Detections/AuditLogs/AuthenticationMethodChangedforPrivilegedAccount.yaml
| 1 | id: feb0a2fb-ae75-4343-8cbc-ed545f1da289 |
| 2 | name: Authentication Method Changed for Privileged Account |
| 3 | description: | |
| 4 | 'Identifies authentication methods being changed for a privileged account. This could be an indication of an attacker adding an auth method to the account so they can have continued access. |
| 5 | Ref : https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor-1' |
| 6 | severity: High |
| 7 | requiredDataConnectors: |
| 8 | - connectorId: AzureActiveDirectory |
| 9 | dataTypes: |
| 10 | - AuditLogs |
| 11 | - connectorId: BehaviorAnalytics |
| 12 | dataTypes: |
| 13 | - BehaviorAnalytics |
| 14 | queryFrequency: 2h |
| 15 | queryPeriod: 2h |
| 16 | triggerOperator: gt |
| 17 | triggerThreshold: 0 |
| 18 | tactics: |
| 19 | - Persistence |
| 20 | relevantTechniques: |
| 21 | - T1098 |
| 22 | tags: |
| 23 | - AADSecOpsGuide |
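query: |
  // Privileged accounts: every UPN in IdentityInfo whose assigned roles mention "Admin".
  // The list is lower-cased here, so anything compared against it must be lower-cased too.
  let VIPUsers = (IdentityInfo
    | where AssignedRoles contains "Admin"
    | summarize by tolower(AccountUPN));
  AuditLogs
  | where Category =~ "UserManagement"
  | where ActivityDisplayName =~ "User registered security info"
  | where LoggedByService =~ "Authentication Methods"
  // Target of the change and the IP of the initiating user (empty when InitiatedBy.user is absent,
  // e.g. an app-initiated change -- NOTE(review): confirm whether such events should still alert).
  | extend AccountCustomEntity = tostring(TargetResources[0].userPrincipalName), IPCustomEntity = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
  // `in` is case-sensitive; lower-case the target UPN so a mixed-case value still matches VIPUsers.
  | where tolower(AccountCustomEntity) in (VIPUsers)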
| 34 | entityMappings: |
| 35 | - entityType: Account |
| 36 | fieldMappings: |
| 37 | - identifier: FullName |
| 38 | columnName: AccountCustomEntity |
| 39 | - entityType: IP |
| 40 | fieldMappings: |
| 41 | - identifier: Address |
| 42 | columnName: IPCustomEntity |
| 43 | version: 1.0.0 |
| 44 | kind: Scheduled |