High-Risk Cross-Cloud User Impersonation
Id | f4a28082-2808-4783-9736-33c1ae117475 |
Rulename | High-Risk Cross-Cloud User Impersonation |
Description | This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments. |
Severity | Medium |
Tactics | PrivilegeEscalation |
Techniques | T1134 T1078.002 T1078.004 |
Required data connectors | AWS AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml |
Version | 1.0.1 |
Arm template | f4a28082-2808-4783-9736-33c1ae117475.json |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
id: f4a28082-2808-4783-9736-33c1ae117475
queryFrequency: 1d
version: 1.0.1
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml
requiredDataConnectors:
- dataTypes:
- AWSCloudTrail
connectorId: AWS
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
query: |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
name: High-Risk Cross-Cloud User Impersonation
customDetails:
AzureUser: UserPrincipalName
AwsUser: UserIdentityArn
RiskEventTypes: RiskEventTypes
AWSEventName: EventName
kind: Scheduled
description: |
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
severity: Medium
triggerOperator: gt
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SourceIpAddress
identifier: Address
triggerThreshold: 0
queryPeriod: 1d
tactics:
- PrivilegeEscalation
relevantTechniques:
- T1134
- T1078.002
- T1078.004
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f4a28082-2808-4783-9736-33c1ae117475')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f4a28082-2808-4783-9736-33c1ae117475')]",
"properties": {
"alertRuleTemplateName": "f4a28082-2808-4783-9736-33c1ae117475",
"customDetails": {
"AWSEventName": "EventName",
"AwsUser": "UserIdentityArn",
"AzureUser": "UserPrincipalName",
"RiskEventTypes": "RiskEventTypes"
},
"description": "'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'\n",
"displayName": "High-Risk Cross-Cloud User Impersonation",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml",
"query": "// Retrieve Azure AD SigninLogs within the last day\nSigninLogs \n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\n| where AppDisplayName in (\"Azure Portal\", \"ADFS Trust\", \"Microsoft Azure PowerShell\")\n and RiskLevelAggregated == \"high\"\n and RiskLevelDuringSignIn == \"high\"\n// Summarize AppDisplayNames by relevant attributes\n| extend Result = iff(ResultType == 0, \"Successful Signin\", \"Failed Signin\")\n| summarize make_set(AppDisplayName)\n by\n IPAddress,\n signInTime=TimeGenerated,\n UserPrincipalName,\n RiskEventTypes,\n RiskEventTypes_V2\n// Inner join with AWS CloudTrail events\n| join kind=inner (\n AWSCloudTrail\n | where isempty(ErrorMessage)\n | where EventSource in (\"iam.amazonaws.com\", \"identitystore.amazonaws.com\", \"workmail.amazonaws.com\", \"workdocs.amazonaws.com\")\n // List of AWS event names\n | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\", \"CreateOrganization\", \"SetDefaultMailDomain\", \"SetMailUserDetails\", \"CreateMailUser\", \"ResetPassword\", \"RegisterToWorkMail\", \"DisableMailUsers\", \"EnableMailUsers\", \"DeleteServiceSpecificCredential\", \"CreateServiceSpecificCredential\", \"UpdateAccountEmailAddress\", \"DeleteGroupPolicy\", \"UploadServerCertificate\") \n // Summarize relevant attributes\n | summarize make_set(RequestParameters), make_set(ResponseElements)\n by\n SourceIpAddress,\n UserIdentityArn,\n UserIdentityType,\n EventName,\n EventTime=TimeGenerated,\n EventSource\n )\n on $left.IPAddress == $right.SourceIpAddress \n// Calculate time difference in hours between AWS event and Azure sign-in\n| extend timedef = datetime_diff(\"hour\", EventTime, signInTime)\n// Filter for time differences within a certain range\n| where timedef between (0 .. 8)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [
"T1078.002",
"T1078.004"
],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078",
"T1134"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}