Query Details

MFA Suspicious

Query

# Rule: User Reported MFA Suspicious Activity

## Description
This detection rule surfaces Azure Active Directory (AAD, now Microsoft Entra ID) audit-log events in which a user reported an MFA prompt as suspicious, and correlates them with sign-in logs so an investigator gets a single view of the possibly unauthorized access. It keys on `UserManagement` audit events that are not routine profile updates (`Update user`) and whose operation name contains the word "reported".

Azure AD's "Report suspicious activity" feature lets a user who receives an MFA prompt they did not initiate (an Authenticator push or a voice call) flag it, and the report is written to the audit log for administrators to investigate. This rule consumes those audit events. A report of an unexpected prompt usually means someone other than the user has already satisfied the first factor, so the password is likely compromised and any change to the account around that time deserves scrutiny.

Cross-referencing each report with the user's sign-in events supplies the IP address and time of the sign-ins around the report, which is what an investigator needs to confirm the compromise and scope the response.

- [Microsoft Tech Community on Reporting Suspicious Activity](https://techcommunity.microsoft.com/t5/microsoft-entra/report-suspicious-activity-preview/m-p/3751886)

## Detection Logic
- Monitors `AuditLogs` for user-reported suspicious activity, where:
  - the `Category` is `"UserManagement"`,
  - the `ActivityDisplayName` is not `"Update user"` (routine profile edits are excluded),
  - the `OperationName` contains `"reported"` (`contains` is case-insensitive in KQL).
- Correlates those events with `SigninLogs` on the user principal name to attach the IP addresses and timestamps of that user's sign-ins. The match is on username only, so bound it in time (for example, sign-ins in the hour before the report); otherwise each report is paired with every sign-in by that user in the query period.

## Tags
- User Management
- Account Compromise
- Azure Active Directory
- Suspicious Activity
- Audit Logs
- Sign-In Logs
- Security Investigation

## Search Query
```kql
// Sign-ins inside this window before a report are treated as "related"
let lookback = 1h;
AuditLogs
| where Category == "UserManagement"
| where ActivityDisplayName <> "Update user"
| where OperationName contains "reported"
| extend username = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| project ReportTime = TimeGenerated, username, ActivityDisplayName, OperationName
| join kind=leftouter (
    // Sign-in logs for the same user; rename columns so they do not collide with the audit side
    SigninLogs
    | project username = UserPrincipalName, IPAddress, SigninTime = TimeGenerated
) on username
// Flag sign-ins inside the window; a report with no matching sign-in still survives the left outer join
| extend inWindow = iff(SigninTime between ((ReportTime - lookback) .. ReportTime), true, false)
| summarize RelatedSigninIPs = make_set_if(IPAddress, inWindow),
            LastRelatedSignin = maxif(SigninTime, inWindow)
    by ReportTime, username, ActivityDisplayName, OperationName
| order by ReportTime desc
```
Note:
Sign-in details can only be attached when the reporting user has rows in `SigninLogs`; the audit-log filter (the first part of the query, before the join) is a usable detection rule on its own.

Explanation

Summary of the Query

This query is designed to detect suspicious user management activities in Azure Active Directory (AAD) by analyzing audit logs and correlating them with sign-in logs. Here's a simplified breakdown:

  1. Purpose: To identify potential unauthorized access by flagging unusual user management activities that are reported as suspicious.
  2. Focus: It looks for activities in the audit logs that:
    • Are categorized under "UserManagement".
    • Are not related to updating user profiles.
    • Contain terms indicating they were reported as suspicious.
  3. Correlation: It cross-references these suspicious activities with sign-in logs to gather additional details like IP addresses and timestamps, which helps in investigating potential account compromises.

Detection Logic

  • Audit Logs:
    • Filter for user management activities (Category == "UserManagement").
    • Exclude activities related to updating user profiles (ActivityDisplayName <> "Update user").
    • Include only those operations that are reported as suspicious (OperationName contains "reported").
  • Sign-in Logs:
    • Match the suspicious activities with sign-in logs based on the username.
    • Retrieve corresponding IP addresses and timestamps of the sign-ins.

Query Breakdown

  1. Filter Audit Logs:
    • Look for user management activities that are not typical updates and are reported as suspicious.
  2. Extract Username:
    • Parse the username from the InitiatedBy field in the audit logs.
  3. Join with Sign-in Logs:
    • Match the extracted usernames with sign-in logs to get IP addresses and timestamps.
  4. Output:
    • Display distinct records of the suspicious activities along with the associated sign-in details.
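The four steps above, re-implemented in Python and run over a few constructed AuditLogs and SigninLogs records so the join semantics can be checked offline. This is an added example, not code from the original page or from the rule's author; KQL cannot be executed without a workspace, which is why Python is used. Field names mirror the Sentinel columns the rule reads (Category, ActivityDisplayName, OperationName, InitiatedBy, UserPrincipalName, IPAddress, TimeGenerated); the sample events, the "reported" operation name in them, and the one-hour correlation window are assumptions made for the example. It goes one step beyond the page's query by bounding the correlation in time and keeping reports whose user has no sign-in rows, the case the page's note warns about.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional

# Sign-ins inside this window before a report are treated as "related".
# The window is an assumption for this example; the KQL on the page joins
# on username alone and has no time bound.
LOOKBACK = timedelta(hours=1)


def is_reported_event(event: dict) -> bool:
    """Mirror the three AuditLogs filters of the rule.

    KQL 'contains' is case-insensitive, so the operation name is lower-cased;
    '==' and '<>' in KQL are case-sensitive, as the comparisons here are."""
    return (
        event.get("Category") == "UserManagement"
        and event.get("ActivityDisplayName") != "Update user"
        and "reported" in str(event.get("OperationName", "")).lower()
    )


def initiating_upn(event: dict) -> Optional[str]:
    """Equivalent of tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)."""
    user = (event.get("InitiatedBy") or {}).get("user") or {}
    return user.get("userPrincipalName")


def correlate(audit_logs: list, signin_logs: list, lookback: timedelta = LOOKBACK) -> list:
    """One result per qualifying audit event, carrying the IPs and latest time of the
    reporting user's sign-ins inside the lookback window before the report.

    A report whose user has no sign-in in the window is kept with an empty IP list;
    an inner join on username alone would drop it, or pair it with every sign-in
    that user made in the query period."""
    signins_by_user: dict = {}
    for s in signin_logs:
        signins_by_user.setdefault(s["UserPrincipalName"], []).append(s)

    results = []
    for e in audit_logs:
        if not is_reported_event(e):
            continue
        upn = initiating_upn(e)
        if upn is None:            # event not initiated by a user (e.g. an app); nothing to join on
            continue
        report_time = e["TimeGenerated"]
        related = [
            s for s in signins_by_user.get(upn, [])
            if report_time - lookback <= s["TimeGenerated"] <= report_time
        ]
        results.append({
            "ReportTime": report_time,
            "username": upn,
            "ActivityDisplayName": e["ActivityDisplayName"],
            "OperationName": e["OperationName"],
            "RelatedSigninIPs": sorted({s["IPAddress"] for s in related}),
            "LastRelatedSignin": max((s["TimeGenerated"] for s in related), default=None),
        })
    return sorted(results, key=lambda r: r["ReportTime"])


# Constructed sample records (not real log data). The operation name is chosen only
# to satisfy the rule's filter, not copied from a tenant.
T0 = datetime(2024, 8, 14, 9, 0, tzinfo=timezone.utc)
SAMPLE_AUDIT_LOGS = [
    {   # qualifying report; alice has one sign-in inside the window and one outside
        "TimeGenerated": T0 + timedelta(minutes=30), "Category": "UserManagement",
        "ActivityDisplayName": "Suspicious activity reported",
        "OperationName": "Suspicious activity reported",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
    },
    {   # qualifying report; bob has no sign-ins at all
        "TimeGenerated": T0 + timedelta(minutes=45), "Category": "UserManagement",
        "ActivityDisplayName": "Suspicious activity reported",
        "OperationName": "Suspicious activity reported",
        "InitiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
    },
    {   # excluded by ActivityDisplayName <> "Update user"
        "TimeGenerated": T0 + timedelta(minutes=50), "Category": "UserManagement",
        "ActivityDisplayName": "Update user", "OperationName": "Update user",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
    },
    {   # excluded because OperationName does not contain "reported"
        "TimeGenerated": T0 + timedelta(minutes=55), "Category": "UserManagement",
        "ActivityDisplayName": "Add user", "OperationName": "Add user",
        "InitiatedBy": {"user": {"userPrincipalName": "alice@contoso.example"}},
    },
]
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": T0 + timedelta(minutes=10), "UserPrincipalName": "alice@contoso.example", "IPAddress": "203.0.113.7"},
    {"TimeGenerated": T0 - timedelta(hours=3),    "UserPrincipalName": "alice@contoso.example", "IPAddress": "198.51.100.5"},
    {"TimeGenerated": T0 + timedelta(minutes=20), "UserPrincipalName": "dave@contoso.example",  "IPAddress": "192.0.2.44"},
]

if __name__ == "__main__":
    for row in correlate(SAMPLE_AUDIT_LOGS, SAMPLE_SIGNIN_LOGS):
        print(row["ReportTime"].isoformat(), row["username"], row["RelatedSigninIPs"], row["LastRelatedSignin"])
```

Running it yields two rows: alice's report with the single in-window IP 203.0.113.7 (the sign-in three hours earlier is ignored), and bob's report with an empty IP list rather than no row at all. The two non-report audit events are filtered out before the join, which is the audit-only detection the page's note says can stand alone.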

Important Note

Sign-in details can only be attached when the reporting user has rows in the sign-in logs. The first part of the query (the audit-log filter, before the join) can be used independently as a detection rule.

Details

Ali Hussein

Released: August 14, 2024

Tables

AuditLogs, SigninLogs

Keywords

User Management, Account Compromise, Azure Active Directory, Suspicious Activity, Audit Logs, Sign-In Logs, Security Investigation

Operators

==, <>, contains, extend, tostring, parse_json, join, kind, project, distinct