Microsoft Sentinel Analytic Rules

Users searching for VIP user activity

Id: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
Rule name: Users searching for VIP user activity
Description: This query monitors for users running Log Analytics queries (recorded in the LAQueryLogs table) whose query text references specific, defined VIP user accounts or the `VIPUsers` watchlist (the alias used by the VIP Users watchlist template).

Use this detection to alert on users specifically searching for the activity of sensitive users. Two operational notes: LAQueryLogs is only populated when the workspace's audit diagnostic setting is enabled (there is no data connector to install), and the rule flags the search itself whether or not it returned any rows — ResponseRowCount is carried in the output so the analyst can judge what the searcher actually saw.
Severity: Low
Tactics: Collection, Exfiltration
Techniques: T1530, T1213, T1020
Kind: Scheduled
Query frequency: 1d
Query period: 1d
Trigger threshold: 0
Trigger operator: gt (GreaterThan)
Source URI: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
Version: 1.1.4
ARM template: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e.json
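// Replace these with the username or emails of your VIP users you wish to monitor for.
// has_any is a term match and is case-insensitive, so a UPN listed here also matches
// when it is quoted inside a larger filter expression in the searcher's query.
let vips = dynamic(['vip1@email.com','vip2@email.com']);
// Add users who are allowed to conduct these searches - this could be specific SOC team members.
// Leave the list empty to alert on everyone (an empty list excludes nobody).
let allowed_users = dynamic([]);
LAQueryLogs
// Match either a defined VIP identity in the query text, or a read of the VIPUsers
// watchlist via _GetWatchlist in both quoting styles. Other spellings (for example
// whitespace inside the call, or a direct read of the Watchlist table) are not matched
// by these literals; extend the list if that matters in your environment.
| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
// Case-insensitive exclusion: the casing of AADEmail in LAQueryLogs is not guaranteed to
// match how the allow-list was typed, and a case-sensitive !in would keep re-alerting on
// allowed analysts. (Deviation from upstream 1.1.4, which uses !in.)
| where AADEmail !in~ (allowed_users)
| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
// Split the searcher's UPN into Name / UPNSuffix for the Account entity mapping.
| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, "@")[0]), AccountUPNSuffix = tostring(split(AADEmail, "@")[1])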
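# Scheduled analytic rule: alerts on users whose Log Analytics queries reference defined
# VIP identities or the VIPUsers watchlist. Reads the LAQueryLogs table, which is only
# populated when the workspace's audit diagnostic setting is enabled (no connector needed,
# hence requiredDataConnectors is empty).
kind: Scheduled
relevantTechniques:
- T1530
- T1213
- T1020
metadata:
  support:
    tier: Community
  author:
    name: Microsoft Security Research
  categories:
    domains:
    - Security - Others
  source:
    kind: Community
description: |
  This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUsers watchlist template.
  Use this detection to alert for users specifically searching for activity of sensitive users.
# Daily lookback and daily run: every matching query in the last day is surfaced once.
queryPeriod: 1d
queryFrequency: 1d
tactics:
- Collection
- Exfiltration
name: Users searching for VIP user activity
requiredDataConnectors: []
# The Account entity is the searcher (split from AADEmail); the AzureResource entity is
# the workspace the query ran against (RequestTarget).
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: RequestTarget
triggerThreshold: 0
version: 1.1.4
id: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
# NOTE(review): the allow-list comparison below uses !in~ (case-insensitive) instead of
# upstream 1.1.4's !in, so SOC members listed in a different case than AADEmail records
# them are still excluded.
query: |
  // Replace these with the username or emails of your VIP users you wish to monitor for.
  let vips = dynamic(['vip1@email.com','vip2@email.com']);
  // Add users who are allowed to conduct these searches - this could be specific SOC team members
  let allowed_users = dynamic([]);
  LAQueryLogs
  | where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
  // Case-insensitive: AADEmail casing need not match how the allow-list was typed.
  | where AADEmail !in~ (allowed_users)
  | project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
  | extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, "@")[0]), AccountUPNSuffix = tostring(split(AADEmail, "@")[1])
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
severity: Low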
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e')]",
      "properties": {
        "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e",
        "customDetails": null,
        "description": "This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUsers watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.\n",
        "displayName": "Users searching for VIP user activity",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "AzureResource",
            "fieldMappings": [
              {
                "columnName": "RequestTarget",
                "identifier": "ResourceId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml",
        "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountName = tostring(split(AADEmail, \"@\")[0]), AccountUPNSuffix = tostring(split(AADEmail, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Low",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "techniques": [
          "T1020",
          "T1213",
          "T1530"
        ],
        "templateVersion": "1.1.4",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}