Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Suspicious Sign In Followed by MFA Modification

Back
Idaec77100-25c5-4254-a20a-8027ed92c46c
RulenameSuspicious Sign In Followed by MFA Modification
DescriptionThis query looks uses Microsoft Sentinel’s UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
SeverityMedium
TacticsInitialAccess
DefenseEvasion
TechniquesT1078.004
T1556.006
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
Version1.0.1
Arm templateaec77100-25c5-4254-a20a-8027ed92c46c.json
Deploy To Azure
let PriorityScore = 9;
BehaviorAnalytics
| where ActionType == "Sign-in"
| where InvestigationPriority > PriorityScore
| extend UserPrincipalName = tolower(UserPrincipalName)
| extend LogOnTime = TimeGenerated
| join kind=inner (AuditLogs
| where Category =~ "UserManagement" 
| where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| extend InitiatorID = tostring(InitiatedBy.user.id)
| extend FromIP = tostring(InitiatedBy.user.ipAddress) 
| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
| extend TargetId = tostring(TargetResources[0].id)
| extend MFAModTime = TimeGenerated
| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
| extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml
id: aec77100-25c5-4254-a20a-8027ed92c46c
name: Suspicious Sign In Followed by MFA Modification
query: |
  let PriorityScore = 9;
  BehaviorAnalytics
  | where ActionType == "Sign-in"
  | where InvestigationPriority > PriorityScore
  | extend UserPrincipalName = tolower(UserPrincipalName)
  | extend LogOnTime = TimeGenerated
  | join kind=inner (AuditLogs
  | where Category =~ "UserManagement" 
  | where OperationName in~ ("Admin registered security info", "Admin updated security info", "Admin deleted security info", "User registered security info", "User changed default security info", "User deleted security info","User registered all required security info","User started security info registration") 
  | extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
  | extend InitiatorID = tostring(InitiatedBy.user.id)
  | extend FromIP = tostring(InitiatedBy.user.ipAddress) 
  | extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))
  | extend TargetId = tostring(TargetResources[0].id)
  | extend MFAModTime = TimeGenerated
  | where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN
  | where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))
  | extend InitiatorName = tostring(split(InitiatorUPN, "@")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, "@")[1]), TargetName = tostring(split(TargetUPN, "@")[0]), TargetUPNSuffix = tostring(split(TargetUPN, "@")[1])  
entityMappings:
- fieldMappings:
  - columnName: InitiatorUPN
    identifier: FullName
  - columnName: InitiatorName
    identifier: Name
  - columnName: InitiatorUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: InitiatorID
    identifier: AadUserId
  entityType: Account
- fieldMappings:
  - columnName: TargetUPN
    identifier: FullName
  - columnName: TargetName
    identifier: Name
  - columnName: TargetUPNSuffix
    identifier: UPNSuffix
  entityType: Account
- fieldMappings:
  - columnName: TargetId
    identifier: AadUserId
  entityType: Account
- fieldMappings:
  - columnName: FromIP
    identifier: Address
  entityType: IP
- fieldMappings:
  - columnName: SourceIPAddress
    identifier: Address
  entityType: IP
queryPeriod: 1d
triggerThreshold: 0
eventGroupingSettings:
  aggregationKind: AlertPerResult
tactics:
- InitialAccess
- DefenseEvasion
version: 1.0.1
kind: Scheduled
relevantTechniques:
- T1078.004
- T1556.006
queryFrequency: 1d
status: Available
requiredDataConnectors:
- dataTypes:
  - AuditLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - BehaviorAnalytics
  connectorId: BehaviorAnalytics
description: |
    'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'
alertDetailsOverride:
  alertDescriptionFormat: |
    This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.
    In this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.
    The sign in was from {{SourceIPAddress}}.    
  alertDisplayNameFormat: Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}
triggerOperator: gt
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/aec77100-25c5-4254-a20a-8027ed92c46c')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/aec77100-25c5-4254-a20a-8027ed92c46c')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.\nIn this case {{InitiatorUPN}} logged in followed by a modification to MFA settings for {{TargetUPN}}.\nThe sign in was from {{SourceIPAddress}}.\n",
          "alertDisplayNameFormat": "Suspicious Sign In by {{InitiatorUPN}} Followed by MFA Modification to {{TargetUPN}}"
        },
        "alertRuleTemplateName": "aec77100-25c5-4254-a20a-8027ed92c46c",
        "customDetails": null,
        "description": "'This query looks uses Microsoft Sentinel's UEBA features to look for suspicious logons followed by modifications to MFA settings by that user.'\n",
        "displayName": "Suspicious Sign In Followed by MFA Modification",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatorUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "InitiatorName",
                "identifier": "Name"
              },
              {
                "columnName": "InitiatorUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "InitiatorID",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetUPN",
                "identifier": "FullName"
              },
              {
                "columnName": "TargetName",
                "identifier": "Name"
              },
              {
                "columnName": "TargetUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "TargetId",
                "identifier": "AadUserId"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "FromIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SourceIPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "AlertPerResult"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Entra ID/Analytic Rules/SuspiciousSignInFollowedByMFAModification.yaml",
        "query": "let PriorityScore = 9;\nBehaviorAnalytics\n| where ActionType == \"Sign-in\"\n| where InvestigationPriority > PriorityScore\n| extend UserPrincipalName = tolower(UserPrincipalName)\n| extend LogOnTime = TimeGenerated\n| join kind=inner (AuditLogs\n| where Category =~ \"UserManagement\" \n| where OperationName in~ (\"Admin registered security info\", \"Admin updated security info\", \"Admin deleted security info\", \"User registered security info\", \"User changed default security info\", \"User deleted security info\",\"User registered all required security info\",\"User started security info registration\") \n| extend InitiatorUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))\n| extend InitiatorID = tostring(InitiatedBy.user.id)\n| extend FromIP = tostring(InitiatedBy.user.ipAddress) \n| extend TargetUPN = tolower(tostring(TargetResources[0].userPrincipalName))\n| extend TargetId = tostring(TargetResources[0].id)\n| extend MFAModTime = TimeGenerated\n| where isnotempty(InitiatorUPN)) on $left.UserPrincipalName == $right.InitiatorUPN\n| where MFAModTime between((LogOnTime-30m)..(LogOnTime+1h))\n| extend InitiatorName = tostring(split(InitiatorUPN, \"@\")[0]), InitiatorUPNSuffix = tostring(split(InitiatorUPN, \"@\")[1]), TargetName = tostring(split(TargetUPN, \"@\")[0]), TargetUPNSuffix = tostring(split(TargetUPN, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1556"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}