Suspicious Sign In Followed by MFA Modification
| Id | aec77100-25c5-4254-a20a-8027ed92c46c |
| Rulename | Suspicious Sign In Followed by MFA Modification |
| Description | This query looks uses Microsoft Sentinel’s UEBA features to look for suspicious logons followed by modifications to MFA settings by that user. |
| Severity | Medium |
| Tactics | InitialAccess DefenseEvasion |
| Techniques | T1078.004 T1556.006 |
| Required data connectors | AzureActiveDirectory BehaviorAnalytics |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml |
| Version | 1.0.1 |
| Arm template | aec77100-25c5-4254-a20a-8027ed92c46c.json |
let PriorityScore = 9;
BehaviorAnalytics
| where ActionType == "Sign-in"
| where InvestigationPriority > PriorityScore
| extend UserPrincipalName = tolower(UserPrincipalName)
| extend LogOnTime = TimeGenerated
| join kind=inner (AuditLogs
| where Category =~ "UserManagement"
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration")
| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| extend InitiatorID = tostring(InitiatedBy.user.id)
| extend FromIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TargetId = tostring(TargetResources[0].id)
| extend MFAModTime = TimeGenerated
| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
| extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])
requiredDataConnectors:
- dataTypes:
- AuditLogs
connectorId: AzureActiveDirectory
- dataTypes:
- BehaviorAnalytics
connectorId: BehaviorAnalytics
query: |
let PriorityScore = 9;
BehaviorAnalytics
| where ActionType == "Sign-in"
| where InvestigationPriority > PriorityScore
| extend UserPrincipalName = tolower(UserPrincipalName)
| extend LogOnTime = TimeGenerated
| join kind=inner (AuditLogs
| where Category =~ "UserManagement"
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration")
| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| extend InitiatorID = tostring(InitiatedBy.user.id)
| extend FromIP = tostring(InitiatedBy.user.ipAddress)
| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TargetId = tostring(TargetResources[0].id)
| extend MFAModTime = TimeGenerated
| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
| extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])
triggerOperator: gt
severity: Medium
queryPeriod: 1d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
name: Suspicious Sign In Followed by MFA Modification
alertDetailsOverride:
alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}
alertDescriptionFormat: |
This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
In this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.
The sign in was from {{SourceIPAddress}}.
tactics:
- InitialAccess
- DefenseEvasion
relevantTechniques:
- T1078.004
- T1556.006
kind: Scheduled
status: Available
eventGroupingSettings:
aggregationKind: AlertPerResult
id: aec77100-25c5-4254-a20a-8027ed92c46c
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: InitiatorUPN
- identifier: Name
columnName: InitiatorName
- identifier: UPNSuffix
columnName: InitiatorUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: InitiatorID
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUPN
- identifier: Name
columnName: TargetName
- identifier: UPNSuffix
columnName: TargetUPNSuffix
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: TargetId
- entityType: IP
fieldMappings:
- identifier: Address
columnName: FromIP
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIPAddress
queryFrequency: 1d
version: 1.0.1
triggerThreshold: 0
description: |
'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'