Cloud Persistence Activities by User At Risk
Cloud Persistence Activity By User At Risk
Query
// Define PersistenceEvents, list can be appended with other events or your choosing
let PersistenceEvents = dynamic(["add member", "add device", "register device", "add service principal", "update service principal", "add user", "enable account", "add group", "Invite external user", "Add application", "add app", "User registered security info"]);
let RiskyUsers = AADRiskyUsers
| where TimeGenerated > ago(90d)
| summarize arg_max(TimeGenerated, *) by Id
// Only user active risky users. If you want to look for all users that have been risky, remove the line below.
| where RiskState in~ ('atRisk', 'confirmedCompromised')
| distinct UserDisplayName;
AuditLogs
// Filter only on the RiskyUsers defined
| where Identity in~ (RiskyUsers)
// Filter on DiscoveryEvents
| where OperationName has_any (PersistenceEvents)
| project TimeGenerated, Identity, OperationName, Category, ResultDescription, ResultAbout this query
Explanation
This query is designed to identify potentially malicious activities in a cloud environment by focusing on users who are considered "at risk." Here's a simple breakdown of what the query does:
-
Define Persistence Events: It starts by defining a list of activities that could indicate persistence attempts by an attacker, such as adding members, devices, or users, and updating service principals. These actions can help an attacker maintain access to the environment.
-
Identify Risky Users: It looks at users flagged as "at risk" or "confirmed compromised" within the last 90 days. These are users who have shown signs of risky behavior or have been confirmed to be compromised.
-
Filter Audit Logs: The query then filters audit logs to find actions performed by these risky users that match the defined persistence events.
-
Output: It outputs details such as the time of the event, the user involved, the type of operation performed, and the result of the operation.
The goal is to help security teams quickly identify and investigate users who might be compromised and are performing actions that could allow them to maintain unauthorized access to the cloud environment. If malicious activity is confirmed, the recommendation is to disable the user account to prevent further unauthorized access.
