Authentications of Privileged Accounts Outside of Expected Controls
| Id | af435ca1-fb70-4de1-92c1-7435c48482a9 |
| Rulename | Authentications of Privileged Accounts Outside of Expected Controls |
| Description | Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days. Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory BehaviorAnalytics |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml |
| Version | 1.0.2 |
| Arm template | af435ca1-fb70-4de1-92c1-7435c48482a9.json |
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
let admin_asn = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by AutonomousSystemNumber);
let admin_locations = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by Location);
let admin_devices = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where isnotempty(deviceId)
| summarize by deviceId);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
name: Authentications of Privileged Accounts Outside of Expected Controls
tags:
- AADSecOpsGuide
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml
queryPeriod: 7d
version: 1.0.2
severity: Medium
id: af435ca1-fb70-4de1-92c1-7435c48482a9
triggerOperator: gt
triggerThreshold: 0
kind: Scheduled
requiredDataConnectors:
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
- dataTypes:
- BehaviorAnalytics
connectorId: BehaviorAnalytics
- dataTypes:
- IdentityInfo
connectorId: BehaviorAnalytics
metadata:
source:
kind: Community
support:
tier: Community
categories:
domains:
- Security - Others
- Identity
author:
name: Pete Bryan
relevantTechniques:
- T1078.004
description: |
'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.
Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.
Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'
query: |
let admin_users = (IdentityInfo
| summarize arg_max(TimeGenerated, *) by AccountUPN
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
let admin_asn = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by AutonomousSystemNumber);
let admin_locations = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| summarize by Location);
let admin_devices = (SigninLogs
| where TimeGenerated between (ago(7d)..ago(1d))
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where isnotempty(deviceId)
| summarize by deviceId);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admin_users)
| extend deviceId = tostring(DeviceDetail.deviceId)
| where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
tactics:
- InitialAccess
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserPrincipalName
identifier: FullName
queryFrequency: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af435ca1-fb70-4de1-92c1-7435c48482a9')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af435ca1-fb70-4de1-92c1-7435c48482a9')]",
"properties": {
"alertRuleTemplateName": "af435ca1-fb70-4de1-92c1-7435c48482a9",
"customDetails": null,
"description": "'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\n Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'\n",
"displayName": "Authentications of Privileged Accounts Outside of Expected Controls",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml",
"query": "let admin_users = (IdentityInfo\n | summarize arg_max(TimeGenerated, *) by AccountUPN\n | where AssignedRoles contains \"admin\"\n | summarize by tolower(AccountUPN));\n let admin_asn = (SigninLogs\n | where TimeGenerated between (ago(7d)..ago(1d))\n | where tolower(UserPrincipalName) in (admin_users)\n | summarize by AutonomousSystemNumber);\n let admin_locations = (SigninLogs\n | where TimeGenerated between (ago(7d)..ago(1d))\n | where tolower(UserPrincipalName) in (admin_users)\n | summarize by Location);\n let admin_devices = (SigninLogs\n | where TimeGenerated between (ago(7d)..ago(1d))\n | where tolower(UserPrincipalName) in (admin_users)\n | extend deviceId = tostring(DeviceDetail.deviceId)\n | where isnotempty(deviceId)\n | summarize by deviceId);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where tolower(UserPrincipalName) in (admin_users)\n | extend deviceId = tostring(DeviceDetail.deviceId)\n | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"severity": "Medium",
"subTechniques": [
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.2",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}