Query Details

Multiple Sensitive Account Authentication In AD FS From Unexpected Device

Query

let query_frequency = 1h;
let query_period = 14d;
let _ExpectedDomain = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "DomainJoinedLDAP"
    | summarize make_list(Auxiliar)
);
let _ExpectedAuthentications = toscalar(
    _GetWatchlist("Activity-ExpectedSignificantActivity")
    | where Activity == "SensitiveAccountUnexpectedDeviceADFSAuth"
    | summarize RegEx = make_set(strcat(regex_quote(ActorPrincipalName), SourceResource))
    | extend RegEx = strcat(@"^(", strcat_array(RegEx, "|"), @")$")
);
let _Identities =
    IdentityInfo
    | where TimeGenerated > ago(query_period)
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | extend AccountUPN = tolower(AccountUPN)
;
IdentityLogonEvents
| where TimeGenerated > ago(query_frequency)
| where ActionType == "LogonSuccess" and Protocol in ("Adfs", "Ntlm") and isnotempty(DeviceName) and not(DeviceName has_any (_ExpectedDomain))
| mv-expand BinTimeGenerated = range(bin(TimeGenerated, 1s) - 1s, bin(TimeGenerated, 1s) + 1s, 1s) to typeof(datetime)
| summarize hint.shufflekey=BinTimeGenerated
    TimeGenerated = min(TimeGenerated),
    Protocols = array_sort_asc(make_set(Protocol)),
    DeviceNames = array_sort_asc(make_set(DeviceName)),
    DeviceNamesSample = array_sort_asc(make_set_if(DeviceName, not(DeviceName matches regex @"\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}"))),
    LogonTypes = array_sort_asc(make_list(LogonType)),
    AccountSid = make_set_if(AccountSid, isnotempty(AccountSid))
    by AccountUpn, BinTimeGenerated
| where Protocols has_all ("Adfs", "Ntlm") and LogonTypes has_all ("Logon with ADFS authentication", "Resource access")
| summarize take_any(*) by AccountUpn, TimeGenerated
| extend AccountUpn = tolower(AccountUpn)
| lookup kind=leftouter (_Identities | where isnotempty(AccountUPN)) on $left.AccountUpn == $right.AccountUPN
| where SourceSystem has "ActiveDirectory"
    or UserAccountControl has "PasswordNeverExpires"
    or (isempty(SourceSystem) and isempty(UserAccountControl))
| extend DeviceName = iff(array_length(DeviceNamesSample) == 1, tostring(DeviceNamesSample[0]), "")
| where not(strcat(AccountUpn, DeviceName) matches regex _ExpectedAuthentications)
| project
    TimeGenerated,
    AccountUpn,
    DeviceNames,
    DeviceName,
    LogonTypes,
    Protocols,
    UserAccountControl,
    AccountDisplayName,
    JobTitle,
    Manager,
    Department,
    OnPremisesDistinguishedName,
    Tags,
    GroupMembership,
    AssignedRoles,
    SourceSystem,
    AccountSid,
    AccountSID,
    AccountObjectId

Explanation

This query is designed to identify potentially suspicious logon events in an organization's network by analyzing identity logon events over a specified period. Here's a simplified breakdown of what the query does:

  1. Setup and Definitions:

    • It defines a query_frequency of 1 hour and a query_period of 14 days.
    • It retrieves expected domain names and authentication patterns from a watchlist called "Activity-ExpectedSignificantActivity".
  2. Identity Information:

    • It gathers the most recent identity information for each user (identified by AccountUPN) from the IdentityInfo table within the last 14 days.
  3. Logon Event Filtering:

    • It filters IdentityLogonEvents from the last hour where the logon was successful, used specific protocols (Adfs, Ntlm), and occurred on devices not in the expected domain list.
    • It expands the time range slightly around each event to ensure accurate binning.
  4. Event Summarization:

    • It summarizes the logon events by user and time, capturing details like protocols used, device names, and logon types.
    • It filters for events where both ADFS and NTLM protocols were used, and specific logon types were present.
  5. Identity Matching and Filtering:

    • It matches the summarized logon events with identity information to enrich the data.
    • It filters out events based on certain conditions related to the source system and user account control settings.
  6. Unexpected Authentication Detection:

    • It checks if the combination of user and device name matches any expected authentication patterns. If not, it flags these as potentially suspicious.
  7. Output:

    • It projects a set of fields including time, user information, device details, logon types, protocols, and additional identity attributes for further analysis or alerting.

Overall, this query is used to detect unusual or unexpected logon activities that might indicate security issues, such as unauthorized access attempts or compromised accounts.

Details

Jose Sebastián Canós profile picture

Jose Sebastián Canós

Released: December 26, 2023

Tables

Activity-ExpectedSignificantActivityIdentityInfoIdentityLogonEvents

Keywords

ActivityDevicesIdentityLogonEventsAccountUserManagerDepartmentGroupMembershipRolesSourceSystem

Operators

lettoscalarwheresummarizemake_listmake_setstrcatregex_quoteextendtoloweragoarg_maxbinisnotemptyhas_anymv-expandrangetypeofdatetimehint.shufflekeyminarray_sort_ascmake_set_ifmatchesregextake_anylookupkindleftouteron$left==$righthasorisemptyiffarray_lengthtostringnotproject

Actions

GitHub