Query Details

Update Of Authentication Methods Policy

Query

id: 43710714-5c4a-41e8-a87d-24492ad70c23
name: Update of Authentication Methods Policy
description: |
  'Identifies when Authentication Methods Policy was updated.'
severity: Informational
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AuditLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - CredentialAccess
  - InitialAccess
relevantTechniques:
  - T1110
  - T1078
query: |
  AuditLogs
  | where OperationName == "Authentication Methods Policy Update" and LoggedByService == "Authentication Methods"
  | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
  | extend timestamp = TimeGenerated, AccountCustomEntity = InitiatingUserOrApp, IPCustomEntity = InitiatingIpAddress
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPCustomEntity
version: 1.0.1
kind: Scheduled

Explanation

This query is designed to identify when the Authentication Methods Policy has been updated. It looks for entries in the AuditLogs table of the Azure Active Directory connector where the OperationName is "Authentication Methods Policy Update" and the LoggedByService is "Authentication Methods". It then extracts who initiated the update: the user principal name if a user made the change, otherwise the display name of the initiating app, and likewise the IP address from the user record or, failing that, from the app record. These values are mapped to the Account (FullName) and IP (Address) entities for further analysis. The query runs once a day and looks at data from the past day; with the gt trigger operator and a threshold of 0, any single matching event raises an informational alert. The rule is tagged with the CredentialAccess and InitialAccess tactics and the T1110 and T1078 techniques.
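The where/extend pipeline above can be checked offline by re-implementing it over a handful of audit records. The following is an added example, not code from the original page or from the rule's author: it models only the AuditLogs columns the query touches, uses constructed sample rows (the tenant names, UPNs and IP addresses are invented), and mirrors the KQL fallback semantics, where isnotempty() on a missing dynamic field is false and tostring() of a missing value is the empty string. The one-day lookback and the gt/0 trigger are applied as well, so the reader can see which rows would actually become alerts.

```python
# Added example: Python re-implementation of the "Update of Authentication
# Methods Policy" rule logic. Not the rule's own code; the sample rows below
# are constructed and do not come from any real tenant.
from datetime import datetime, timedelta, timezone

# Constructed reference time used as "now" for the 1d queryPeriod check.
SAMPLE_NOW = datetime(2023, 8, 24, tzinfo=timezone.utc)

# Constructed sample AuditLogs rows. Only the columns the rule touches are
# modelled: TimeGenerated, OperationName, LoggedByService and InitiatedBy.
SAMPLE_AUDIT_LOGS = [
    {   # Interactive admin change: user fields populated, app fields empty.
        "TimeGenerated": "2023-08-23T10:15:00Z",
        "OperationName": "Authentication Methods Policy Update",
        "LoggedByService": "Authentication Methods",
        "InitiatedBy": {"user": {"userPrincipalName": "admin@example.com",
                                 "ipAddress": "203.0.113.10"}, "app": {}},
    },
    {   # Change made by an application: no UPN, so the rule falls back to
        # the app display name and the app IP address.
        "TimeGenerated": "2023-08-23T11:00:00Z",
        "OperationName": "Authentication Methods Policy Update",
        "LoggedByService": "Authentication Methods",
        "InitiatedBy": {"user": {}, "app": {"displayName": "Policy Automation",
                                            "ipAddress": "198.51.100.7"}},
    },
    {   # Same OperationName but a different LoggedByService: filtered out.
        "TimeGenerated": "2023-08-23T12:00:00Z",
        "OperationName": "Authentication Methods Policy Update",
        "LoggedByService": "Core Directory",
        "InitiatedBy": {"user": {"userPrincipalName": "other@example.com",
                                 "ipAddress": "192.0.2.5"}, "app": {}},
    },
    {   # Matching event, but older than the 1d queryPeriod: filtered out.
        "TimeGenerated": "2023-08-20T09:00:00Z",
        "OperationName": "Authentication Methods Policy Update",
        "LoggedByService": "Authentication Methods",
        "InitiatedBy": {"user": {"userPrincipalName": "old@example.com",
                                 "ipAddress": "192.0.2.9"}, "app": {}},
    },
]


def _field(row, *path):
    """Walk a dynamic column like KQL's InitiatedBy.user.ipAddress; a missing
    key yields None, which KQL's isnotempty() treats as empty."""
    value = row
    for key in path:
        if not isinstance(value, dict):
            return None
        value = value.get(key)
    return value


def _iff_nonempty(primary, fallback):
    """iff(isnotempty(primary), tostring(primary), tostring(fallback)), where
    tostring() of a missing value is the empty string."""
    if primary not in (None, ""):
        return str(primary)
    return "" if fallback is None else str(fallback)


def _parse_time(ts):
    # datetime.fromisoformat() only accepts a trailing 'Z' from Python 3.11 on.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def detect_auth_method_policy_updates(rows, now=SAMPLE_NOW, lookback=timedelta(days=1)):
    """Apply the rule's where/extend pipeline to AuditLogs rows and return the
    rows that would alert, carrying the entity columns the rule maps."""
    results = []
    for row in rows:
        if _parse_time(row["TimeGenerated"]) < now - lookback:
            continue  # outside queryPeriod
        if (row.get("OperationName") != "Authentication Methods Policy Update"
                or row.get("LoggedByService") != "Authentication Methods"):
            continue
        initiator = _iff_nonempty(_field(row, "InitiatedBy", "user", "userPrincipalName"),
                                  _field(row, "InitiatedBy", "app", "displayName"))
        ip = _iff_nonempty(_field(row, "InitiatedBy", "user", "ipAddress"),
                           _field(row, "InitiatedBy", "app", "ipAddress"))
        results.append({"timestamp": row["TimeGenerated"],
                        "AccountCustomEntity": initiator,
                        "IPCustomEntity": ip})
    return results


def should_trigger(results, threshold=0):
    """triggerOperator: gt with triggerThreshold: 0 -> any single match alerts."""
    return len(results) > threshold


if __name__ == "__main__":
    hits = detect_auth_method_policy_updates(SAMPLE_AUDIT_LOGS)
    for hit in hits:
        print(hit)
    print("alert:", should_trigger(hits))
```

Run as-is, the script reports the admin change and the app-initiated change as two alert rows and drops the other two; the second row is the case worth noticing in triage, because the Account entity will hold an application display name rather than a UPN.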

Details

Thomas Naunheim

Released: August 23, 2023

Tables

AuditLogs

Keywords

AuditLogs, OperationName, LoggedByService, InitiatingUserOrApp, InitiatingIpAddress, TimeGenerated, AccountCustomEntity, IPCustomEntity, FullName, Address

Operators

|, ==, and, isnotempty, tostring, iff, extend, where
