User Account Created Using Incorrect Naming Format
Id | ee55dc85-d2da-48c1-a6c0-3eaee62a8d56 |
Rulename | User Account Created Using Incorrect Naming Format |
Description | This query looks for accounts being created where the name does not match a defined pattern. Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts. Created accounts should be investigated to ensure they were legitimated created. The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies |
Severity | Low |
Tactics | Persistence |
Techniques | T1136.003 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAccountCreatedUsingIncorrectNamingFormat.yaml |
Version | 1.0.1 |
Arm template | ee55dc85-d2da-48c1-a6c0-3eaee62a8d56.json |
// Add the environments expected username format regex below before deploying
let user_regex = "";
AuditLogs
| where OperationName =~ "Add user"
| where Result =~ "success"
| extend userAgent = tostring(AdditionalDetails[0].value)
| extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| where AddedUser matches regex user_regex
id: ee55dc85-d2da-48c1-a6c0-3eaee62a8d56
queryFrequency: 1d
version: 1.0.1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- AuditLogs
entityMappings:
- fieldMappings:
- columnName: AddedBy
identifier: FullName
entityType: Account
- fieldMappings:
- columnName: AddedUser
identifier: FullName
entityType: Account
kind: Scheduled
queryPeriod: 1d
severity: Low
query: |
// Add the environments expected username format regex below before deploying
let user_regex = "";
AuditLogs
| where OperationName =~ "Add user"
| where Result =~ "success"
| extend userAgent = tostring(AdditionalDetails[0].value)
| extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)
| extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend AddedUser = tostring(TargetResources[0].userPrincipalName)
| where AddedUser matches regex user_regex
metadata:
categories:
domains:
- Security - Others
author:
name: Pete Bryan
support:
tier: Community
source:
kind: Community
triggerOperator: gt
tags:
- AADSecOpsGuide
description: |
'This query looks for accounts being created where the name does not match a defined pattern.
Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.
Created accounts should be investigated to ensure they were legitimated created.
The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies'
triggerThreshold: 0
name: User Account Created Using Incorrect Naming Format
relevantTechniques:
- T1136.003
tactics:
- Persistence
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAccountCreatedUsingIncorrectNamingFormat.yaml
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ee55dc85-d2da-48c1-a6c0-3eaee62a8d56')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "User Account Created Using Incorrect Naming Format",
"description": "'This query looks for accounts being created where the name does not match a defined pattern.\n Attackers may attempt to add accounts as a means of establishing persistant access to an environment, looking for anomalies in created accounts may help identify illegitimately created accounts.\n Created accounts should be investigated to ensure they were legitimated created.\n The user_regex field in the query needs to be populated with the expected pattern for the environment before deployment.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#accounts-not-following-naming-policies'\n",
"severity": "Low",
"enabled": true,
"query": "// Add the environments expected username format regex below before deploying\n let user_regex = \"\";\n AuditLogs\n | where OperationName =~ \"Add user\"\n | where Result =~ \"success\"\n | extend userAgent = tostring(AdditionalDetails[0].value)\n | extend addingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)\n | extend addingApp = tostring(parse_json(tostring(InitiatedBy.app)).displayName)\n | extend AddedBy = iif(isnotempty(addingUser), addingUser, addingApp)\n | extend ipAddress = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)\n | extend AddedUser = tostring(TargetResources[0].userPrincipalName)\n | where AddedUser matches regex user_regex\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"Persistence"
],
"techniques": [
"T1136.003"
],
"alertRuleTemplateName": "ee55dc85-d2da-48c1-a6c0-3eaee62a8d56",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AddedBy"
}
]
},
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AddedUser"
}
]
}
],
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/AuditLogs/UserAccountCreatedUsingIncorrectNamingFormat.yaml",
"templateVersion": "1.0.1"
}
}
]
}