Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious modification of Global Administrator user properties

Back
Id48602a24-67cf-4362-b258-3f4249e55def
RulenameSuspicious modification of Global Administrator user properties
DescriptionThis query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.

Investigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity
SeverityMedium
TacticsPrivilegeEscalation
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
Version1.0.1
Arm template48602a24-67cf-4362-b258-3f4249e55def.json
Deploy To Azure
let lookback = 1d;
let GlobalAdmins = IdentityInfo
| where TimeGenerated > ago(lookback)
| extend IsGlobalAdmin = set_has_element(AssignedRoles, "Global Administrator")
| where IsGlobalAdmin == true
| distinct AccountUPN;
GlobalAdmins
| join kind=inner ( AuditLogs
| where TimeGenerated > ago(lookback)
| where OperationName=~ "Update user" 
| where Result =~ "success" 
| mv-expand TargetResources 
| mv-expand TargetResources.modifiedProperties 
| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)
| where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) 
| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
) on $left.AccountUPN == $right.oldValue_
| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_
queryFrequency: 1d
metadata:
  author:
    name: Ashwin Patil
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
    - Identity
  support:
    tier: Community
triggerOperator: gt
tactics:
- PrivilegeEscalation
description: |
  ' This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.
  Investigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity'  
relevantTechniques:
- T1078.004
name: Suspicious modification of Global Administrator user properties
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.1
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: Initiator
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: displayName_
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
tags:
- GuestorExternalIdentities
id: 48602a24-67cf-4362-b258-3f4249e55def
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
kind: Scheduled
query: |
  let lookback = 1d;
  let GlobalAdmins = IdentityInfo
  | where TimeGenerated > ago(lookback)
  | extend IsGlobalAdmin = set_has_element(AssignedRoles, "Global Administrator")
  | where IsGlobalAdmin == true
  | distinct AccountUPN;
  GlobalAdmins
  | join kind=inner ( AuditLogs
  | where TimeGenerated > ago(lookback)
  | where OperationName=~ "Update user" 
  | where Result =~ "success" 
  | mv-expand TargetResources 
  | mv-expand TargetResources.modifiedProperties 
  | extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)
  | where displayName_ == "UserPrincipalName" and oldValue_ !has "#EXT" and newValue_ has "#EXT"
  | extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) 
  | extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.["user"].["ipAddress"])
  ) on $left.AccountUPN == $right.oldValue_
  | project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_  
queryPeriod: 1d
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/48602a24-67cf-4362-b258-3f4249e55def')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/48602a24-67cf-4362-b258-3f4249e55def')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Suspicious modification of Global Administrator user properties",
        "description": "' This query will detect if user properties of Global Administrator are updated by an existing user. Usually only user administrator or other global administrator can update such properties.\nInvestigate if such user change is an attempt to elevate an existing low privileged identity or rogue administrator activity'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let lookback = 1d;\nlet GlobalAdmins = IdentityInfo\n| where TimeGenerated > ago(lookback)\n| extend IsGlobalAdmin = set_has_element(AssignedRoles, \"Global Administrator\")\n| where IsGlobalAdmin == true\n| distinct AccountUPN;\nGlobalAdmins\n| join kind=inner ( AuditLogs\n| where TimeGenerated > ago(lookback)\n| where OperationName=~ \"Update user\" \n| where Result =~ \"success\" \n| mv-expand TargetResources \n| mv-expand TargetResources.modifiedProperties \n| extend displayName_ = tostring(TargetResources_modifiedProperties.displayName) , oldValue_ = tostring(TargetResources_modifiedProperties.oldValue), newValue_ = tostring(TargetResources_modifiedProperties.newValue)\n| where displayName_ == \"UserPrincipalName\" and oldValue_ !has \"#EXT\" and newValue_ has \"#EXT\"\n| extend InitiatingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName) \n| extend Initiator = iif(isnotempty(InitiatingApp), InitiatingApp, tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)) , IPAddress = tostring(InitiatedBy.[\"user\"].[\"ipAddress\"])\n) on $left.AccountUPN == $right.oldValue_\n| project TimeGenerated, AADTenantId, IPAddress, Initiator, displayName_, oldValue_, newValue_\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "48602a24-67cf-4362-b258-3f4249e55def",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "Initiator"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "displayName_"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPAddress"
              }
            ]
          }
        ],
        "templateVersion": "1.0.1",
        "tags": [
          "GuestorExternalIdentities"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/SuspiciousModificationofGlobalAdminProperties.yaml"
      }
    }
  ]
}