Query Details

Potential Malicious Sign In From Azure AD Connect Account UEBA

Query

id: a4fe163e-aec6-407c-8240-ef280742a5f4
name: Potential malicious sign-in from Azure AD Connect account (UEBA)
version: 1.0.1
kind: Scheduled
description: The Azure AD Connect account is accessing a resource that it must not access. This is a high-fidelity sign of malicious actions.
severity: High
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - LateralMovement
relevantTechniques:
  - T0859
query: |-
  let DirectorySyncAdmins = (IdentityInfo
      | where TimeGenerated > ago(14d)
      | where AssignedRoles contains "Directory Synchronization Accounts"
      | distinct AccountUPN);
  union isfuzzy=true SigninLogs, AADNonInteractiveUserSignInLogs
  | where ingestion_time() > ago(70m)
  | where UserPrincipalName in~ ( DirectorySyncAdmins )
  // Only alert when AppId != Microsoft Azure Active Directory Connect and the resource is not AAD
  | where AppId != "cb1056e2-e479-49de-ae31-7812af012ed8" and ResourceDisplayName != "Windows Azure Active Directory"
suppressionDuration: 5h
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    matchingMethod: Selected
    reopenClosedIncident: false
    groupByCustomDetails: []
    groupByEntities:
      - Account
    groupByAlertDetails: []
    lookbackDuration: 1h
    enabled: true
eventGroupingSettings:
  aggregationKind: AlertPerResult
entityMappings:
  - entityType: CloudApplication
    fieldMappings:
      - columnName: AppId
        identifier: AppId
  - entityType: CloudApplication
    fieldMappings:
      - columnName: AppDisplayName
        identifier: Name
  - entityType: IP
    fieldMappings:
      - columnName: IPAddress
        identifier: Address
  - entityType: Account
    fieldMappings:
      - columnName: UserPrincipalName
        identifier: FullName
  - entityType: Account
    fieldMappings:
      - columnName: UserId
        identifier: AadUserId
suppressionEnabled: false

Explanation

This rule detects potentially malicious sign-ins from the Azure AD Connect account, that is, sign-ins in which that account reaches a resource it should not access. It first collects from IdentityInfo every account that held the "Directory Synchronization Accounts" role in the past 14 days, then flags recently ingested sign-ins (interactive and non-interactive) by those accounts where the client application is not Azure AD Connect and the target resource is not Azure AD itself. The rule runs every 1 hour over a 14-day query period, and the potential threat is classified as High severity; it is tagged with the Lateral Movement tactic and the listed technique. The query is written in KQL (Kusto Query Language) and relies on the filters above to isolate the suspicious activity. Each matching row raises its own alert; an incident is created and grouped by the account involved, and the entity mappings expose the cloud application, IP address and user account to the analyst. Suppression is not enabled for this rule.
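As an added illustration (not part of this page or the rule's own code), the rule's logic replayed in Python over constructed sample rows, so the filter conditions, the case-insensitive in~ match and the 70-minute ingestion window can be checked outside of Sentinel. AssignedRoles is kept as a plain string for brevity, and the UPN, the second app ID and the timestamps are constructed placeholders.

```python
from datetime import datetime, timedelta, timezone

AAD_CONNECT_APPID = "cb1056e2-e479-49de-ae31-7812af012ed8"  # from the rule on this page
AAD_RESOURCE = "Windows Azure Active Directory"              # from the rule on this page
SYNC_ROLE = "directory synchronization accounts"             # KQL 'contains' ignores case

def directory_sync_admins(identity_info, now, lookback=timedelta(days=14)):
    """IdentityInfo sub-query: UPNs that held the sync role within the lookback.
    Lower-cased so the membership test behaves like KQL's case-insensitive in~."""
    return {r["AccountUPN"].lower() for r in identity_info
            if r["TimeGenerated"] > now - lookback and SYNC_ROLE in r["AssignedRoles"].lower()}

def suspicious_signins(signins, sync_admins, now, window=timedelta(minutes=70)):
    """The union/where chain: recently ingested sign-ins by a sync account where neither
    the client app is AAD Connect nor the resource is Azure AD itself (both != are case-sensitive)."""
    return [r for r in signins
            if r["ingestion_time"] > now - window
            and r["UserPrincipalName"].lower() in sync_admins
            and r["AppId"] != AAD_CONNECT_APPID
            and r["ResourceDisplayName"] != AAD_RESOURCE]

# --- constructed sample data (not real tenant values) ---
NOW = datetime(2023, 8, 13, 12, 0, tzinfo=timezone.utc)
SYNC_UPN = "Sync_SRV01_12345678@contoso.onmicrosoft.com"
OTHER_APPID = "00000000-0000-0000-0000-00000000beef"  # placeholder for any other client app

IDENTITY_INFO = [
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": SYNC_UPN,
     "AssignedRoles": '["Directory Synchronization Accounts"]'},
    {"TimeGenerated": NOW - timedelta(days=1), "AccountUPN": "alice@contoso.com",
     "AssignedRoles": '["Global Reader"]'},
]
SIGNINS = [
    # 1. normal sync traffic, AAD Connect app -> Azure AD: must not fire
    {"ingestion_time": NOW - timedelta(minutes=5), "UserPrincipalName": SYNC_UPN,
     "AppId": AAD_CONNECT_APPID, "ResourceDisplayName": AAD_RESOURCE},
    # 2. sync account (different UPN casing) used by another app against Graph: must fire
    {"ingestion_time": NOW - timedelta(minutes=10), "UserPrincipalName": SYNC_UPN.upper(),
     "AppId": OTHER_APPID, "ResourceDisplayName": "Microsoft Graph"},
    # 3. same access by a non-sync user: out of scope for this rule
    {"ingestion_time": NOW - timedelta(minutes=10), "UserPrincipalName": "alice@contoso.com",
     "AppId": OTHER_APPID, "ResourceDisplayName": "Microsoft Graph"},
    # 4. sync-account misuse ingested 3 h ago: outside the 70 min window of this run
    {"ingestion_time": NOW - timedelta(hours=3), "UserPrincipalName": SYNC_UPN,
     "AppId": OTHER_APPID, "ResourceDisplayName": "Microsoft Graph"},
]

def run_rule(identity_info=IDENTITY_INFO, signins=SIGNINS, now=NOW):
    """One scheduled run of the rule; each returned row would become one alert."""
    return suspicious_signins(signins, directory_sync_admins(identity_info, now), now)
```

Row 4 is not lost in practice: it is covered by the hourly run that was scheduled when it was ingested, which is why the 70-minute window slightly overlaps the 1-hour frequency.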

Details


Fabian Bader

Released: August 13, 2023

Tables

SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

Devices, Intune, User, AzureADConnect, resource, high-fidelity, maliciousactions, DirectorySyncAdmins, SigninLogs, AADNonInteractiveUserSignInLogs, AppId, ResourceDisplayName, suppressionDuration, incidentConfiguration, groupingConfiguration, reopenClosedIncident, groupByEntities, lookbackDuration, enabled, eventGroupingSettings, aggregationKind, entityMappings, CloudApplication, IP, Account, columnName, identifier, FullName, AadUserId, suppressionEnabled

Operators

let, union, isfuzzy, where, in~, and, !=
