Account created from non-approved sources
| Id | 99d589fa-7337-40d7-91a0-c96d0c4fa437 |
| Rulename | Account created from non-approved sources |
| Description | This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment. Created accounts should be investigated to confirm expected creation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts |
| Severity | Medium |
| Tactics | Persistence |
| Techniques | T1136.003 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml |
| Version | 1.2.1 |
| Arm template | 99d589fa-7337-40d7-91a0-c96d0c4fa437.json |
let core_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| extend domain = tolower(split(UserPrincipalName, "@")[1])
| summarize by tostring(domain));
let alternative_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AlternateSignInName)
| where ResultType == 0
| extend domain = tolower(split(AlternateSignInName, "@")[1])
| summarize by tostring(domain));
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Add User"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend UserAddedDomain = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[1]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[1]),
UserAdded)
| where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
| extend AddedByName = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[0]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
InitiatingUserPrincipalName)
| extend AddedByUPNSuffix = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[1]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
InitiatingUserPrincipalName)
| extend UserAddedName = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[0]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
UserAdded)
relevantTechniques:
- T1136.003
name: Account created from non-approved sources
requiredDataConnectors:
- dataTypes:
- SigninLogs
- AuditLogs
connectorId: AzureActiveDirectory
entityMappings:
- fieldMappings:
- identifier: Name
columnName: InitiatingAppName
- identifier: AadUserId
columnName: InitiatingAppServicePrincipalId
entityType: Account
- fieldMappings:
- identifier: FullName
columnName: InitiatingUserPrincipalName
- identifier: Name
columnName: AddedByName
- identifier: UPNSuffix
columnName: AddedByUPNSuffix
entityType: Account
- fieldMappings:
- identifier: AadUserId
columnName: InitiatingAadUserId
entityType: Account
- fieldMappings:
- identifier: Address
columnName: InitiatingIpAddress
entityType: IP
- fieldMappings:
- identifier: FullName
columnName: UserAdded
- identifier: Name
columnName: UserAddedName
- identifier: UPNSuffix
columnName: UserAddedDomain
entityType: Account
triggerThreshold: 0
id: 99d589fa-7337-40d7-91a0-c96d0c4fa437
tactics:
- Persistence
version: 1.2.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml
queryPeriod: 7d
kind: Scheduled
tags:
- AADSecOpsGuide
metadata:
categories:
domains:
- Security - Others
- Identity
author:
name: Microsoft Security Research
support:
tier: Community
source:
kind: Community
queryFrequency: 1d
severity: Medium
description: |
'This query looks for an account being created from a domain that is not regularly seen in a tenant.
Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.
Created accounts should be investigated to confirm expected creation.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'
query: |
let core_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where ResultType == 0
| extend domain = tolower(split(UserPrincipalName, "@")[1])
| summarize by tostring(domain));
let alternative_domains = (SigninLogs
| where TimeGenerated > ago(7d)
| where isnotempty(AlternateSignInName)
| where ResultType == 0
| extend domain = tolower(split(AlternateSignInName, "@")[1])
| summarize by tostring(domain));
AuditLogs
| where TimeGenerated > ago(1d)
| where OperationName =~ "Add User"
| extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
| extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
| extend UserAdded = tostring(TargetResources[0].userPrincipalName)
| extend UserAddedDomain = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[1]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[1]),
UserAdded)
| where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)
| extend AddedByName = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[0]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[0]),
InitiatingUserPrincipalName)
| extend AddedByUPNSuffix = case(
InitiatingUserPrincipalName has "#EXT#", tostring(split(tostring(split(InitiatingUserPrincipalName, "#EXT#")[0]), "_")[1]),
InitiatingUserPrincipalName !has "#EXT#", tostring(split(InitiatingUserPrincipalName, "@")[1]),
InitiatingUserPrincipalName)
| extend UserAddedName = case(
UserAdded has "#EXT#", tostring(split(tostring(split(UserAdded, "#EXT#")[0]), "_")[0]),
UserAdded !has "#EXT#", tostring(split(UserAdded, "@")[0]),
UserAdded)
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/99d589fa-7337-40d7-91a0-c96d0c4fa437')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/99d589fa-7337-40d7-91a0-c96d0c4fa437')]",
"properties": {
"alertRuleTemplateName": "99d589fa-7337-40d7-91a0-c96d0c4fa437",
"customDetails": null,
"description": "'This query looks for an account being created from a domain that is not regularly seen in a tenant.\n Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment.\n Created accounts should be investigated to confirm expected creation.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts'\n",
"displayName": "Account created from non-approved sources",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAppName",
"identifier": "Name"
},
{
"columnName": "InitiatingAppServicePrincipalId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingUserPrincipalName",
"identifier": "FullName"
},
{
"columnName": "AddedByName",
"identifier": "Name"
},
{
"columnName": "AddedByUPNSuffix",
"identifier": "UPNSuffix"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "InitiatingAadUserId",
"identifier": "AadUserId"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "InitiatingIpAddress",
"identifier": "Address"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserAdded",
"identifier": "FullName"
},
{
"columnName": "UserAddedName",
"identifier": "Name"
},
{
"columnName": "UserAddedDomain",
"identifier": "UPNSuffix"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/Accountcreatedfromnon-approvedsources.yaml",
"query": "let core_domains = (SigninLogs\n | where TimeGenerated > ago(7d)\n | where ResultType == 0\n | extend domain = tolower(split(UserPrincipalName, \"@\")[1])\n | summarize by tostring(domain));\n let alternative_domains = (SigninLogs\n | where TimeGenerated > ago(7d)\n | where isnotempty(AlternateSignInName)\n | where ResultType == 0\n | extend domain = tolower(split(AlternateSignInName, \"@\")[1])\n | summarize by tostring(domain));\n AuditLogs\n | where TimeGenerated > ago(1d)\n | where OperationName =~ \"Add User\"\n | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)\n | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)\n | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)\n | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)\n | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))\n | extend UserAdded = tostring(TargetResources[0].userPrincipalName)\n | extend UserAddedDomain = case(\n UserAdded has \"#EXT#\", tostring(split(tostring(split(UserAdded, \"#EXT#\")[0]), \"_\")[1]),\n UserAdded !has \"#EXT#\", tostring(split(UserAdded, \"@\")[1]),\n UserAdded)\n | where UserAddedDomain !in (core_domains) and UserAddedDomain !in (alternative_domains)\n | extend AddedByName = case(\n InitiatingUserPrincipalName has \"#EXT#\", tostring(split(tostring(split(InitiatingUserPrincipalName, \"#EXT#\")[0]), \"_\")[0]),\n InitiatingUserPrincipalName !has \"#EXT#\", tostring(split(InitiatingUserPrincipalName, \"@\")[0]),\n InitiatingUserPrincipalName)\n | extend AddedByUPNSuffix = case(\n InitiatingUserPrincipalName has \"#EXT#\", tostring(split(tostring(split(InitiatingUserPrincipalName, \"#EXT#\")[0]), \"_\")[1]),\n InitiatingUserPrincipalName !has \"#EXT#\", tostring(split(InitiatingUserPrincipalName, \"@\")[1]),\n InitiatingUserPrincipalName)\n | extend UserAddedName = case(\n UserAdded has \"#EXT#\", tostring(split(tostring(split(UserAdded, \"#EXT#\")[0]), \"_\")[0]),\n UserAdded !has \"#EXT#\", tostring(split(UserAdded, \"@\")[0]),\n UserAdded)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"severity": "Medium",
"subTechniques": [
"T1136.003"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1136"
],
"templateVersion": "1.2.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}