Query Details

Detect Privilege Admin Under AiTM Attack

Query

// Detect Privilege Admin under AiTM attack
// https://www.linkedin.com/posts/0x534c_sentinel-privilegeadmin-aitm-activity-7227603649688952832--1Id/
// Sentinel rule trigger => Run Playbook "Disable User Account"
// A simple and effective offline detection and mitigation strategy.

// Build the list of accounts that currently hold at least one Entra ID directory role.
// IdentityInfo is a snapshot table (UEBA), so the same account can appear several times;
// take the latest row per AccountObjectId so that roles removed since an older snapshot
// do not keep an account on the privileged list.
let PrivilegeAdmin =
    IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountObjectId
    | where isnotempty(AccountUPN)
    // AssignedRoles is a dynamic array; accounts with no role serialise as "[]".
    | where isnotempty(AssignedRoles) and AssignedRoles != "[]"
    | distinct AccountUPN;
// Entra ID Protection (P2) raises RiskEventType "attackerinTheMiddle" when a sign-in
// is attributed to an AiTM phishing proxy. Match the risked UPN against the admin list;
// has_any accepts a single-column tabular expression such as PrivilegeAdmin.
AADUserRiskEvents
| where RiskEventType == "attackerinTheMiddle"
| where UserPrincipalName has_any (PrivilegeAdmin)

// #Sentinel #PrivilegeAdmin #AiTM #IdentityProtection #Entra #PremiumDetection

Explanation

This KQL (Kusto Query Language) query detects an Entra ID Protection "Attacker in the Middle" (AiTM) risk event raised against a privileged admin account. Here's a simplified breakdown:

  1. Identify Privileged Admins:

    • The query first identifies users with assigned Entra ID directory roles (privileged admins) from the IdentityInfo table, which is populated by Microsoft Sentinel UEBA.
    • It drops users whose AssignedRoles array is empty and creates a distinct list of the remaining admin UPNs. Because IdentityInfo is a snapshot table, the latest row per account should be used so that an account whose role was removed is not still treated as privileged.
  2. Detect AiTM Attacks:

    • It then checks the AADUserRiskEvents table for risk events of type "attackerinTheMiddle". This detection is produced by Entra ID Protection and requires an Entra ID P2 licence (hence the "PremiumDetection" tag).
    • It filters these events to those whose UserPrincipalName is in the list of privileged admins identified earlier.
  3. Action:

    • When the analytic rule fires, it runs a playbook that disables the affected user account. The response is "offline" in the sense that it does not block the AiTM session inline; it contains the account after the risk event is written, so the attacker's stolen session token may already have been used for a short window, and any refresh tokens should be revoked alongside the disable.

In essence, this query helps in detecting and responding to AiTM attacks targeting privileged admin accounts by disabling the compromised accounts to prevent further damage. Because the playbook acts on admin accounts automatically, exclude break-glass (emergency access) accounts from the PrivilegeAdmin list before enabling it.
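The same three steps, as an added example that is not part of the original post or the author's query, expressed in Python over constructed sample rows so the logic can be checked offline. The IdentityInfo and AADUserRiskEvents rows, the tenant name contoso.example and all object IDs are hypothetical; the functions mirror the `let PrivilegeAdmin` block (latest snapshot per account, non-empty AssignedRoles) and the AADUserRiskEvents filter, including the latest-snapshot edge case where an account's role was removed after an older snapshot:

```python
import json

# Constructed sample rows standing in for the Sentinel IdentityInfo table (hypothetical data).
# IdentityInfo is a snapshot table: the same account can appear several times with different
# AssignedRoles, so only the latest row per AccountObjectId reflects current role membership.
# Timestamps are ISO 8601 UTC strings of identical shape, so string comparison orders them.
IDENTITY_INFO = [
    {"TimeGenerated": "2024-08-01T10:00:00Z", "AccountObjectId": "aaa-1",
     "AccountUPN": "alice@contoso.example", "AssignedRoles": '["Global Administrator"]'},
    {"TimeGenerated": "2024-08-05T10:00:00Z", "AccountObjectId": "bbb-2",
     "AccountUPN": "bob@contoso.example", "AssignedRoles": '["Security Reader"]'},
    # Carol held a role in an older snapshot but has since been removed from it.
    {"TimeGenerated": "2024-07-20T10:00:00Z", "AccountObjectId": "ccc-3",
     "AccountUPN": "carol@contoso.example", "AssignedRoles": '["Exchange Administrator"]'},
    {"TimeGenerated": "2024-08-06T10:00:00Z", "AccountObjectId": "ccc-3",
     "AccountUPN": "carol@contoso.example", "AssignedRoles": "[]"},
    {"TimeGenerated": "2024-08-06T10:00:00Z", "AccountObjectId": "ddd-4",
     "AccountUPN": "dave@contoso.example", "AssignedRoles": "[]"},
]

# Constructed sample rows standing in for AADUserRiskEvents (hypothetical data).
RISK_EVENTS = [
    {"TimeGenerated": "2024-08-08T09:12:00Z", "UserPrincipalName": "Alice@contoso.example",
     "RiskEventType": "attackerinTheMiddle", "RiskLevel": "high"},
    {"TimeGenerated": "2024-08-08T09:15:00Z", "UserPrincipalName": "carol@contoso.example",
     "RiskEventType": "attackerinTheMiddle", "RiskLevel": "high"},
    {"TimeGenerated": "2024-08-08T09:20:00Z", "UserPrincipalName": "bob@contoso.example",
     "RiskEventType": "unfamiliarFeatures", "RiskLevel": "medium"},
    {"TimeGenerated": "2024-08-08T09:25:00Z", "UserPrincipalName": "dave@contoso.example",
     "RiskEventType": "attackerinTheMiddle", "RiskLevel": "high"},
]


def privileged_admins(identity_rows):
    """Mirror of the `let PrivilegeAdmin = ...` block: keep the latest snapshot per
    AccountObjectId, then keep only accounts whose AssignedRoles array is non-empty.
    Returns the set of lower-cased UPNs."""
    latest = {}
    for row in identity_rows:
        oid = row["AccountObjectId"]
        if oid not in latest or row["TimeGenerated"] > latest[oid]["TimeGenerated"]:
            latest[oid] = row
    admins = set()
    for row in latest.values():
        roles = json.loads(row["AssignedRoles"] or "[]")  # "[]" -> empty list
        if roles and row["AccountUPN"]:
            admins.add(row["AccountUPN"].lower())
    return admins


def aitm_hits_on_admins(risk_rows, admins):
    """Mirror of the AADUserRiskEvents part: AiTM risk events whose UPN is on the admin
    list. UPNs are compared case-insensitively, as KQL's in~ / has_any would."""
    return [r for r in risk_rows
            if r["RiskEventType"] == "attackerinTheMiddle"
            and r["UserPrincipalName"].lower() in admins]


def accounts_to_disable(identity_rows, risk_rows):
    """The set the "Disable User Account" playbook would act on: one UPN per admin
    with at least one AiTM detection, sorted for stable output."""
    admins = privileged_admins(identity_rows)
    return sorted({r["UserPrincipalName"].lower()
                   for r in aitm_hits_on_admins(risk_rows, admins)})


if __name__ == "__main__":
    for upn in accounts_to_disable(IDENTITY_INFO, RISK_EVENTS):
        print(f"disable: {upn}")
```

Only alice is returned: bob's risk event is not an AiTM detection, dave holds no role, and carol's latest IdentityInfo snapshot shows her role was removed, which is exactly the row a naive scan of every snapshot would wrongly keep.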

Details


Steven Lim

Released: August 9, 2024

Tables

IdentityInfo, AADUserRiskEvents

Keywords

Sentinel, PrivilegeAdmin, AiTM, IdentityProtection, Entra, PremiumDetection

Operators

let, !=, distinct, |, ==, has_any
