Query Details

Threat Intelligence Data From Sentinel UEBA2

Query

// Threat Intelligence Data from Sentinel UEBA
// https://www.linkedin.com/posts/activity-7216452632528183298-MPGG/

// Are you curious to know which ISP in the world is brute force attacking your Entra tenant the most in the past 90 days? 🤔 If you have Sentinel UEBA enabled, the below KQL query will tell you the answer. I was rather surprised to see my no. 1 brute force attacker ISP when the KQL query gave me answer. 😅

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ISP = tostring(DevicesInsights.ISP)
| extend BruteForcer = tostring(ActivityInsights.UnusualNumberOfDistinctUsersFailedSignInFromIPAddress)
| where BruteForcer == "True"
| where ISP != ""
| summarize Count=count() by ISP
| sort by Count desc

// MITRE ATT&CK Mapping

// Based on the analysis, the KQL query is primarily focused on detecting brute force attacks. Here are the relevant MITRE ATT&CK techniques:

// Brute Force:
// Technique ID: T1110
// Description: Adversaries may use brute force techniques to attempt to gain access to accounts by systematically guessing passwords.
// Indicator of Compromise (IOC):
// Technique ID: T1071
// Description: This involves detecting indicators of compromise, such as unusual numbers of failed sign-ins from a single IP address.
// Data from Information Repositories:
// Technique ID: T1213
// Description: This involves extracting and analyzing data from information repositories, such as threat intelligence indicators.

Explanation

This KQL query is designed to identify which Internet Service Provider (ISP) has been conducting the most brute force attacks on your Entra tenant over the past 90 days, using data from Microsoft Sentinel's User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:

  1. Data Source: It uses the BehaviorAnalytics table, which contains insights on user and device behavior.

  2. Time Frame: It filters the data to include only the last 90 days.

  3. Threat Intelligence: It looks for entries that contain threat intelligence indicators related to brute force attacks.

  4. ISP Identification: It extracts the ISP information from the data.

  5. Brute Force Detection: It checks for unusual numbers of failed sign-in attempts from a single IP address, indicating a brute force attack.

  6. Data Filtering: It ensures that only entries with valid ISP information are considered.

  7. Counting and Sorting: It counts the number of brute force incidents per ISP and sorts them in descending order to identify the ISP with the highest number of attacks.

The query also maps to specific MITRE ATT&CK techniques, focusing on brute force attacks (T1110), indicators of compromise (T1071), and data extraction from information repositories (T1213).

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalyticsDevicesInsightsActivityInsightsISPBruteForcerCount

Operators

wherecontainsextendtostringsummarizecountsortdescago!===

MITRE Techniques

Actions

GitHub