UEBA Behavior Anomaly On Application Management
Query
// List of (active/permanent) Directory role member with with enriched classification from EntraOps Privileged EAM
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = Classification.EAMTierLevelName
| project RoleName, isPrivileged, EAMTierLevelName;
let AllUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
| join kind=leftouter (SensitiveEntraDirectoryRoles) on RoleName
| extend EnterpriseAccessModelLevel = iff(isempty(EAMTierLevelName), "UserAccess", EAMTierLevelName)
| summarize
EnterpriseAccessModelTiering = make_set(EnterpriseAccessModelLevel),
PastRoleAssignments = make_set(RoleName),
PastRiskLevel = make_set(RiskLevel),
PastRiskState = make_set(RiskState)
by UserId = AccountObjectId, UserPrincipalName = AccountUPN, IsAccountEnabled;
BehaviorAnalytics
| where TimeGenerated > ago(1h)
| where ActivityType == "ApplicationManagement"
| join kind=inner (AllUsers) on UserPrincipalName
// Increase severity if investigation priority is larger than 1 and risk on level Medium or High has been detected by the user in the past 14 days or user has no privileged directory role in the past or
| extend Severity = iff(InvestigationPriority > 1 and (EnterpriseAccessModelTiering[0] == "UserAccess" or (PastRiskState[0] == "AtRisk" and (PastRiskLevel contains "Medium" or PastRiskLevel contains "High"))), "Low", "Informational")
// Step up severity to "High" if actor is Control Plane administrator
| extend Severity = iff(EnterpriseAccessModelTiering contains "ControlPlane" and Severity != "Informational", "Medium", Severity)
// Informational events will be filtered and not considered for incidents
| where Severity != "Informational"
| mv-expand parse_json(ActivityInsights)
| where ActivityInsights !contains "False"
| project
Severity,
TimeGenerated,
InvestigationPriority,
ActivityType,
ActionType,
ActivityInsights,
EnterpriseAccessModelTiering,
UserPrincipalName,
SourceIPAddress,
PastRoleAssignments,
PastRiskLevel,
PastRiskState,
TypeExplanation
This query is part of a scheduled detection rule for identifying unusual behavior related to application management activities using User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:
-
Data Sources:
- It uses data from the
IdentityInfotable and an external JSON file containing information about sensitive directory roles.
- It uses data from the
-
User Role and Risk Assessment:
- It checks users' role assignments and risk levels over the past 14 days.
- Users are categorized based on their directory roles and risk levels. If a user has no privileged role or has a medium or high-risk level, they are flagged.
-
Behavior Analysis:
- It looks for application management activities in the last hour.
- It joins this data with user information to assess the user's role and risk context.
-
Severity Assignment:
- If a user has a high investigation priority and certain risk conditions, the event is marked as "Low" severity.
- If the user is a "Control Plane" administrator, the severity is increased to "Medium".
- Events with "Informational" severity are filtered out and not used for incident creation.
-
Incident Creation:
- Incidents are created for events with a severity higher than "Informational".
- The incidents are configured not to group multiple alerts into a single incident.
-
Alert Customization:
- Alerts are customized with specific details like the type of activity, action, and insights about the anomaly.
-
Entity Mapping:
- The query maps user accounts and IP addresses to their respective fields for better identification in alerts.
Overall, this query is designed to detect and alert on potentially risky behavior related to application management, considering user roles and risk levels, and escalating incidents based on predefined conditions.
Details

Thomas Naunheim
Released: November 18, 2023
Tables
IdentityInfoBehaviorAnalytics
Keywords
UEBABehaviorAnomalyApplicationManagementActorEntraIDRoleRiskyUserRiskLevelMediumHighIncidentSeverityDirectoryMicrosoftSentinelIdentityInfoAccountObjectIdAccountUPNBehaviorAnalyticsActivityTypeApplicationManagementInvestigationPriorityEnterpriseAccessModelTieringControlPlaneAdministratorActivityInsightsSourceIPAddress
Operators
externaldatawithwhereextendprojectmv-expandjoinkind=leftouterkind=inneriffsummarizemake_setcontainsparse_json!contains
Severity
MediumFrequency: 1h
Period: 14d