Authentication Method Changed for Privileged Account

let VIPUsers = (IdentityInfo
| where AssignedRoles contains "Admin"
| summarize by tolower(AccountUPN));
AuditLogs
| where TimeGenerated > ago(2h)
| where Category =~ "UserManagement"
| where ActivityDisplayName =~ "User registered security info"
| where LoggedByService =~ "Authentication Methods"
| extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
| where tolower(TargetUserPrincipalName) in (VIPUsers)
| extend TargetAadUserId = tostring(TargetResources[0].id)
| extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
| extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
| extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
| extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])

description: |
  'Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access.
  Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1'  
kind: Scheduled
tactics:
- Persistence
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - AuditLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Business Email Compromise - Financial Fraud/Analytic Rules/AuthenticationMethodChangedforPrivilegedAccount.yaml
severity: High
name: Authentication Method Changed for Privileged Account
triggerThreshold: 0
queryPeriod: 14d
query: |
  let VIPUsers = (IdentityInfo
  | where AssignedRoles contains "Admin"
  | summarize by tolower(AccountUPN));
  AuditLogs
  | where TimeGenerated > ago(2h)
  | where Category =~ "UserManagement"
  | where ActivityDisplayName =~ "User registered security info"
  | where LoggedByService =~ "Authentication Methods"
  | extend TargetUserPrincipalName = tostring(TargetResources[0].userPrincipalName)
  | where tolower(TargetUserPrincipalName) in (VIPUsers)
  | extend TargetAadUserId = tostring(TargetResources[0].id)
  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
  | extend InitiatingIPAddress = tostring(InitiatedBy.user.ipAddress)
  | extend TargetAccountName = tostring(split(TargetUserPrincipalName, "@")[0]), TargetAccountUPNSuffix = tostring(split(TargetUserPrincipalName, "@")[1])
  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])  
relevantTechniques:
- T1098
id: feb0a2fb-ae75-4343-8cbc-ed545f1da289
queryFrequency: 2h
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: TargetUserPrincipalName
    identifier: FullName
  - columnName: TargetAccountName
    identifier: Name
  - columnName: TargetAccountUPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: TargetAadUserId
    identifier: AadUserId
- entityType: Account
  fieldMappings:
  - columnName: InitiatingUserPrincipalName
    identifier: FullName
  - columnName: InitiatingAccountName
    identifier: Name
  - columnName: InitiatingAccountUPNSuffix
    identifier: UPNSuffix
- entityType: Account
  fieldMappings:
  - columnName: InitiatingAadUserId
    identifier: AadUserId
- entityType: IP
  fieldMappings:
  - columnName: InitiatingIPAddress
    identifier: Address
triggerOperator: gt
version: 1.0.5
tags:
- AADSecOpsGuide