High-Risk Cross-Cloud User Impersonation
| Id | f4a28082-2808-4783-9736-33c1ae117475 |
| Rulename | High-Risk Cross-Cloud User Impersonation |
| Description | This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments. |
| Severity | Medium |
| Tactics | PrivilegeEscalation |
| Techniques | T1134 T1078.002 T1078.004 |
| Required data connectors | AWS AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 1d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml |
| Version | 1.0.1 |
| Arm template | f4a28082-2808-4783-9736-33c1ae117475.json |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
id: f4a28082-2808-4783-9736-33c1ae117475
requiredDataConnectors:
- connectorId: AWS
dataTypes:
- AWSCloudTrail
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml
severity: Medium
description: |
'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'
relevantTechniques:
- T1134
- T1078.002
- T1078.004
tactics:
- PrivilegeEscalation
triggerThreshold: 0
kind: Scheduled
query: |
// Retrieve Azure AD SigninLogs within the last day
SigninLogs
// Filter for specific AppDisplayNames, ResultType, and Risk Levels
| where AppDisplayName in ("Azure Portal", "ADFS Trust", "Microsoft Azure PowerShell")
and RiskLevelAggregated == "high"
and RiskLevelDuringSignIn == "high"
// Summarize AppDisplayNames by relevant attributes
| extend Result = iff(ResultType == 0, "Successful Signin", "Failed Signin")
| summarize make_set(AppDisplayName)
by
IPAddress,
signInTime=TimeGenerated,
UserPrincipalName,
RiskEventTypes,
RiskEventTypes_V2
// Inner join with AWS CloudTrail events
| join kind=inner (
AWSCloudTrail
| where isempty(ErrorMessage)
| where EventSource in ("iam.amazonaws.com", "identitystore.amazonaws.com", "workmail.amazonaws.com", "workdocs.amazonaws.com")
// List of AWS event names
| where EventName in~ ("CreateRole", "DeleteRole", "CreateUser", "CreateAccessKey", "DeleteAccessKey", "CreateGroup", "AddUserToGroup", "ChangePassword", "DeleteGroup", "DeleteUser", "RemoveUserFromGroup", "CreateVirtualMFADevice", "DeleteLoginProfile", "CreateOrganization", "SetDefaultMailDomain", "SetMailUserDetails", "CreateMailUser", "ResetPassword", "RegisterToWorkMail", "DisableMailUsers", "EnableMailUsers", "DeleteServiceSpecificCredential", "CreateServiceSpecificCredential", "UpdateAccountEmailAddress", "DeleteGroupPolicy", "UploadServerCertificate")
// Summarize relevant attributes
| summarize make_set(RequestParameters), make_set(ResponseElements)
by
SourceIpAddress,
UserIdentityArn,
UserIdentityType,
EventName,
EventTime=TimeGenerated,
EventSource
)
on $left.IPAddress == $right.SourceIpAddress
// Calculate time difference in hours between AWS event and Azure sign-in
| extend timedef = datetime_diff("hour", EventTime, signInTime)
// Filter for time differences within a certain range
| where timedef between (0 .. 8)
name: High-Risk Cross-Cloud User Impersonation
version: 1.0.1
queryFrequency: 1d
entityMappings:
- fieldMappings:
- identifier: Address
columnName: SourceIpAddress
entityType: IP
customDetails:
AWSEventName: EventName
AzureUser: UserPrincipalName
AwsUser: UserIdentityArn
RiskEventTypes: RiskEventTypes
triggerOperator: gt
queryPeriod: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f4a28082-2808-4783-9736-33c1ae117475')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f4a28082-2808-4783-9736-33c1ae117475')]",
"properties": {
"alertRuleTemplateName": "f4a28082-2808-4783-9736-33c1ae117475",
"customDetails": {
"AWSEventName": "EventName",
"AwsUser": "UserIdentityArn",
"AzureUser": "UserPrincipalName",
"RiskEventTypes": "RiskEventTypes"
},
"description": "'This detection focuses on identifying high-risk cross-cloud activities and sign-in anomalies that may indicate potential security threats. The query starts by analyzing Microsoft Entra ID Signin Logs to pinpoint instances where specific applications, risk levels, and result types align. It then correlates this information with relevant AWS CloudTrail events to identify activities across Azure and AWS environments.'\n",
"displayName": "High-Risk Cross-Cloud User Impersonation",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SourceIpAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Multi Cloud Attack Coverage Essentials - Resource Abuse/Analytic Rules/UserImpersonateByRiskyUser.yaml",
"query": "// Retrieve Azure AD SigninLogs within the last day\nSigninLogs \n// Filter for specific AppDisplayNames, ResultType, and Risk Levels\n| where AppDisplayName in (\"Azure Portal\", \"ADFS Trust\", \"Microsoft Azure PowerShell\")\n and RiskLevelAggregated == \"high\"\n and RiskLevelDuringSignIn == \"high\"\n// Summarize AppDisplayNames by relevant attributes\n| extend Result = iff(ResultType == 0, \"Successful Signin\", \"Failed Signin\")\n| summarize make_set(AppDisplayName)\n by\n IPAddress,\n signInTime=TimeGenerated,\n UserPrincipalName,\n RiskEventTypes,\n RiskEventTypes_V2\n// Inner join with AWS CloudTrail events\n| join kind=inner (\n AWSCloudTrail\n | where isempty(ErrorMessage)\n | where EventSource in (\"iam.amazonaws.com\", \"identitystore.amazonaws.com\", \"workmail.amazonaws.com\", \"workdocs.amazonaws.com\")\n // List of AWS event names\n | where EventName in~ (\"CreateRole\", \"DeleteRole\", \"CreateUser\", \"CreateAccessKey\", \"DeleteAccessKey\", \"CreateGroup\", \"AddUserToGroup\", \"ChangePassword\", \"DeleteGroup\", \"DeleteUser\", \"RemoveUserFromGroup\", \"CreateVirtualMFADevice\", \"DeleteLoginProfile\", \"CreateOrganization\", \"SetDefaultMailDomain\", \"SetMailUserDetails\", \"CreateMailUser\", \"ResetPassword\", \"RegisterToWorkMail\", \"DisableMailUsers\", \"EnableMailUsers\", \"DeleteServiceSpecificCredential\", \"CreateServiceSpecificCredential\", \"UpdateAccountEmailAddress\", \"DeleteGroupPolicy\", \"UploadServerCertificate\") \n // Summarize relevant attributes\n | summarize make_set(RequestParameters), make_set(ResponseElements)\n by\n SourceIpAddress,\n UserIdentityArn,\n UserIdentityType,\n EventName,\n EventTime=TimeGenerated,\n EventSource\n )\n on $left.IPAddress == $right.SourceIpAddress \n// Calculate time difference in hours between AWS event and Azure sign-in\n| extend timedef = datetime_diff(\"hour\", EventTime, signInTime)\n// Filter for time differences within a certain range\n| where timedef between (0 .. 8)\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"PrivilegeEscalation"
],
"techniques": [
"T1078",
"T1134"
],
"templateVersion": "1.0.1",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}