Query Details
// Sentinel UEBA Privilege Escalation Detection
// Here is a list of interesting privilege escalation articles I read over the past weeks and my thoughts on a potential solution to monitor all these escalations:
// UnOAuthorized: Privilege Elevation Through Microsoft Applications
// https://www.semperis.com/blog/unoauthorized-privilege-elevation-through-microsoft-applications/
// Abusing PIM-related application permissions in Microsoft Graph - Part 1
// https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-1/
// Abusing PIM-related application permissions in Microsoft Graph - Part 2
// https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-2/
// Abusing PIM-related application permissions in Microsoft Graph - Part 3
// https://www.emiliensocchi.io/abusing-pim-related-application-permissions-in-microsoft-graph-part-3/
// Sentinel UEBA Detection:
Anomalies
| where TimeGenerated > ago(1h)
| where RuleName == "UEBA Anomalous Privilege Granted"
| where ActivityInsights.ActionUncommonlyPerformedInTenant == "True"
// #Sentinel #UEBA #PrivilegeEscalation
This query is designed to detect potential privilege escalation activity in Microsoft Sentinel using User and Entity Behavior Analytics (UEBA). In short, it looks at the Anomalies table for the last hour, keeps only rows raised by the "UEBA Anomalous Privilege Granted" rule, and then keeps only those where UEBA flagged the action as uncommon for the whole tenant. The result is a list of recent, unusual privilege grants worth triaging.
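The following is an added example, not part of the original query page: a Python equivalent of the KQL filter run over a few constructed Anomalies rows, useful for unit-testing the logic offline. It also accepts the flag as a JSON boolean, not only the string "True" the KQL compares against, and groups hits per user for triage. Column names other than TimeGenerated, RuleName and ActivityInsights (UserPrincipalName, Score) are assumed here.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like Sentinel's Anomalies table (not real data).
NOW = datetime(2024, 8, 13, 12, 0, tzinfo=timezone.utc)
RULE = "UEBA Anomalous Privilege Granted"
FLAG = "ActionUncommonlyPerformedInTenant"
SAMPLE_ROWS = [
    {"TimeGenerated": "2024-08-13T11:45:00Z", "RuleName": RULE, "Score": 85,
     "UserPrincipalName": "alice@contoso.example", "ActivityInsights": json.dumps({FLAG: "True"})},
    {"TimeGenerated": "2024-08-13T11:50:00Z", "RuleName": RULE, "Score": 92,
     "UserPrincipalName": "alice@contoso.example", "ActivityInsights": json.dumps({FLAG: True})},
    {"TimeGenerated": "2024-08-13T09:00:00Z", "RuleName": RULE, "Score": 70,   # older than 1h
     "UserPrincipalName": "bob@contoso.example", "ActivityInsights": json.dumps({FLAG: "True"})},
    {"TimeGenerated": "2024-08-13T11:55:00Z", "RuleName": "UEBA Anomalous Sign-in", "Score": 60,
     "UserPrincipalName": "carol@contoso.example", "ActivityInsights": json.dumps({FLAG: "True"})},
    {"TimeGenerated": "2024-08-13T11:58:00Z", "RuleName": RULE, "Score": 40,   # flag not set
     "UserPrincipalName": "dave@contoso.example", "ActivityInsights": json.dumps({FLAG: "False"})},
]

def flag_is_true(insights, key=FLAG):
    """True when the insight is the string "True" (as the KQL expects) or a JSON boolean true."""
    data = json.loads(insights) if isinstance(insights, str) else (insights or {})
    value = data.get(key)
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() == "true"

def detect(rows, now=NOW, lookback=timedelta(hours=1), rule_name=RULE):
    """Mirror the KQL: last hour, matching rule name, tenant-uncommon flag set."""
    cutoff = now - lookback
    hits = []
    for row in rows:
        ts = datetime.fromisoformat(row["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= cutoff or row["RuleName"] != rule_name:
            continue
        if flag_is_true(row["ActivityInsights"]):
            hits.append(row)
    return hits

def summarize(hits):
    """Per-user triage view: number of anomalies and the highest score in the window."""
    out = {}
    for h in hits:
        entry = out.setdefault(h["UserPrincipalName"], {"count": 0, "max_score": 0})
        entry["count"] += 1
        entry["max_score"] = max(entry["max_score"], h["Score"])
    return out

if __name__ == "__main__":
    print(json.dumps(summarize(detect(SAMPLE_ROWS)), indent=2))
```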

Steven Lim
Released: August 13, 2024