Query Details
id: 575db994-d562-4e3c-bfe7-bdb7ce5c673a
name: Changes to Azure Lighthouse delegation
description: |
  'Identifies when Azure Lighthouse is used to delegate resources for access through another Azure Active Directory tenant.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActivity
    dataTypes:
      - AzureActivity
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
relevantTechniques:
  - T1136
query: |
  AzureActivity
  | where OperationNameValue =~ "Microsoft.ManagedServices/registrationAssignments/Write"
  | summarize ActivityStatusValue=make_list(ActivityStatusValue), timestamp = max(TimeGenerated) by IPCustomEntity=CallerIpAddress, AccountCustomEntity=Caller, SubscriptionId, OperationNameValue, CorrelationId
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.0
kind: Scheduled

This query identifies when Azure Lighthouse is used to delegate resources for access through another Azure Active Directory tenant. It matches the Azure Resource Manager operation Microsoft.ManagedServices/registrationAssignments/Write, using the case-insensitive =~ operator because AzureActivity commonly records operation names in upper case, and summarizes the list of activity status values and the latest timestamp for each unique combination of caller IP address, caller account, subscription ID, operation name, and correlation ID. The rule runs once a day over the previous day of data, fires on any returned row (triggerOperator gt with threshold 0), and is rated medium severity. It is mapped to the Persistence tactic and technique T1136, and maps the Account and IP entities from the AccountCustomEntity and IPCustomEntity columns. Because every registration assignment write is returned, including the legitimate onboarding of a managed service provider, results should be compared against the tenants that are expected to hold delegations rather than treated as malicious on their own.
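To check what the rule returns before deploying it, the query logic can be replayed offline. The following Python re-implements the filter and summarize steps over a handful of constructed AzureActivity records; it is an added example, not part of the original rule or of Microsoft Sentinel, and the record values (IP addresses, callers, subscription and correlation IDs, timestamps) are made up for illustration.

```python
"""Offline replay of the 'Changes to Azure Lighthouse delegation' query.

Re-implements the KQL filter (=~) and summarize (make_list, max, by ...) over
constructed AzureActivity records so the grouping and alerting behaviour can be
checked without a Log Analytics workspace.
"""
from collections import defaultdict
from datetime import datetime

# Operation the rule looks for. KQL's =~ is a case-insensitive comparison, and
# AzureActivity commonly stores OperationNameValue in upper case, so the
# comparison below is case-folded as well.
TARGET_OPERATION = "Microsoft.ManagedServices/registrationAssignments/Write"

# Constructed sample records (not real telemetry). Column names follow the
# AzureActivity fields referenced by the query.
SAMPLE_AZURE_ACTIVITY = [
    # Start + Succeeded events of one delegation share a CorrelationId.
    {"TimeGenerated": "2022-03-24T09:15:02Z",
     "OperationNameValue": "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE",
     "ActivityStatusValue": "Start", "CallerIpAddress": "203.0.113.10",
     "Caller": "admin@contoso.example",
     "SubscriptionId": "11111111-1111-1111-1111-111111111111",
     "CorrelationId": "corr-0001"},
    {"TimeGenerated": "2022-03-24T09:15:09Z",
     "OperationNameValue": "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE",
     "ActivityStatusValue": "Succeeded", "CallerIpAddress": "203.0.113.10",
     "Caller": "admin@contoso.example",
     "SubscriptionId": "11111111-1111-1111-1111-111111111111",
     "CorrelationId": "corr-0001"},
    # Unrelated write operation; must be filtered out.
    {"TimeGenerated": "2022-03-24T10:02:44Z",
     "OperationNameValue": "MICROSOFT.AUTHORIZATION/ROLEASSIGNMENTS/WRITE",
     "ActivityStatusValue": "Succeeded", "CallerIpAddress": "203.0.113.10",
     "Caller": "admin@contoso.example",
     "SubscriptionId": "11111111-1111-1111-1111-111111111111",
     "CorrelationId": "corr-0002"},
    # Second delegation by a different caller, mixed-case operation name.
    {"TimeGenerated": "2022-03-24T17:40:13Z",
     "OperationNameValue": "Microsoft.ManagedServices/registrationAssignments/Write",
     "ActivityStatusValue": "Succeeded", "CallerIpAddress": "198.51.100.7",
     "Caller": "svc-msp-onboarding@fabrikam.example",
     "SubscriptionId": "11111111-1111-1111-1111-111111111111",
     "CorrelationId": "corr-0003"},
]


def _parse_time(value):
    """Parse the ISO-8601 TimeGenerated string into an aware datetime."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def run_detection(records):
    """Apply the rule's query to a list of AzureActivity-shaped dicts.

    Returns one row per (CallerIpAddress, Caller, SubscriptionId,
    OperationNameValue, CorrelationId) group, carrying make_list of the status
    values and the max TimeGenerated, mirroring the KQL summarize clause.
    """
    groups = defaultdict(lambda: {"ActivityStatusValue": [], "timestamp": None})
    for rec in records:
        # | where OperationNameValue =~ "...registrationAssignments/Write"
        if rec["OperationNameValue"].casefold() != TARGET_OPERATION.casefold():
            continue
        key = (rec["CallerIpAddress"], rec["Caller"], rec["SubscriptionId"],
               rec["OperationNameValue"], rec["CorrelationId"])
        group = groups[key]
        group["ActivityStatusValue"].append(rec["ActivityStatusValue"])
        ts = _parse_time(rec["TimeGenerated"])
        if group["timestamp"] is None or ts > group["timestamp"]:
            group["timestamp"] = ts

    rows = []
    for (ip, caller, sub, op, corr), group in groups.items():
        rows.append({"IPCustomEntity": ip, "AccountCustomEntity": caller,
                     "SubscriptionId": sub, "OperationNameValue": op,
                     "CorrelationId": corr, **group})
    return rows


def would_alert(rows):
    """triggerOperator: gt / triggerThreshold: 0 means any row fires the rule."""
    return len(rows) > 0


if __name__ == "__main__":
    for row in run_detection(SAMPLE_AZURE_ACTIVITY):
        print(row)
```

Replaying the four constructed records yields two rows: the Start and Succeeded events of the first delegation collapse into one row because they share a caller, IP, subscription and correlation ID, and the second caller's write forms another. The role-assignment write is dropped by the filter. Note that the summarize keys include OperationNameValue itself, so if a tenant ever logged the same operation in two different casings those events would land in separate rows even though =~ matched both.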

Fabian Bader
Released: March 25, 2022