Users searching for VIP user activity

Back


Id	f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
Rulename	Users searching for VIP user activity
Description	This query monitors for users running Log Analytics queries that contain filters for specific, defined VIP user accounts or the VIPUser watchlist template. Use this detection to alert for users specifically searching for activity of sensitive users.
Severity	Low
Tactics	Collection Exfiltration
Techniques	T1530 T1213 T1020
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
Version	1.1.2
Arm template	f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e.json

KQL

// Replace these with the username or emails of your VIP users you wish to monitor for.
let vips = dynamic(['vip1@email.com','vip2@email.com']);
// Add users who are allowed to conduct these searches - this could be specific SOC team members
let allowed_users = dynamic([]);
LAQueryLogs
| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
| where AADEmail !in (allowed_users)
| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail

YAML

severity: Low
triggerThreshold: 0
metadata:
  source:
    kind: Community
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
  author:
    name: Pete Bryan
queryFrequency: 1d
requiredDataConnectors: []
id: f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e
version: 1.1.2
name: Users searching for VIP user activity
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml
queryPeriod: 1d
relevantTechniques:
- T1530
- T1213
- T1020
triggerOperator: gt
tactics:
- Collection
- Exfiltration
query: |
  // Replace these with the username or emails of your VIP users you wish to monitor for.
  let vips = dynamic(['vip1@email.com','vip2@email.com']);
  // Add users who are allowed to conduct these searches - this could be specific SOC team members
  let allowed_users = dynamic([]);
  LAQueryLogs
  | where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist("VIPUsers")', "_GetWatchlist('VIPUsers')")
  | where AADEmail !in (allowed_users)
  | project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget
  | extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: RequestTarget
description: |
  This query monitors for users running Log Analytics queries that contain filters
  for specific, defined VIP user accounts or the VIPUser watchlist template.
  Use this detection to alert for users specifically searching for activity of sensitive users.

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Users searching for VIP user activity",
        "description": "This query monitors for users running Log Analytics queries that contain filters\nfor specific, defined VIP user accounts or the VIPUser watchlist template.\nUse this detection to alert for users specifically searching for activity of sensitive users.\n",
        "severity": "Low",
        "enabled": true,
        "query": "// Replace these with the username or emails of your VIP users you wish to monitor for.\nlet vips = dynamic(['vip1@email.com','vip2@email.com']);\n// Add users who are allowed to conduct these searches - this could be specific SOC team members\nlet allowed_users = dynamic([]);\nLAQueryLogs\n| where QueryText has_any (vips) or QueryText has_any ('_GetWatchlist(\"VIPUsers\")', \"_GetWatchlist('VIPUsers')\")\n| where AADEmail !in (allowed_users)\n| project TimeGenerated, AADEmail, RequestClientApp, QueryText, ResponseRowCount, RequestTarget\n| extend timestamp = TimeGenerated, AccountCustomEntity = AADEmail\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "Collection",
          "Exfiltration"
        ],
        "techniques": [
          "T1530",
          "T1213",
          "T1020"
        ],
        "alertRuleTemplateName": "f7f4a77e-f68f-4b56-9aaf-a0c9d87d7a8e",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "FullName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "columnName": "RequestTarget",
                "identifier": "ResourceId"
              }
            ],
            "entityType": "AzureResource"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/LAQueryLogs/UserSearchingForVIPUserActivity.yaml",
        "templateVersion": "1.1.2"
      }
    }
  ]
}