Query Details

Security Alerts triggered by users at risk

Security Alert Triggered By Risky User

Query

let RiskyUsers = AADRiskyUsers
     | where TimeGenerated > ago(90d)
     // Only user active risky users. If you want to look for all users that have been risky, remove the line below.
     | where RiskState in~ ('atRisk', 'confirmedCompromised')
     | distinct UserPrincipalName;
SecurityAlert
// Only get the latest status of each alert
| summarize arg_max(TimeGenerated, *) by SystemAlertId
// Filter only on RiskyUsers
| where Entities has_any (RiskyUsers)
// Collect the user from the entities
| extend
     DisplayName = extract(@',"DisplayName":"(.*?)"', 1, Entities),
     Upn = extract(@'"Upn":"(.*?)"', 1, Entities),
     UserPrincipalName = extract(@'"UserPrincipalName":"(.*?)"', 1, Entities)
// Combine the entity fields into one field
| extend User = iff(isnotempty(DisplayName), DisplayName, iff(isnotempty(Upn), Upn, iff(isnotempty(UserPrincipalName), UserPrincipalName, 'See Entities')))
| project AlertName, AlertSeverity, User, Entities

About this query

Security Alerts triggered by users at risk

Query Information

Description

This query identifies the users that are currently at risk. Based on that it performs a lookup on the security alerts that have been triggered with that user as entity. This can indicate that a useraccount has been compromised, because it has peformed risky sign in activities as well as malicious activities defined by security products or custom detection rules.

Risk

Alerts on a user at risk may indicate that the useraccount has been compromised. Investigate the useraccount in more detail and disable the user if malicious activity is confirmed.

References

Sentinel

Explanation

This query is designed to identify security alerts related to users who are currently considered at risk. Here's a simplified breakdown of what the query does:

  1. Identify Risky Users:

    • It starts by looking at a dataset called AADRiskyUsers to find users who have been flagged as risky within the last 90 days.
    • It filters these users to include only those whose risk state is either "atRisk" or "confirmedCompromised".
    • It creates a list of these users, specifically capturing their unique identifiers (UserPrincipalName).
  2. Find Related Security Alerts:

    • The query then examines a dataset of security alerts (SecurityAlert).
    • It ensures that only the most recent status of each alert is considered by summarizing the alerts based on their unique identifiers (SystemAlertId).
    • It filters these alerts to include only those that are associated with the risky users identified earlier.
  3. Extract and Present User Information:

    • For each alert, it extracts user information from the alert's entity data, trying to capture the user's display name, UPN (User Principal Name), or UserPrincipalName.
    • It combines these fields into a single user identifier for clarity.
  4. Output:

    • Finally, it presents a simplified view of the data, showing the alert name, alert severity, user information, and the entities involved in the alert.

In essence, this query helps security analysts quickly identify and investigate alerts that involve users who are potentially compromised, allowing for timely intervention and mitigation.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: November 17, 2023

Tables

AADRiskyUsersSecurityAlert

Keywords

SecurityAlertsUsersRisk

Operators

let|where>agoin~distinctsummarizearg_maxbyhas_anyextendextract@iffisnotemptyproject

Actions

GitHub