Microsoft Entra Identity Attack Threat Detection
Query
//Microsoft Entra Identity Attack Threat Detection
//https://www.linkedin.com/pulse/microsoft-entra-identity-attack-threat-detection-steven-lim-tycnc/
let companydomain = "@contoso.com"; //update your corporate domain
AzureActivity
| where TimeGenerated > ago(1h)
| where CategoryValue == "Administrative"
| where Caller contains "@" and Caller !contains companydomain
// MITRE ATT&CK Mapping
// This query can be associated with the following MITRE ATT&CK techniques:
// T1078 - Valid Accounts:
// Description: Adversaries may use valid accounts to gain access to and perform actions within systems, networks, and services.
//Relevance: The query detects administrative actions by users outside the corporate domain, which could indicate the use of compromised or unauthorized accounts.
// T1087 - Account Discovery:
// Description: Adversaries may attempt to get a listing of local system or domain accounts.
// Relevance: Monitoring administrative activities helps in identifying unauthorized account usage.
// T1098 - Account Manipulation:
// Description: Adversaries may manipulate accounts to maintain access to credentials and permissions.
// Relevance: Detecting administrative actions by external users can help identify attempts to manipulate accounts.
// T1110 - Brute Force:
// Description: Adversaries may use brute force techniques to attempt access to accounts.
// Relevance: Unusual administrative activities by external users could indicate brute force attempts.Explanation
This query is designed to monitor and detect potential security threats related to administrative activities in a Microsoft Azure environment. Here's a simple breakdown of what it does:
-
Domain Filtering: It sets a specific corporate domain (e.g., "@contoso.com") to identify which users belong to the company.
-
Time Frame: It looks at activities that have occurred in the last hour.
-
Activity Type: It focuses on activities categorized as "Administrative," which typically involve changes or configurations that could impact the system.
-
User Filtering: It filters out activities performed by users whose email addresses contain an "@" symbol but do not belong to the specified corporate domain. This helps identify actions taken by users outside the organization.
-
Security Implications: The query is linked to several MITRE ATT&CK techniques, which are common tactics used by adversaries:
- T1078 (Valid Accounts): Detects if external users are performing administrative actions, which might indicate compromised or unauthorized account usage.
- T1087 (Account Discovery): Helps identify unauthorized account usage by monitoring administrative activities.
- T1098 (Account Manipulation): Aims to spot attempts to manipulate accounts by detecting administrative actions from external users.
- T1110 (Brute Force): Unusual administrative activities by external users could suggest brute force attempts to access accounts.
In summary, this query helps identify potentially suspicious administrative actions by users outside the corporate domain, which could indicate security threats such as compromised accounts or unauthorized access attempts.
