Query Details

Rule : User Reported MFA Suspicious Activity

MFA Suspicious

Query

AuditLogs
| where Category == "UserManagement"
| where ActivityDisplayName <> "Update user"
| where OperationName contains "reported"
| extend username = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| join kind=inner (
    // Get sign-in logs that match the username
    SigninLogs
    | extend username = UserPrincipalName
    | project username, IPAddress, TimeGenerated
) on username
| distinct TimeGenerated, username, ActivityDisplayName, OperationName, IPAddress

About this query

Explanation

Summary of the Query

This query is designed to detect suspicious user management activities in Azure Active Directory (AAD) by analyzing audit logs and correlating them with sign-in logs. Here's a simplified breakdown:

  1. Purpose: To identify potential unauthorized access by flagging unusual user management activities that are reported as suspicious.
  2. Focus: It looks for activities in the audit logs that:
    • Are categorized under "UserManagement".
    • Are not related to updating user profiles.
    • Contain terms indicating they were reported as suspicious.
  3. Correlation: It cross-references these suspicious activities with sign-in logs to gather additional details like IP addresses and timestamps, which helps in investigating potential account compromises.

Detection Logic

  • Audit Logs:
    • Filter for user management activities (Category == "UserManagement").
    • Exclude activities related to updating user profiles (ActivityDisplayName <> "Update user").
    • Include only those operations that are reported as suspicious (OperationName contains "reported").
  • Sign-in Logs:
    • Match the suspicious activities with sign-in logs based on the username.
    • Retrieve corresponding IP addresses and timestamps of the sign-ins.

Query Breakdown

  1. Filter Audit Logs:
    • Look for user management activities that are not typical updates and are reported as suspicious.
  2. Extract Username:
    • Parse the username from the InitiatedBy field in the audit logs.
  3. Join with Sign-in Logs:
    • Match the extracted usernames with sign-in logs to get IP addresses and timestamps.
  4. Output:
    • Display distinct records of the suspicious activities along with the associated sign-in details.

Tags

  • User Management
  • Account Compromise
  • Azure Active Directory
  • Suspicious Activity
  • Audit Logs
  • Sign-In Logs
  • Security Investigation

Important Note

The query might miss activities where the IP addresses are not present in the sign-in logs. The first part of the query (filtering audit logs) can be used independently as a detection rule.

Details

Ali Hussein profile picture

Ali Hussein

Released: August 14, 2024

Tables

AuditLogsSigninLogs

Keywords

UserManagementAccountCompromiseAzureActiveDirectorySuspiciousActivityAuditLogsSign-InSecurityInvestigation

Operators

==<>containsextendtostringparse_jsonjoinkindprojectdistinct

Actions

GitHub