Query Details
UEBA Behavior Anomaly On Application Management
Query
id: d4ae2281-9c29-4ce6-b554-0c124efb14b1
name: UEBA Behavior anomaly on Application Management
version: 1.0.0
kind: Scheduled
description: |-
Anomaly detected by UEBA with investigation priority score in combination with one of the following conditions:
- Actor has no active or permanent Entra ID role assignment in the past 14 days
- Risky User with Risk Level of Medium or higher
The incident will be increased to “High” severity if the Actor has been assigned to “Control Plane” Entra ID role in the past 14 days. All other results will be set to severity “Informational” and not included in the incident creation.
severity: Medium
queryFrequency: 14d
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
query: |
// List of (active/permanent) Directory role member with with enriched classification from EntraOps Privileged EAM
// by using IdentityInfo table from Microsoft Sentinel UEBA
let SensitiveEntraDirectoryRoles = externaldata(RoleName: string, RoleId: string, isPrivileged: bool, Classification: dynamic)["https://raw.githubusercontent.com/Cloud-Architekt/AzurePrivilegedIAM/main/Classification/Classification_EntraIdDirectoryRoles.json"] with(format='multijson')
| where Classification.EAMTierLevelName != "Unclassified"
| extend EAMTierLevelName = Classification.EAMTierLevelName
| project RoleName, isPrivileged, EAMTierLevelName;
let AllUsers = IdentityInfo
| where TimeGenerated > ago(14d)
| mv-expand AssignedRoles
| extend RoleName = tostring(AssignedRoles)
| join kind=leftouter (SensitiveEntraDirectoryRoles) on RoleName
| extend EnterpriseAccessModelLevel = iff(isempty(EAMTierLevelName), "UserAccess", EAMTierLevelName)
| summarize
EnterpriseAccessModelTiering = make_set(EnterpriseAccessModelLevel),
PastRoleAssignments = make_set(RoleName),
PastRiskLevel = make_set(RiskLevel),
PastRiskState = make_set(RiskState)
by UserId = AccountObjectId, UserPrincipalName = AccountUPN, IsAccountEnabled;
BehaviorAnalytics
| where TimeGenerated > ago(1d)
| where ActivityType == "ApplicationManagement"
| join kind=inner (AllUsers) on UserPrincipalName
// Increase severity if investigation priority is larger than 1 and risk on level Medium or High has been detected by the user in the past 14 days or user has no privileged directory role in the past or
| extend Severity = iff(InvestigationPriority > 1 and (EnterpriseAccessModelTiering[0] == "UserAccess" or (PastRiskState[0] == "AtRisk" and (PastRiskLevel contains "Medium" or PastRiskLevel contains "High"))), "Low", "Informational")
// Step up severity to "High" if actor is Control Plane administrator
| extend Severity = iff(EnterpriseAccessModelTiering contains "ControlPlane" and Severity != "Informational", "Medium", Severity)
// Informational events will be filtered and not considered for incidents
| where Severity != "Informational"
| mv-expand parse_json(ActivityInsights)
| where ActivityInsights !contains "False"
| project
Severity,
TimeGenerated,
InvestigationPriority,
ActivityType,
ActionType,
ActivityInsights,
EnterpriseAccessModelTiering,
UserPrincipalName,
SourceIPAddress,
PastRoleAssignments,
PastRiskLevel,
PastRiskState,
Type
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: SingleAlert
alertDetailsOverride:
alertDisplayNameFormat: 'UEBA Behavior anomaly: {{ActivityType}} '
alertDescriptionFormat: ' {{ActionType}} with the following anomaly: {{ActivityInsights}} '
alertSeverityColumnName: Severity
alertDynamicProperties:
- alertProperty: ProductComponentName
value: Type
customDetails:
InvestigationScore: InvestigationPriority
ActivityType: ActivityType
ActionType: ActionType
ActivityInsights: ActivityInsights
UserClassification: EnterpriseAccessModelTiering
PastDirectoryRoles: PastRoleAssignments
PastUserRiskLevel: PastRiskLevel
PastRiskState: PastRiskState
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: UserPrincipalName
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SourceIPAddress
suppressionDuration: 5h
Explanation
This query is used to detect anomalies in application management behavior using UEBA (User and Entity Behavior Analytics). It checks for two conditions:
- If the actor has no active or permanent role assignment in the past 14 days, or if the user is a risky user with a risk level of Medium or higher.
- If the actor has been assigned to the "Control Plane" role in the past 14 days, the severity of the incident is increased to "High". Otherwise, all other results are set to severity "Informational" and not included in the incident creation.
The query retrieves a list of active or permanent directory role members with enriched classification from EntraOps Privileged EAM. It then joins this data with user information from the IdentityInfo table in Microsoft Sentinel UEBA. The query also includes filtering based on specific activity types and time periods.
The incident configuration is set to create incidents and does not enable grouping. The alert details override specifies the format for the alert display name and description. Custom details are included in the incident, such as investigation score, activity type, action type, activity insights, user classification, past directory roles, past user risk level, and past risk state.
The query does not enable suppression and includes entity mappings for account and IP entities. The suppression duration is set to 5 hours.
Details
Thomas Naunheim
Released: November 12, 2023
Tables
BehaviorAnalytics
IdentityInfo
Keywords
Devices,Intune,User,IdentityInfo,BehaviorAnalytics,ActivityType,ActionType,ActivityInsights,EnterpriseAccessModelTiering,UserPrincipalName,SourceIPAddress,PastRoleAssignments,PastRiskLevel,PastRiskState,Type
Operators
wherejoinextendiffcontainsprojectsummarizemake_setbymv-expandnotfalsetruewithformatago