Query Details
//This query identifies new Entra ID audit operations in the last 7 days vs the previous 90 days
//Helps detect potential security events and anomalous behaviors
//MITRE ATT&CK: T1078, T1098, T1556
AuditLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(7d)
| distinct OperationName
| join kind=rightanti (
    AuditLogs
    | where TimeGenerated > ago(7d)
    | summarize NewAzureADAuditOperations=count() by OperationName, Category)
    on OperationName
| sort by NewAzureADAuditOperations desc

This query identifies audit operations in Entra ID (formerly known as Azure Active Directory) that appear in the last 7 days but did not occur at all in the baseline window before that (between 90 and 7 days ago). A previously unseen operation name can be an early sign of account compromise or persistence. The techniques the query is mapped to are T1078 (Valid Accounts), T1098 (Account Manipulation) and T1556 (Modify Authentication Process), which typically surface in the directory as credential additions, role or group changes, and changes to authentication or federation settings. Note that the query does not filter on those techniques: it flags every operation name that is new in the recent window, and the analyst maps the hits to techniques during triage.
Here's a breakdown of what the query does:
Time Filtering: It first takes the audit logs from 90 days ago up to 7 days ago and reduces them to the distinct operation names seen in that baseline.
Comparison: A rightanti join keeps only the rows from the right side (the last 7 days) whose OperationName has no match in the baseline; because the join is rightanti, only the right side's columns are returned, which is why NewAzureADAuditOperations and Category come through.
Counting New Operations: The right side is aggregated with count() by OperationName and Category before the join, so each new operation is reported once per category together with how many times it occurred in the last 7 days.
Sorting: Finally, it sorts the new operations by that count in descending order, so the most frequent new operations appear first. A single occurrence of a sensitive operation such as a federation or credential change still deserves review even though it sorts to the bottom.
A new operation name is not proof of compromise. A newly licensed feature, a new integration, or a change to the audit log schema can also produce names that were never seen in the baseline, and a legitimate but rare operation that last ran more than 90 days ago will be reported as new. If the workspace retains less than 90 days of AuditLogs, the baseline is correspondingly shorter and more operations will look new. Treat the output as a triage list and pivot on InitiatedBy and TargetResources in AuditLogs for each hit.
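The set-difference logic behind the query, as an added example that is not part of the original page: it re-implements the baseline/recent split and the rightanti join in Python over a small constructed AuditLogs table so the join semantics can be checked offline before the KQL is deployed. The rows, the fixed "now" timestamp, and the function name new_audit_operations are assumptions for illustration; the operation and category names mirror real Entra ID audit values but the events themselves are invented.

```python
"""Re-implementation of the 'new Entra ID audit operation' detection.

Added example, not the page's own code. Mirrors the KQL: baseline window
(90d ago, 7d ago) -> distinct OperationName; recent window (last 7d) ->
count() by OperationName, Category; rightanti join on OperationName; sort
by count descending. Runs offline over constructed sample rows.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone

# Assumed "now" so the example is deterministic (the KQL uses ago()).
NOW = datetime(2024, 11, 10, tzinfo=timezone.utc)

# Constructed AuditLogs rows: (TimeGenerated, OperationName, Category).
SAMPLE_AUDIT_LOGS = [
    (NOW - timedelta(days=60), "Update user", "UserManagement"),
    (NOW - timedelta(days=30), "Update user", "UserManagement"),
    (NOW - timedelta(days=2), "Update user", "UserManagement"),  # seen in baseline: not new
    (NOW - timedelta(days=45), "Add member to group", "GroupManagement"),  # baseline only: not reported
    (NOW - timedelta(days=3), "Set federation settings on domain", "DirectoryManagement"),  # new
    (NOW - timedelta(days=1), "Set federation settings on domain", "DirectoryManagement"),
    (NOW - timedelta(days=5), "Add service principal credentials", "ApplicationManagement"),  # new
    (NOW - timedelta(days=120), "Add service principal credentials", "ApplicationManagement"),  # older than 90d: outside baseline, so the op still looks new
    (NOW - timedelta(days=6), "Add owner to application", "ApplicationManagement"),  # new, single hit
]


def new_audit_operations(rows, now=NOW, baseline_days=90, recent_days=7):
    """Return [(OperationName, Category, count)] for operations seen in the
    last `recent_days` whose OperationName never appeared in the preceding
    baseline window, sorted by count descending (rightanti join + sort)."""
    baseline_start = now - timedelta(days=baseline_days)
    recent_start = now - timedelta(days=recent_days)

    # Left side of the join: distinct OperationName where
    # TimeGenerated > ago(90d) and TimeGenerated < ago(7d).
    baseline_ops = {op for ts, op, _ in rows if baseline_start < ts < recent_start}

    # Right side: summarize count() by OperationName, Category over ago(7d).
    recent_counts = Counter((op, cat) for ts, op, cat in rows if ts > recent_start)

    # kind=rightanti: keep right-side rows with no match on OperationName.
    new_ops = [(op, cat, n) for (op, cat), n in recent_counts.items() if op not in baseline_ops]

    # sort by NewAzureADAuditOperations desc (stable, so ties keep arrival order).
    return sorted(new_ops, key=lambda r: r[2], reverse=True)


if __name__ == "__main__":
    for op, cat, n in new_audit_operations(SAMPLE_AUDIT_LOGS):
        print(f"{n:>3}  {cat:<22} {op}")
```

The 120-day-old credential addition shows the window edge the text describes: because it falls outside the 90-day baseline, "Add service principal credentials" is reported as new even though it has happened before. "Update user" is excluded despite occurring in the recent window, and "Add member to group" is never reported because rightanti discards baseline-only rows.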

Abiodun Adegbola
Released: November 10, 2024