mv-expand TargetResources.modifiedProperties \n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)\n| where displayName_ == \"UserPrincipalName\" and oldValue_ !has \"#EXT\" and newValue_ has \"#EXT\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.[\"user\"].[\"ipAddress\"])\n) on $left.AccountUPN == $right.oldValue_\n| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "48602a24-67cf-4362-b258-3f4249e55def",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "Initiator"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "displayName_"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPAddress"
}
]
}
],
"templateVersion": "1.0.1",
"tags": [
"GuestorExternalIdentities"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml"
}
}
]
}