Detections/AuditLogs/AccountCreatedDeletedByNonApprovedUser.yaml
| 1 | id: 6d63efa6-7c25-4bd4-a486-aa6bf50fde8a |
| 2 | name: Account created or deleted by non-approved user |
| 3 | description: | |
| 4 | 'Identifies accounts that were created or deleted by a defined list of non-approved user principal names. Add to this list before running the query for accurate results. |
| 5 | Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts' |
| 6 | severity: Medium |
| 7 | requiredDataConnectors: # the query reads only the AAD AuditLogs table |
| 8 | - connectorId: AzureActiveDirectory |
| 9 | dataTypes: |
| 10 | - AuditLogs |
| 11 | queryFrequency: 1d # run interval; equal to queryPeriod, so consecutive runs cover adjacent, non-overlapping windows |
| 12 | queryPeriod: 1d # lookback window per run |
| 13 | triggerOperator: gt # together with triggerThreshold 0: alert whenever the query returns at least one row |
| 14 | triggerThreshold: 0 |
| 15 | tactics: |
| 16 | - InitialAccess |
| 17 | relevantTechniques: |
| 18 | - T1078.004 # Valid Accounts: Cloud Accounts |
| 19 | tags: |
| 20 | - AADSecOpsGuide |
| 21 | query: | |
| 22 | // Add non-approved user principal names to the list below to search for their account creation/deletion activity |
| 23 | // ex: dynamic(["UPN1", "upn123"]) |
| 24 | let nonapproved_users = dynamic([]); // empty by default: has_any() below then matches nothing, so the rule is silent until this list is populated |
| 25 | AuditLogs |
| 26 | | where OperationName == "Add user" or OperationName == "Delete user" // == is case-sensitive equality on the audit operation name |
| 27 | | where Result == "success" // only completed operations are kept; failed attempts are not surfaced by this rule |
| 28 | | extend InitiatingUser = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName) // NOTE(review): operations initiated by an app/service principal populate InitiatedBy.app, not .user; those rows end up with an empty InitiatingUser and are dropped by the next filter — confirm this scope is intended |
| 29 | | where InitiatingUser has_any (nonapproved_users) // has_any is term-based and case-insensitive, not exact UPN equality; use in~ if an exact match is required |
| 30 | | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources |
| 31 | | extend AccountCustomEntity = InitiatingUser, IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress) // columns consumed by entityMappings below; IP is the initiator's address as recorded in the audit event |
| 32 | entityMappings: # maps the two extended columns from the query onto Sentinel entities |
| 33 | - entityType: Account |
| 34 | fieldMappings: |
| 35 | - identifier: FullName |
| 36 | columnName: AccountCustomEntity |
| 37 | - entityType: IP |
| 38 | fieldMappings: |
| 39 | - identifier: Address |
| 40 | columnName: IPCustomEntity |
| 41 | version: 1.0.1 |
| 42 | kind: Scheduled |