Query Details

Attacker In The Middle Precision Detection

Query

// Attacker in the Middle Precision Detection

//** A premium detection requiring Entra P2 license **

// Beginning in July 2024, the 'Attacker in the Middle' detection is generally available in Identity Protection. Combined with the 'Anomalous Token' detection, this offline detection gives high-precision coverage of a malicious actor replaying a stolen token: Entra ID Identity Protection raises a security alert named 'Anomalous Token', and the correlated user risk event for the same request carries the 'attackerinTheMiddle' risk event type. This query returns only the risk events where both signals agree.

let AnomalousTokenRequestId=
SecurityAlert
| where AlertName == "Anomalous Token"
| mv-expand todynamic(Entities)                   // one row per entity object in the alert's Entities JSON array
| project Entities
| extend RequestId = tostring(Entities.RequestId)
| where isnotempty(RequestId)                     // entities that carry no RequestId (accounts, IPs) expand to ""
| distinct RequestId;
AADUserRiskEvents
| where RequestId has_any(AnomalousTokenRequestId)
| where RiskEventType =~ "attackerinTheMiddle"    // case-insensitive: the value is written attackerinTheMiddle in the risk event, attackerInTheMiddle in some documentation

// #Sentinel #AiTM #AnomalousToken #IdentityProtection #Entra #PremiumDetection

Explanation

This query is designed to detect a specific type of security threat known as "Attacker in the Middle" (AiTM) within Microsoft Entra Identity Protection. Here's a simplified breakdown:

  1. Context:

    • This detection is a premium feature that requires an Entra ID P2 license.
    • It combines the offline "Attacker in the Middle" detection with the "Anomalous Token" detection to identify a malicious actor replaying a stolen token.
  2. Process:

    • The query first selects all security alerts named "Anomalous Token".
    • It expands each alert's Entities array and collects the distinct RequestId values found in those entities.
    • It then returns the user risk events whose RequestId matches one of those values and whose risk event type is "attackerinTheMiddle".
  3. Outcome:

    • Each row returned is an "Anomalous Token" alert that Identity Protection has corroborated with an "attackerinTheMiddle" risk event for the same request. That agreement between the two detections is the high-precision signal that a token replay attempt has occurred.

In summary, this query helps in identifying and raising alerts for sophisticated token replay attacks by combining different detection methods within Microsoft Entra Identity Protection.
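As an added example, not part of the original query or the author's page, the same correlation can be exercised against two constructed datatable() inputs shaped like SecurityAlert and AADUserRiskEvents before it is deployed as an analytics rule. The sample rows, RequestId GUIDs, user names and the RiskLevel column are all invented for the demonstration; the isnotempty() filter, the in() membership test and the case-insensitive =~ comparison are choices made here, not taken from the page.

```kql
// Constructed sample alerts (not real data). Entities is a JSON array string, as in SecurityAlert;
// the second entity in each row carries the RequestId the correlation relies on.
let SampleSecurityAlert = datatable(TimeGenerated:datetime, AlertName:string, Entities:string)
[
    datetime(2024-08-01 10:00:00), "Anomalous Token",
        '[{"$id":"1","Type":"account","Name":"jdoe"},{"$id":"2","RequestId":"11111111-aaaa-4bbb-8ccc-111111111111"}]',
    datetime(2024-08-01 11:00:00), "Anomalous Token",
        '[{"$id":"1","Type":"account","Name":"asmith"},{"$id":"2","RequestId":"22222222-aaaa-4bbb-8ccc-222222222222"}]',
    datetime(2024-08-01 12:00:00), "Unfamiliar sign-in properties",
        '[{"$id":"1","Type":"account","Name":"bjones"},{"$id":"2","RequestId":"33333333-aaaa-4bbb-8ccc-333333333333"}]',
];
// Constructed sample risk events (not real data), shaped like AADUserRiskEvents.
let SampleRiskEvents = datatable(TimeGenerated:datetime, UserPrincipalName:string, RequestId:string, RiskEventType:string, RiskLevel:string)
[
    datetime(2024-08-01 09:58:00), "jdoe@contoso.com",   "11111111-aaaa-4bbb-8ccc-111111111111", "attackerinTheMiddle", "high",
    datetime(2024-08-01 10:58:00), "asmith@contoso.com", "22222222-aaaa-4bbb-8ccc-222222222222", "anomalousToken",      "medium",
    datetime(2024-08-01 11:58:00), "bjones@contoso.com", "33333333-aaaa-4bbb-8ccc-333333333333", "attackerinTheMiddle", "high",
];
// Step 1: collect the RequestIds referenced by Anomalous Token alerts.
let AnomalousTokenRequestId =
    SampleSecurityAlert
    | where AlertName == "Anomalous Token"
    | mv-expand Entity = todynamic(Entities)      // one row per entity object in the array
    | extend RequestId = tostring(Entity.RequestId)
    | where isnotempty(RequestId)                 // account and IP entities have no RequestId and expand to ""
    | distinct RequestId;
// Step 2: keep only risk events that share one of those RequestIds and are typed as AiTM.
SampleRiskEvents
| where RequestId in (AnomalousTokenRequestId)    // exact membership on the full correlation key
| where RiskEventType =~ "attackerinTheMiddle"    // case-insensitive, so the casing of the enum value does not matter
| project TimeGenerated, UserPrincipalName, RequestId, RiskEventType, RiskLevel
```

Run as-is in the Sentinel Logs blade, only the jdoe row is returned: asmith's request has a matching Anomalous Token alert but the risk event is of a different type, and bjones's risk event has the right type but its alert is not an Anomalous Token alert. To turn it back into the live query, replace the two sample tables with SecurityAlert and AADUserRiskEvents. in() is used here rather than has_any() because the RequestId is a complete GUID and exact set membership is the cheaper and stricter test; has_any() performs term matching and would also accept the same GUIDs.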

Details


Steven Lim

Released: August 7, 2024

Tables

SecurityAlert, AADUserRiskEvents

Keywords

SecurityAlert, AADUserRiskEvents, AnomalousTokenRequestId, Entities, RequestId, AlertName, RiskEventType, AnomalousToken, IdentityProtection, Entra, PremiumDetection

Operators

let, ==, |, mv-expand, todynamic, project, extend, tostring, distinct, has_any
