Query Details

Monitor Privilege User SSPR

Query

// Monitor Privilege User SSPR

// In today's post by Merill, he explains how to use Maester to monitor SSPR settings for admin accounts.
// I agree that administrators holding sensitive roles should use only phishing-resistant authentication
// methods, which would remove the option of resetting their own passwords. However, not every organization
// has the cyber maturity to move all admins to phishing-resistant authentication yet, so SecOps should
// continue to monitor SSPR activity by privileged users in the Entra tenant. The KQL below provides that monitoring.

let queryperiod = 30d;    // look-back window for role assignments in IdentityInfo
let queryfrequency = 1h;  // run interval; only audit events from the last hour are evaluated
let PrivilegeUsers = (
    IdentityInfo
    | where TimeGenerated > ago(queryperiod)
    | mv-expand AssignedRoles
    // case-sensitive substring match: catches 'Global Administrator', 'Helpdesk Administrator', etc.
    | where tostring(AssignedRoles) matches regex 'Admin'
    | summarize by AccountUPN = tolower(AccountUPN));
AuditLogs
| where TimeGenerated > ago(queryfrequency)
| where ResultDescription == "User started self-service password reset operation."
// normalise casing so the UPN compares correctly against the lower-cased privileged list
| extend AccountUPN = tolower(tostring(InitiatedBy.user.userPrincipalName))
| extend IPAddress = tostring(InitiatedBy.user.ipAddress)
| where AccountUPN in (PrivilegeUsers)

// MITRE ATT&CK Mapping
// Privilege Escalation (T1078.004 - Valid Accounts: Cloud Accounts):
// The query identifies privileged users by checking for roles that match 'Admin'. This is related to the use of valid accounts with elevated privileges.
// Credential Access (T1110.001 - Brute Force):
// Monitoring self-service password reset operations can help detect potential brute force attempts or misuse of password reset functionalities.
// Defense Evasion (T1078 - Valid Accounts):
// By focusing on privileged accounts, the query helps in identifying if legitimate accounts are being used to evade detection mechanisms.
// Initial Access (T1078.004 - Valid Accounts: Cloud Accounts):
// The detection of self-service password reset operations by privileged users can indicate an initial access attempt using valid credentials.

Explanation

This KQL query is designed to monitor self-service password reset (SSPR) activities for privileged users (like administrators) in an Entra tenant. Here's a simple breakdown:

  1. Define Monitoring Periods:
    • queryperiod is set to 30 days (the look-back for role assignments).
    • queryfrequency is set to 1 hour (the window of audit events evaluated on each run).
  2. Identify Privileged Users:
    • The query looks at the IdentityInfo table for the past 30 days.
    • It expands the roles assigned to each user and filters for roles whose name contains 'Admin' (a case-sensitive match, so 'Global Administrator' and 'Helpdesk Administrator' both qualify).
    • It then builds a de-duplicated list of these privileged users by their lower-cased user principal names (UPNs).
  3. Monitor SSPR Activities:
    • The query checks the AuditLogs table for the past hour.
    • It looks for logs whose result description indicates that a user started an SSPR operation.
    • It normalizes the initiating UPN to lowercase, so it compares correctly against the privileged list, and extracts the IP address of the user initiating the reset.
    • It keeps only those events initiated by one of the previously identified privileged users.
  4. Security Context (MITRE ATT&CK Mapping):
    • Privilege Escalation: Identifies privileged users to monitor for misuse of elevated accounts.
    • Credential Access: Helps detect potential brute force attacks or misuse of SSPR.
    • Defense Evasion: Focuses on privileged accounts to spot if legitimate accounts are being used to bypass security.
    • Initial Access: Detects if SSPR operations by privileged users indicate an initial access attempt using valid credentials.

In summary, this query helps security operations teams monitor and detect potentially suspicious SSPR activities by privileged users, enhancing the security posture against various attack techniques.
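To check the matching rules offline (the lower-cased UPN comparison, the substring behaviour of matches regex 'Admin', and the two time windows), here is an added Python emulation of the query's two stages run over constructed IdentityInfo and AuditLogs records; it is not the page's KQL, and the tenant, UPNs and IP addresses are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 9, 3, 12, 0, tzinfo=timezone.utc)  # constructed evaluation time
QUERY_PERIOD, QUERY_FREQUENCY = timedelta(days=30), timedelta(hours=1)  # 30d look-back, 1h run window
SSPR_STARTED = "User started self-service password reset operation."
ADMIN_ROLE = re.compile("Admin")  # 'matches regex' is a case-sensitive substring search

# Constructed IdentityInfo rows; AssignedRoles stands in for the dynamic array column.
IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=2), "AccountUPN": "Alice.Admin@contoso.example",
     "AssignedRoles": ["Global Administrator"]},
    {"TimeGenerated": NOW - timedelta(days=5), "AccountUPN": "bob@contoso.example",
     "AssignedRoles": ["Helpdesk Administrator", "Directory Readers"]},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "carol@contoso.example",
     "AssignedRoles": ["Directory Readers"]},
    {"TimeGenerated": NOW - timedelta(days=45), "AccountUPN": "dave@contoso.example",
     "AssignedRoles": ["Global Administrator"]},  # older than queryperiod, so ignored
]

def _audit(minutes_ago, upn, ip, result=SSPR_STARTED):  # constructed AuditLogs row
    return {"TimeGenerated": NOW - timedelta(minutes=minutes_ago), "ResultDescription": result,
            "InitiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}}

AUDIT_LOGS = [
    _audit(10, "ALICE.ADMIN@contoso.example", "203.0.113.10"),  # privileged, upper-cased UPN
    _audit(20, "carol@contoso.example", "203.0.113.11"),        # not privileged
    _audit(180, "bob@contoso.example", "203.0.113.12"),         # privileged, but older than 1h
    _audit(5, "bob@contoso.example", "203.0.113.12", "Reset password (self-service)."),  # other op
]

def privileged_users(identity_info, now=NOW):
    """Stage 1: lower-cased UPNs holding any role that matches 'Admin' within queryperiod."""
    return {
        row["AccountUPN"].lower()
        for row in identity_info
        if row["TimeGenerated"] > now - QUERY_PERIOD
        and any(ADMIN_ROLE.search(role) for role in row["AssignedRoles"])  # mv-expand + regex
    }

def privileged_sspr_events(audit_logs, privileged, now=NOW):
    """Stage 2: SSPR-start events within queryfrequency initiated by a privileged UPN."""
    hits = []
    for row in audit_logs:
        user = row["InitiatedBy"]["user"]
        upn = user["userPrincipalName"].lower()  # tolower() before the 'in' check, as in the query
        if (row["TimeGenerated"] > now - QUERY_FREQUENCY
                and row["ResultDescription"] == SSPR_STARTED and upn in privileged):
            hits.append({"AccountUPN": upn, "IPAddress": user["ipAddress"]})
    return hits
```

Only Alice's event survives: Bob's SSPR start is outside the one-hour window and Carol holds no 'Admin' role, while the upper-cased UPN still matches because both sides are lower-cased.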

Details

Steven Lim

Released: September 3, 2024

Tables

IdentityInfo, AuditLogs

Keywords

PrivilegeUsers, SSPR, AdminAccounts, Authentication, SecOps, EntraTenant, IdentityInfo, AuditLogs, User, IPAddress, PrivilegeEscalation, CredentialAccess, DefenseEvasion, InitialAccess

Operators

let, ago, mv-expand, matches regex, summarize, tolower, where, extend, in