Query Details

Sentinel All In One UPN Threat Hunt

Query

// Sentinel All-In-One UPN ThreatHunt
// https://www.linkedin.com/pulse/microsoft-sentinel-kql-solo-leveling-steven-lim-8hsqc/

// This KQL query searches across these Sentinel log tables for the UPN variable that is defined at the start:
// Anomalies, CloudAppEvents, CommonSecurityLog, DeviceEvents, DeviceFileEvents, DeviceLogonEvents, AzureActivity, EmailEvents, OfficeActivity, SecurityEvent, BehaviorAnalytics

let upn = "[email protected]";
search in (Anomalies,CloudAppEvents,CommonSecurityLog,DeviceEvents,DeviceFileEvents,DeviceLogonEvents,AzureActivity,
EmailEvents,OfficeActivity,SecurityEvent,BehaviorAnalytics)
TimeGenerated between (ago(1d) .. now())
and (
// ** Events initiated by this UPN **
UserPrincipalName == upn                        // Anomalies, BehaviorAnalytics 
or tostring(RawEventData.UserId) == upn         // CloudAppEvents 
or SourceUserName == upn                        // CommonSecurityLog
or AccountName == upn                           // DeviceEvents
or InitiatingProcessAccountUpn  == upn          // DeviceFileEvents, DeviceLogonEvents  
or Caller == upn                                // AzureActivity
or RecipientEmailAddress == upn                 // EmailEvents
or SenderMailFromAddress == upn                 // EmailEvents
or UserId == upn                                // OfficeActivity
or Entities contains upn                        // SecurityEvent
) 

// MITRE ATT&CK Mapping

// Based on the fields and data sources used in the KQL query, here are some potential MITRE ATT&CK techniques that could be detected:

// T1078 - Valid Accounts: The query checks for events where the UPN is used, which can help identify the use of valid accounts across different services and logs.
// T1059 - Command and Scripting Interpreter: If the DeviceEvents or DeviceFileEvents tables include script execution logs, this technique could be relevant.
// T1071 - Application Layer Protocol: The EmailEvents table checks for email activities, which can be mapped to this technique if emails are used for command and control.
// T1106 - Execution: The DeviceLogonEvents and DeviceFileEvents tables can help detect execution of processes or files.
// T1110 - Brute Force: The SecurityEvent table can be used to detect brute force attempts if it includes authentication logs.
// T1040 - Network Sniffing: If CommonSecurityLog includes network traffic logs, this technique could be relevant.
// T1087 - Account Discovery: The AzureActivity table can help detect account discovery activities in Azure environments.

Explanation

This KQL (Kusto Query Language) query is designed to search for activities associated with a specific user, identified by their User Principal Name (UPN), across various log tables in Microsoft Sentinel. Here's a simplified breakdown of what the query does:

  1. Define the User: The query starts by specifying a particular user with the UPN "[email protected]".

  2. Search Across Logs: It searches for any events related to this user across multiple log tables, including:

    • Anomalies
    • CloudAppEvents
    • CommonSecurityLog
    • DeviceEvents
    • DeviceFileEvents
    • DeviceLogonEvents
    • AzureActivity
    • EmailEvents
    • OfficeActivity
    • SecurityEvent
    • BehaviorAnalytics
  3. Time Frame: The search is limited to events that occurred within the last day.

  4. User Activity: The query looks for various types of user activities, such as:

    • Logins
    • File access
    • Email sending/receiving
    • Azure activities
    • Security events
  5. MITRE ATT&CK Techniques: The query can help identify potential security threats by mapping detected activities to known MITRE ATT&CK techniques, such as:

    • Use of valid accounts
    • Script execution
    • Email-based command and control
    • Process execution
    • Brute force attacks
    • Network sniffing
    • Account discovery

In essence, this query is a comprehensive threat-hunting tool that helps security analysts monitor and investigate user activities across different platforms and services to detect potential security incidents.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

AnomaliesCloudAppEventsCommonSecurityLogDeviceEventsDeviceFileEventsDeviceLogonEventsAzureActivityEmailEventsOfficeActivitySecurityEventBehaviorAnalytics

Keywords

AnomaliesCloudAppEventsCommonSecurityLogDeviceEventsDeviceFileEventsDeviceLogonEventsAzureActivityEmailEventsOfficeActivitySecurityEventBehaviorAnalyticsUserPrincipalNameRawEventDataUserIdSourceUserNameAccountNameInitiatingProcessAccountUpnCallerRecipientEmailAddressSenderMailFromAddressEntities

Operators

letsearchinbetweenagonowand==tostringcontains

Actions

GitHub