Query Details

Unauthorized Actor Has Added a Federated Credential on a User-Assigned Managed Identity

Query

id: 06be8a2a-4790-4c31-8945-d74ea37e8ce0
name: Unauthorized actor has added a federated credential on a user-assigned managed identity
version: 1.0.0
kind: Scheduled
description: An actor outside the defined set of authorized users has added a federated credential to a user-assigned managed identity, which an untrusted entity could use to gain persistent access. The incident severity is raised to "high" if sign-in risk was detected for the session that made the change.
severity: Medium
queryFrequency: 1h
queryPeriod: 14d
triggerOperator: gt
triggerThreshold: 0
tactics:
- Persistence
query: |+
  // Resource hierarchy (subscription / management-group path) of the identities in scope
  let IncludeScope = dynamic(['36955ea9-c98e-4749-b603-ffefe652dd90/lab/lab-platform/lab-management/4d3e5b65-8a52-4b2f-b5cd-1670c700136b']);
  // Authorized actors: latest IdentityInfo snapshot of the members of the identity-administrators group
  let ExcludeActors = IdentityInfo
      | where TimeGenerated > ago(14d)
      | summarize arg_max(TimeGenerated, *) by AccountObjectId
      | where GroupMembership has "<GroupOfAzureIdentityAdministrators>"
      | project AccountObjectId;
  let ExcludeActorsWithRole = dynamic(['Owner', 'User Access Administrator', 'Subscription Admin']);
  // Optional filter on sign-in risk levels, e.g. dynamic(['high', 'medium']); an empty list keeps all rows
  let FilteredRiskLevel = dynamic([]);
  AzureActivity
  | where OperationNameValue =~ "MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS/WRITE" and ActivityStatusValue == "Success"
  | extend Hierarchy = tostring(parse_json(Properties).hierarchy)
  | where Hierarchy in~ (IncludeScope)
  | extend CallerObjectId = tostring(Claims_d["http://schemas.microsoft.com/identity/claims/objectidentifier"])
  | where CallerObjectId !in~ (ExcludeActors)
  | extend CallerRole = tostring(parse_json(tostring(Authorization_d.evidence)).role)
  | where CallerRole !in~ (ExcludeActorsWithRole)
  // The token's unique identifier (uti) links the management-plane call to the sign-in that issued the token
  | extend UniqueTokenIdentifier = tostring(Claims_d.uti)
  | join kind=leftouter (union SigninLogs, AADNonInteractiveUserSignInLogs
      | summarize by UniqueTokenIdentifier, RiskLevel, RiskLevelDuringSignIn
      )
      on $left.UniqueTokenIdentifier == $right.UniqueTokenIdentifier
  | where array_length(FilteredRiskLevel) == 0 or RiskLevel in~ (FilteredRiskLevel) or RiskLevelDuringSignIn in~ (FilteredRiskLevel)
  // Rows without a matching sign-in carry an empty risk level; only a real risk value raises the severity
  | extend Severity = iff(RiskLevelDuringSignIn !in~ ("none", ""), "High", "Medium")
  | project
      TimeGenerated,
      Caller,
      CallerIpAddress,
      CorrelationId,
      ResourceId = _ResourceId,
      UniqueTokenIdentifier,
      FederatedCredentialEntity = tostring(parse_json(Properties).entity),
      Hierarchy,
      RiskLevelDuringSignIn,
      Severity

suppressionEnabled: false
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: false
    reopenClosedIncident: false
    lookbackDuration: 5h
    matchingMethod: AllEntities
    groupByEntities: []
    groupByAlertDetails: []
    groupByCustomDetails: []
eventGroupingSettings:
  aggregationKind: SingleAlert
alertDetailsOverride:
  alertSeverityColumnName: Severity
  alertDynamicProperties: []
customDetails:
  Entity: FederatedCredentialEntity
  Hierarchy: Hierarchy
  RiskLevelSignIn: RiskLevelDuringSignIn
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: Caller
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: CallerIpAddress
- entityType: AzureResource
  fieldMappings:
  - identifier: ResourceId
    columnName: ResourceId
suppressionDuration: 5h

Explanation

This query detects and alerts when an actor who is not on the authorized list adds a federated identity credential to a user-assigned managed identity in Azure. Here's a simplified summary:

  1. Scope and Exclusions:
    • Restricts monitoring to the Azure resource hierarchy listed in IncludeScope.
    • Excludes actors based on their group membership (from IdentityInfo) or on the role that authorized the call (Owner, User Access Administrator, Subscription Admin).
  2. Activity Monitoring:
    • Watches AzureActivity for successful write operations on federated identity credentials of user-assigned managed identities.
  3. Risk Assessment:
    • Keeps only events whose caller is in neither exclusion list.
    • Joins with the interactive and non-interactive sign-in logs on the token's unique identifier (uti) to pick up the risk level of the sign-in that obtained the token.
    • If sign-in risk was detected, the severity is set to "High"; otherwise it remains "Medium".
  4. Incident Creation:
    • Each detected addition creates an incident.
    • The incident carries the event time, caller, IP address, resource ID, federated credential entity and the risk level during sign-in.
  5. Alert Configuration:
    • Every result is raised as a single alert without grouping.
    • Custom details and entity mappings (Account, IP, AzureResource) give the alert context.
  6. Suppression:
    • Suppression is disabled, so alerts are not held back after the rule fires.

In essence, this query helps identify and alert on potential unauthorized access attempts by monitoring changes to federated credentials on user-assigned managed identities, ensuring that only authorized actors make such changes.
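To make the filtering and severity logic testable offline, here is an added Python re-implementation of the rule over constructed AzureActivity- and sign-in-shaped records; it is not part of the original rule. The scope path is the page's own, while the object IDs, callers and uti values are constructed sample data.

```python
import json

# Constants mirror the rule's let statements; the scope string is the page's own, the object IDs are constructed.
LAB_SCOPE = "36955ea9-c98e-4749-b603-ffefe652dd90/lab/lab-platform/lab-management/4d3e5b65-8a52-4b2f-b5cd-1670c700136b"
INCLUDE_SCOPE = {LAB_SCOPE.lower()}
EXCLUDE_ACTORS = {"aaaaaaaa-0000-0000-0000-000000000001"}  # stands in for the identity-admins group members
EXCLUDE_ROLES = {"owner", "user access administrator", "subscription admin"}
FIC_WRITE = "MICROSOFT.MANAGEDIDENTITY/USERASSIGNEDIDENTITIES/FEDERATEDIDENTITYCREDENTIALS/WRITE"
OID_CLAIM = "http://schemas.microsoft.com/identity/claims/objectidentifier"


def severity(risk_during_signin):
    """Rule's severity step: "" (no sign-in matched) and "none" stay Medium; any real risk value is High."""
    return "High" if risk_during_signin not in ("", "none") else "Medium"


def detect(activity, signins):
    """Apply the rule's filters to AzureActivity-shaped rows and left-join sign-in risk on uti."""
    risk_by_uti = {s["UniqueTokenIdentifier"]: s.get("RiskLevelDuringSignIn", "") for s in signins}
    alerts = []
    for ev in activity:
        if ev["OperationNameValue"].upper() != FIC_WRITE or ev["ActivityStatusValue"] != "Success":
            continue
        props, claims = json.loads(ev["Properties"]), json.loads(ev["Claims"])
        if props.get("hierarchy", "").lower() not in INCLUDE_SCOPE:
            continue  # resource outside the monitored hierarchy
        if claims.get(OID_CLAIM, "").lower() in EXCLUDE_ACTORS:
            continue  # authorized actor by group membership
        role = json.loads(ev["Authorization"]).get("evidence", {}).get("role", "")
        if role.lower() in EXCLUDE_ROLES:
            continue  # authorized by a privileged RBAC role
        risk = risk_by_uti.get(claims.get("uti"), "")  # leftouter join: "" when no sign-in matched
        alerts.append({"Caller": ev["Caller"], "Entity": props.get("entity"),
                       "RiskLevelDuringSignIn": risk, "Severity": severity(risk)})
    return alerts


def _event(caller, oid, role, uti, scope=LAB_SCOPE):
    """Build one constructed AzureActivity-like row (JSON string columns, as in the real table)."""
    return {"OperationNameValue": FIC_WRITE, "ActivityStatusValue": "Success", "Caller": caller,
            "Properties": json.dumps({"hierarchy": scope, "entity": "fic-github-actions"}),
            "Claims": json.dumps({OID_CLAIM: oid, "uti": uti}),
            "Authorization": json.dumps({"evidence": {"role": role}})}


SAMPLE_ACTIVITY = [  # constructed events covering each branch of the rule
    _event("admin@contoso.example", "aaaaaaaa-0000-0000-0000-000000000001", "Contributor", "uti-1"),  # admin group
    _event("owner@contoso.example", "bbbbbbbb-0000-0000-0000-000000000002", "Owner", "uti-2"),  # privileged role
    _event("dev@contoso.example", "cccccccc-0000-0000-0000-000000000003", "Contributor", "uti-3"),  # risky sign-in
    _event("svc@contoso.example", "dddddddd-0000-0000-0000-000000000004", "Contributor", "uti-4"),  # no sign-in row
    _event("dev@contoso.example", "cccccccc-0000-0000-0000-000000000003", "Contributor", "uti-5", "other/prod"),
]
SAMPLE_SIGNINS = [{"UniqueTokenIdentifier": "uti-3", "RiskLevelDuringSignIn": "high"}]  # constructed
```

Running `detect(SAMPLE_ACTIVITY, SAMPLE_SIGNINS)` yields two alerts: the risky developer session at High and the service account with no matching sign-in at Medium.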

Details


Thomas Naunheim

Released: August 2, 2024

Tables

AzureActivity, IdentityInfo, SigninLogs, AADNonInteractiveUserSignInLogs

Keywords

Devices, User, AzureResource, Account, IP

Operators

let, dynamic, where, summarize, arg_max, by, has, project, ago, =~, and, extend, parse_json, in~, tostring, !in~, join, kind, union, on, ==, in, iff, or