Query Details

UEBA Behavior Anomaly On Application Management

Query

// List of (active/permanent) Directory role member with with enriched classification from EntraOps Privileged EAM
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
    | where Classification.EAMTierLevelName != "Unclassified"
    | extend EAMTierLevelName = Classification.EAMTierLevelName
    | project RoleName, isPrivileged, EAMTierLevelName;
let AllUsers = IdentityInfo
    | where TimeGenerated > ago(14d)
    | mv-expand AssignedRoles
    | extend RoleName = tostring(AssignedRoles)
    | join kind=leftouter (SensitiveEntraDirectoryRoles) on RoleName
    | extend EnterpriseAccessModelLevel = iff(isempty(EAMTierLevelName), "UserAccess", EAMTierLevelName)
    | summarize
        EnterpriseAccessModelTiering = make_set(EnterpriseAccessModelLevel),
        PastRoleAssignments = make_set(RoleName),
        PastRiskLevel = make_set(RiskLevel),
        PastRiskState = make_set(RiskState)
        by UserId = AccountObjectId, UserPrincipalName = AccountUPN, IsAccountEnabled;
BehaviorAnalytics
| where TimeGenerated > ago(1h)
| where ActivityType == "ApplicationManagement"
| join kind=inner (AllUsers) on UserPrincipalName
// Increase severity if investigation priority is larger than 1 and risk on level Medium or High has been detected by the user in the past 14 days or user has no privileged directory role in the past or 
| extend Severity = iff(InvestigationPriority > 1 and (EnterpriseAccessModelTiering[0] == "UserAccess" or (PastRiskState[0] == "AtRisk" and (PastRiskLevel contains "Medium" or PastRiskLevel contains "High"))), "Low", "Informational")
// Step up severity to "High" if actor is Control Plane administrator
| extend Severity = iff(EnterpriseAccessModelTiering contains "ControlPlane" and Severity != "Informational", "Medium", Severity)
// Informational events will be filtered and not considered for incidents
| where Severity != "Informational"
| mv-expand parse_json(ActivityInsights)
| where ActivityInsights !contains "False"
| project
    Severity,
    TimeGenerated,
    InvestigationPriority,
    ActivityType,
    ActionType,
    ActivityInsights,
    EnterpriseAccessModelTiering,
    UserPrincipalName,
    SourceIPAddress,
    PastRoleAssignments,
    PastRiskLevel,
    PastRiskState,
    Type

Explanation

This query is part of a scheduled detection rule for identifying unusual behavior related to application management activities using User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:

  1. Data Sources:

    • It uses data from the IdentityInfo table and an external JSON file containing information about sensitive directory roles.
  2. User Role and Risk Assessment:

    • It checks users' role assignments and risk levels over the past 14 days.
    • Users are categorized based on their directory roles and risk levels. If a user has no privileged role or has a medium or high-risk level, they are flagged.
  3. Behavior Analysis:

    • It looks for application management activities in the last hour.
    • It joins this data with user information to assess the user's role and risk context.
  4. Severity Assignment:

    • If a user has a high investigation priority and certain risk conditions, the event is marked as "Low" severity.
    • If the user is a "Control Plane" administrator, the severity is increased to "Medium".
    • Events with "Informational" severity are filtered out and not used for incident creation.
  5. Incident Creation:

    • Incidents are created for events with a severity higher than "Informational".
    • The incidents are configured not to group multiple alerts into a single incident.
  6. Alert Customization:

    • Alerts are customized with specific details like the type of activity, action, and insights about the anomaly.
  7. Entity Mapping:

    • The query maps user accounts and IP addresses to their respective fields for better identification in alerts.

Overall, this query is designed to detect and alert on potentially risky behavior related to application management, considering user roles and risk levels, and escalating incidents based on predefined conditions.

Details

Thomas Naunheim profile picture

Thomas Naunheim

Released: November 18, 2023

Tables

IdentityInfoBehaviorAnalytics

Keywords

UEBABehaviorAnomalyApplicationManagementActorEntraIDRoleRiskyUserRiskLevelMediumHighIncidentSeverityDirectoryMicrosoftSentinelIdentityInfoAccountObjectIdAccountUPNBehaviorAnalyticsActivityTypeApplicationManagementInvestigationPriorityEnterpriseAccessModelTieringControlPlaneAdministratorActivityInsightsSourceIPAddress

Operators

externaldatawithwhereextendprojectmv-expandjoinkind=leftouterkind=inneriffsummarizemake_setcontainsparse_json!contains

Severity

Medium

Frequency: 1h

Period: 14d

Actions

GitHub