Query Details

Suspicious activity from unknown or risky IP addresses to Azure AD SSPR

Suspicious SSPR Activity

Query

let SignInLookback = 14d;
let SSPRLookback = 1d;
let maxTimeBetweenSSPRandSigninInMinutes=7*24*60; // per Default max. difference is set to 7 Days
AuditLogs
| where TimeGenerated >= ago(SSPRLookback)
| where LoggedByService == "Self-service Password Management" and ResultDescription == "User completed all verification steps required to reset their password"
| extend AccountType = tostring(TargetResources[0].type), UserPrincipalName = tolower(tostring(TargetResources[0].userPrincipalName)),
  TargetResourceName = tolower(tostring(TargetResources[0].displayName)), SSPRSourceIP = tostring(InitiatedBy.user.ipAddress)
| project UserPrincipalName, SSPRSourceIP, SSPRAttemptTime = TimeGenerated, CorrelationId
| join kind= leftouter (
    union AADNonInteractiveUserSignInLogs, SigninLogs
    | where datetime_add('minute',maxTimeBetweenSSPRandSigninInMinutes,TimeGenerated) >= ago(SignInLookback)
    | where ResultType == "0"
    | where RiskLevelAggregated == "none" or RiskLevelDuringSignIn == "none"
    | extend TrustedIP = tostring(IPAddress)
    | project UserPrincipalName=tolower(UserPrincipalName), TrustedIP, SignInTime = TimeGenerated
) on UserPrincipalName
| where SSPRAttemptTime > coalesce(SignInTime, datetime(0))
| extend TimeDifferenceInMinutes= iif(SSPRSourceIP==TrustedIP,datetime_diff("Minute",SignInTime,SSPRAttemptTime), 0), Match=SSPRSourceIP==TrustedIP
| where TimeDifferenceInMinutes >= -maxTimeBetweenSSPRandSigninInMinutes
| summarize  SignInsFromTheSameIP=countif(Match), min(TimeDifferenceInMinutes) by UserPrincipalName, CorrelationId, SSPRAttemptTime, SSPRSourceIP   //SignInsFromTheSameIP=0 if no sign in came from the IP used for SSPR in the last maxTimeBetweenSSPRandSigninInMinutes
| where SignInsFromTheSameIP == "0"
| project timestamp = SSPRAttemptTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = SSPRSourceIP

Explanation

This query is designed to detect suspicious activity related to password reset attempts in Azure Active Directory (Azure AD). Here's a simplified breakdown:

  1. Purpose: The query identifies instances where a user attempts to reset their password from an IP address that hasn't been used for a successful sign-in without risk in the past 14 days.

  2. Severity: The alert is considered medium severity, indicating a potential security concern that should be investigated.

  3. Data Sources: It uses data from Azure AD's sign-in logs and non-interactive user sign-in logs to gather information about user sign-ins and password reset attempts.

  4. Time Frame: The query looks back over the last 14 days for sign-in activity and the last day for password reset attempts.

  5. Logic:

    • It checks for password reset attempts completed successfully through Azure AD's Self-Service Password Reset (SSPR) service.
    • It then compares the IP address used for the password reset attempt with IP addresses used for previous successful sign-ins.
    • If the IP address used for the password reset hasn't been used for a successful sign-in in the past 7 days, it flags this as suspicious.
  6. Output: The query outputs the time of the password reset attempt, the user's principal name, and the IP address used for the attempt.

  7. Entity Mappings: It maps the user and IP address to entities for further investigation.

Overall, this query helps identify potentially unauthorized password reset attempts from unfamiliar or risky IP addresses, which could indicate an attempt to gain unauthorized access to a user's account.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: April 9, 2024

Tables

AuditLogsAADNonInteractiveUserSignInLogsSigninLogs

Keywords

AzureActiveDirectoryAuditLogsUserIPAddressPasswordManagementAccountSignin

Operators

letagodatetime_addunionwhereextendtostringtolowerprojectjoinoncoalescedatetimeiifdatetime_diffsummarizecountifmin

Severity

Medium

Tactics

InitialAccessCredentialAccess

MITRE Techniques

Frequency: 1d

Period: 14d

Actions

GitHub