Query Details

KQL Sniper For Compromised Account Sentinel UEBA

Query

// KQL Sniper for Compromised Account (Sentinel UEBA) 
// https://www.linkedin.com/posts/activity-7199442661735374850-GqAK/

// The KQL script provided demonstrates a high level of precision in detecting a breached account by employing Sentinel UEBA analytics, given that every criterion within the conditions is satisfied. 🎯

BehaviorAnalytics
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel=tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntel contains "IP Address used for validating compromised Entra ID credentials"
| where SourceDevice == "" and ActivityType != "FailedLogOn"
| where InvestigationPriority > 0
| project TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, SourceIPLocation, UsersInsights, DevicesInsights, ActivityInsights

Explanation

This KQL query is designed to detect compromised accounts using Sentinel User and Entity Behavior Analytics (UEBA). Here's a simplified summary:

  1. Data Source: It starts by querying the BehaviorAnalytics table.
  2. Time Frame: It looks at data from the past 90 days.
  3. Filtering for Threat Indicators: It keeps only records whose DevicesInsights field carries a threat intelligence indicator (the text ThreatIntelIndicatorType appears in it).
  4. Specific Threat Description: It further narrows down to records where the threat intelligence description mentions an IP address used for validating compromised Entra ID credentials.
  5. Additional Conditions: It keeps only records where the source device is empty (the activity was not tied to a known device) and the activity type is not FailedLogOn, so failed sign-in attempts are dropped.
  6. Priority Check: It only includes records with an investigation priority greater than zero.
  7. Selected Fields: Finally, it selects and displays specific fields: TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, SourceIPLocation, UsersInsights, DevicesInsights, and ActivityInsights.

In essence, this query surfaces high-priority UEBA activity records that point to a compromised account, based on a specific threat intelligence match combined with the device and activity conditions above.
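To check the detection logic before deploying it as an analytics rule, here is an added KQL harness (not part of the original post) that feeds constructed rows through the same pipeline: the table, user names, device name and IP addresses are made up, each row is built to fail exactly one condition except the first, and the project list is shortened to the columns the harness defines.

```kusto
// Constructed rows standing in for BehaviorAnalytics; TiDesc becomes
// DevicesInsights.ThreatIntelIndicatorDescription, an empty TiDesc means no TI hit.
let TestRows = datatable(
    MinutesAgo:long, ActivityType:string, SourceDevice:string, InvestigationPriority:int,
    UserPrincipalName:string, SourceIPAddress:string, TiDesc:string
) [
    // 1: every condition holds -> the only row expected in the result
    10, "LogOn", "", 7, "alice@contoso.example", "203.0.113.10",
        "IP Address used for validating compromised Entra ID credentials",
    // 2: same indicator, but the sign-in failed -> dropped by ActivityType != "FailedLogOn"
    20, "FailedLogOn", "", 7, "alice@contoso.example", "203.0.113.10",
        "IP Address used for validating compromised Entra ID credentials",
    // 3: activity tied to a known device -> dropped by SourceDevice == ""
    30, "LogOn", "LAPTOP-01", 7, "bob@contoso.example", "203.0.113.10",
        "IP Address used for validating compromised Entra ID credentials",
    // 4: UEBA scored the activity 0 -> dropped by InvestigationPriority > 0
    40, "LogOn", "", 0, "carol@contoso.example", "203.0.113.10",
        "IP Address used for validating compromised Entra ID credentials",
    // 5: a TI indicator with a different description -> dropped by the ThreatIntel filter
    50, "LogOn", "", 5, "dave@contoso.example", "198.51.100.5", "Tor exit node",
    // 6: no TI indicator at all -> dropped by the DevicesInsights filter
    60, "LogOn", "", 5, "erin@contoso.example", "192.0.2.25", "",
    // 7: a genuine hit older than 90 days (about 139 days) -> dropped by the time filter
    200000, "LogOn", "", 9, "frank@contoso.example", "203.0.113.10",
        "IP Address used for validating compromised Entra ID credentials"
];
TestRows
| extend TimeGenerated = ago(1m * MinutesAgo)
// shape DevicesInsights the way UEBA does: a property bag, with TI keys only on a hit
| extend DevicesInsights = iff(isempty(TiDesc), dynamic({"DeviceType": "Workstation"}),
    bag_pack("ThreatIntelIndicatorType", "IP", "ThreatIntelIndicatorDescription", TiDesc))
// the detection logic from above, unchanged apart from the table name and project list
| where TimeGenerated > ago(90d)
| where DevicesInsights contains "ThreatIntelIndicatorType"
| extend ThreatIntel = tostring(DevicesInsights.ThreatIntelIndicatorDescription)
| where ThreatIntel contains "IP Address used for validating compromised Entra ID credentials"
| where SourceDevice == "" and ActivityType != "FailedLogOn"
| where InvestigationPriority > 0
| project TimeGenerated, InvestigationPriority, UserPrincipalName, SourceIPAddress, DevicesInsights
// expected result: one row, alice@contoso.example from 203.0.113.10 with priority 7
```

Pasting this into a Sentinel or Azure Data Explorer query window and getting anything other than the single alice row means the filter chain was altered in a way that changes its precision.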

Details


Steven Lim

Released: August 2, 2024

Tables

BehaviorAnalytics

Keywords

BehaviorAnalytics, Devices, ThreatIntel, UserActivity

Operators

BehaviorAnalytics, |, where, >, ago, contains, extend, tostring, ==, !=, project
