Query Details

KQL Sniper For Compromised Account Sentinel UEBA

Query

// KQL Sniper for Compromised Account (Sentinel UEBA) 
// https://www.linkedin.com/posts/activity-7199442661735374850-GqAK/

// The KQL script provided demonstrates a high level of precision in detecting a breached account by employing Sentinel UEBA analytics, given that every criterion within the conditions is satisfied. 🎯

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel=tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntel contains "IP Address used for validating compromised Entra ID credentials"
| where SourceDevice == "" and ActivityType != "FailedLogOn"
| where InvestigationPriority > 0
| project TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, SourceIPLocation, UsersInsights, DevicesInsights, ActivityInsights

// MITRE ATT&CK Mapping

// Based on the KQL code, the following MITRE ATT&CK techniques are relevant:

// T1078 - Valid Accounts:
// The query looks for IP addresses used for validating compromised Entra ID credentials, which aligns with the use of valid accounts by adversaries.
// T1071 - Application Layer Protocol:
// The use of IP addresses for validation may involve application layer protocols.
// T1087 - Account Discovery:
// The query involves identifying user principal names, which is related to account discovery.
// T1057 - Process Discovery:
// Although not directly mentioned, the investigation of devices and activities can relate to process discovery.
// T1589 - Gather Victim Identity Information:
// The query gathers information about user identities and their associated activities.

Explanation

This KQL query is designed to detect compromised accounts using Sentinel's User and Entity Behavior Analytics (UEBA). Here's a simplified breakdown of what the query does:

  1. Time Frame: It looks at data from the last 90 days.
  2. Threat Detection: It searches for entries in the BehaviorAnalytics table where the DevicesInsights field indicates a threat related to "ThreatIntelIndicatorType".
  3. Specific Threat: It focuses on threats where the description mentions an "IP Address used for validating compromised Entra ID credentials".
  4. Filter Conditions: It excludes entries where the SourceDevice is empty and the ActivityType is not "FailedLogOn".
  5. Priority: It only considers incidents with a positive InvestigationPriority.
  6. Output: The query projects (selects) specific fields for further analysis: TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, SourceIPLocation, UsersInsights, DevicesInsights, and ActivityInsights.

Additionally, the query is mapped to several MITRE ATT&CK techniques, which are frameworks used to understand and categorize cyber threats:

  • T1078 - Valid Accounts: The query identifies IP addresses used for validating compromised credentials, which is related to the use of valid accounts by attackers.
  • T1071 - Application Layer Protocol: The validation process may involve application layer protocols.
  • T1087 - Account Discovery: It involves identifying user principal names, which is part of discovering accounts.
  • T1057 - Process Discovery: Although not directly mentioned, analyzing device and activity insights can relate to discovering processes.
  • T1589 - Gather Victim Identity Information: The query collects information about user identities and their activities.

In summary, this query is a precise tool for identifying potentially compromised accounts by analyzing specific threat indicators and user activities, and it aligns with known cyber threat techniques.

Details

Steven Lim profile picture

Steven Lim

Released: August 25, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalyticsDevicesInsightsThreatIntelIndicatorDescriptionSourceDeviceActivityTypeInvestigationPriorityUserPrincipalNameSourceIPAddressSourceIPLocationUsersInsightsActivityInsights

Operators

BehaviorAnalyticswhereagocontainsextendtostringproject

Actions

GitHub