Query Details
id: 0193072c-afc9-4fd1-ac9a-c4add164e40d
name: A new Lighthouse service provider was added
version: 1.0.0
kind: Scheduled
description: A service provider was added using Lighthouse
severity: Informational
queryFrequency: 30m
queryPeriod: 30m
triggerOperator: gt
triggerThreshold: 0
tactics:
  - Persistence
query: |-
  AzureActivity
  | where OperationNameValue =~ "Microsoft.ManagedServices/registrationAssignments/Write"
  | extend timestamp = TimeGenerated, AccountCustomEntity = Caller, IPCustomEntity = CallerIpAddress
suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
  - entityType: AzureResource
    fieldMappings:
      - identifier: ResourceId
        columnName: SubscriptionId
suppressionDuration: 5h
This query looks for Azure activity related to adding a new service provider through Azure Lighthouse. It matches operations named "Microsoft.ManagedServices/registrationAssignments/Write" (the "=~" operator makes the comparison case-insensitive) and extracts the timestamp, the caller account and the caller IP address as entities; the row's SubscriptionId is additionally mapped to an AzureResource entity. The rule runs every 30 minutes over the preceding 30 minutes of data (queryFrequency and queryPeriod), and because triggerThreshold is 0 with operator gt, any matching row fires; all rows from one run are rolled into a single alert (aggregationKind: SingleAlert), which creates an incident. Incident grouping and suppression are both disabled, so the 5h lookbackDuration and suppressionDuration only take effect if those features are switched on.
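To see what the rule actually selects and what entities the alert carries, here is an added Python simulation of the rule's "where"/"extend" steps and its SingleAlert entity mapping, run over a few constructed AzureActivity-style rows (this is illustrative code, not part of the rule or of Microsoft Sentinel; the sample rows and subscription IDs are made up):

```python
# Constructed sample AzureActivity rows (not real telemetry); only the
# columns the rule touches are included.
SAMPLE_AZURE_ACTIVITY = [
    {"TimeGenerated": "2023-07-25T10:01:00Z",
     "OperationNameValue": "Microsoft.ManagedServices/registrationAssignments/Write",
     "Caller": "admin@contoso.example", "CallerIpAddress": "203.0.113.10",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001"},
    {"TimeGenerated": "2023-07-25T10:02:00Z",
     # Different casing: KQL '=~' still matches this row.
     "OperationNameValue": "MICROSOFT.MANAGEDSERVICES/REGISTRATIONASSIGNMENTS/WRITE",
     "Caller": "svc-deploy@contoso.example", "CallerIpAddress": "198.51.100.7",
     "SubscriptionId": "00000000-0000-0000-0000-000000000002"},
    {"TimeGenerated": "2023-07-25T10:03:00Z",
     "OperationNameValue": "Microsoft.ManagedServices/registrationAssignments/Delete",
     "Caller": "admin@contoso.example", "CallerIpAddress": "203.0.113.10",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001"},
    {"TimeGenerated": "2023-07-25T10:04:00Z",
     "OperationNameValue": "Microsoft.Compute/virtualMachines/Write",
     "Caller": "ops@contoso.example", "CallerIpAddress": "192.0.2.25",
     "SubscriptionId": "00000000-0000-0000-0000-000000000001"},
]

OPERATION = "Microsoft.ManagedServices/registrationAssignments/Write"

# (entityType, identifier, columnName) exactly as in the rule's entityMappings.
ENTITY_MAPPINGS = [("Account", "FullName", "AccountCustomEntity"),
                   ("IP", "Address", "IPCustomEntity"),
                   ("AzureResource", "ResourceId", "SubscriptionId")]

def where_operation(row: dict) -> bool:
    """The rule's 'where' step: KQL '=~' is case-insensitive equality."""
    return row.get("OperationNameValue", "").casefold() == OPERATION.casefold()

def extend_entities(row: dict) -> dict:
    """The rule's 'extend' step: add the custom entity columns."""
    return {**row, "timestamp": row["TimeGenerated"],
            "AccountCustomEntity": row["Caller"],
            "IPCustomEntity": row["CallerIpAddress"]}

def run_rule(rows: list) -> list:
    """Rows the scheduled query would return for one 30-minute run."""
    return [extend_entities(r) for r in rows if where_operation(r)]

def build_alert(results: list):
    """triggerOperator gt / triggerThreshold 0: fire when count > 0.
    aggregationKind SingleAlert: every matching row goes into one alert."""
    if not len(results) > 0:
        return None
    entities = [{"entityType": etype, ident: r[col]}
                for r in results for etype, ident, col in ENTITY_MAPPINGS]
    return {"name": "A new Lighthouse service provider was added",
            "severity": "Informational", "resultCount": len(results),
            "entities": entities}
```

Note that the query filters only on the operation name, so any status of the write operation recorded in AzureActivity is returned; if you want to alert only on completed assignments, an additional status filter would be needed.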

Fabian Bader
Released: July 25, 2023