Query Details

ATP Detection For Critical Identities

Query

// ATP Detection for Critical Identities
// https://www.linkedin.com/posts/activity-7190937404625584128-hgdO/

// Custom DefenderXDR detection for CloudApp Advanced Threat Protection for Tier 0 Critical Identities giving you a comprehensive all-round threat monitoring. 

let HighlyPrivilegedAdmins =
ExposureGraphNodes
| where set_has_element(Categories, "identity")
| where isnotnull(NodeProperties.rawData.criticalityLevel) and 
NodeProperties.rawData.criticalityLevel.criticalityLevel==0 
| extend EntraObjectID = NodeProperties.rawData.accountObjectId
| project EntraObjectID;
CloudAppEvents
| where ActionType == "AtpDetection"
| extend DetectionMethod = tostring(RawEventData.DetectionMethod)
| extend AccountUpn = RawEventData.UserId
| where AccountUpn has_any(HighlyPrivilegedAdmins)

//MITRE ATT&CK Mapping
//Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query is identifying and monitoring highly privileged accounts, which aligns with the technique of using valid accounts for persistence and privilege escalation1.
// T1071 - Application Layer Protocol:
// The CloudAppEvents table and the AtpDetection action type suggest monitoring for suspicious activities in cloud applications, which can involve the use of application layer protocols2.
// T1087 - Account Discovery:
// The query involves discovering highly privileged accounts, which aligns with the technique of account discovery3.
// T1057 - Process Discovery:
// The detection method and user ID extensions indicate monitoring for specific processes or actions taken by privileged accounts4.

Explanation

This query is designed to detect potential threats involving highly privileged accounts (Tier 0 Critical Identities) using Microsoft Defender for Cloud Apps. Here's a simplified breakdown of what the query does:

  1. Identify Highly Privileged Accounts:

    • It first identifies accounts with a criticality level of 0, which are considered highly privileged, from a dataset called ExposureGraphNodes.
    • It extracts the unique identifiers (EntraObjectID) for these accounts.
  2. Monitor Cloud Application Events:

    • It then looks at events in the CloudAppEvents table where the action type is "AtpDetection," indicating that these are advanced threat protection detections.
    • It checks if any of these events involve the highly privileged accounts identified earlier.
  3. MITRE ATT&CK Techniques:

    • The query is related to several MITRE ATT&CK techniques:
      • T1078 - Valid Accounts: It monitors the use of valid, highly privileged accounts, which could be used for unauthorized access or privilege escalation.
      • T1071 - Application Layer Protocol: It involves monitoring cloud application activities, which may use application layer protocols.
      • T1087 - Account Discovery: It identifies and monitors highly privileged accounts, aligning with the technique of discovering accounts.
      • T1057 - Process Discovery: The query extends detection methods and user IDs, suggesting monitoring of specific actions or processes by these accounts.

Overall, this query helps in comprehensive threat monitoring by focusing on critical identities and their activities in cloud applications.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

ExposureGraphNodesCloudAppEvents

Keywords

ExposureGraphNodesCategoriesNodePropertiesCloudAppEventsActionTypeRawEventDataEntraObjectIDAccountUpnDetectionMethod

Operators

letset_has_elementwhereisnotnulland==extendtostringprojecthas_any

MITRE Techniques

Actions

GitHub