Microsoft Sentinel Analytic Rules

Suspicious Sign In Followed by MFA Modification

Idaec77100-25c5-4254-a20a-8027ed92c46c
RulenameSuspicious Sign In Followed by MFA Modification
DescriptionThis query uses Microsoft Sentinel’s UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
SeverityMedium
TacticsInitialAccess
DefenseEvasion
TechniquesT1078.004
T1556.006
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
Version1.0.1
Arm templateaec77100-25c5-4254-a20a-8027ed92c46c.json
// Sign-ins whose UEBA InvestigationPriority exceeds this score are treated as suspicious.
let PriorityScore = 9;
// Entra ID audit events in which a user's security info (MFA registration) was changed.
// The initiator is the account that performed the change; the target is the account whose
// security info was modified (the two differ for the "Admin ..." operations).
let SecurityInfoChanges = AuditLogs
    | where Category =~ "UserManagement" 
    | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
    | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
    | extend InitiatorID = tostring(InitiatedBy.user.id)
    // IP recorded on the audit event for the initiator of the change.
    | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
    | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
    | extend TargetId = tostring(TargetResources[0].id)
    | extend MFAModTime = TimeGenerated
    // Events without an initiator UPN cannot be correlated to a sign-in.
    | where isnotempty(InitiatorUPN);
// Suspicious sign-ins, correlated to security-info changes made by the same account
// (UPNs are lower-cased on both sides so the join is case-insensitive).
BehaviorAnalytics
| where ActionType == "Sign-in"
| where InvestigationPriority > PriorityScore
| extend UserPrincipalName = tolower(UserPrincipalName)
| extend LogOnTime = TimeGenerated
| join kind=inner SecurityInfoChanges on $left.UserPrincipalName == $right.InitiatorUPN
// Keep only changes made between 30 minutes before and 1 hour after the sign-in.
| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
// Split the UPNs into name / suffix for the Account entity mappings.
| extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1])
| extend TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])
name: Suspicious Sign In Followed by MFA Modification
relevantTechniques:
- T1078.004
- T1556.006
id: aec77100-25c5-4254-a20a-8027ed92c46c
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - BehaviorAnalytics
  connectorId: BehaviorAnalytics
eventGroupingSettings:
  aggregationKind: AlertPerResult
version: 1.0.1
severity: Medium
triggerThreshold: 0
queryPeriod: 1d
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: InitiatorUPN
  - identifier: Name
    columnName: InitiatorName
  - identifier: UPNSuffix
    columnName: InitiatorUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: AadUserId
    columnName: InitiatorID
  entityType: Account
- fieldMappings:
  - identifier: FullName
    columnName: TargetUPN
  - identifier: Name
    columnName: TargetName
  - identifier: UPNSuffix
    columnName: TargetUPNSuffix
  entityType: Account
- fieldMappings:
  - identifier: AadUserId
    columnName: TargetId
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: FromIP
  entityType: IP
- fieldMappings:
  - identifier: Address
    columnName: SourceIPAddress
  entityType: IP
alertDetailsOverride:
  alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}
  alertDescriptionFormat: |
    This query uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
    In this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.
    The sign in was from {{SourceIPAddress}}.    
queryFrequency: 1d
status: Available
query: |
  let PriorityScore = 9;
  BehaviorAnalytics
  | where ActionType == "Sign-in"
  | where InvestigationPriority > PriorityScore
  | extend UserPrincipalName = tolower(UserPrincipalName)
  | extend LogOnTime = TimeGenerated
  | join kind=inner (AuditLogs
  | where Category =~ "UserManagement" 
  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
  | extend InitiatorID = tostring(InitiatedBy.user.id)
  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
  | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
  | extend TargetId = tostring(TargetResources[0].id)
  | extend MFAModTime = TimeGenerated
  | where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
  | where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])  
tactics:
- InitialAccess
- DefenseEvasion
kind: Scheduled
description: |
    'This query uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'
triggerOperator: gt