Merge pull request #10249 from Azure/shainw-MannyUpdates-slice4

Adding Manny's changes into smaller PRs Slice 4
Azure · Apr 5, 2024 · cc81109 · cc81109
2 parents dc852fa + 83f9c8d
commit cc81109
Show file tree

Hide file tree

Showing 10 changed files with 222 additions and 69 deletions.
diff --git a/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml b/Solutions/Microsoft Entra ID Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
@@ -83,15 +83,21 @@ query: |
     | join kind=inner Alert_AtypicalTravels on UserAccount
     | where abs(datetime_diff('minute', Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) <= TimeDeltaInMinutes
     | extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time
-    | project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName
+    | project UserAccount, AadUserId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName
     | extend UserEmailName = split(UserAccount,'@')[0], UPNSuffix = split(UserAccount,'@')[1]
 entityMappings:
   - entityType: Account
     fieldMappings:
-      - identifier: UPNSuffix
-        columnName: UPNSuffix
+      - identifier: FullName
+        columnName: UserAccount
       - identifier: Name
         columnName: UserEmailName
+      - identifier: UPNSuffix
+        columnName: UPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: AadUserId
   - entityType: IP
     fieldMappings:
       - identifier: Address
@@ -112,5 +118,5 @@ customDetails:
     PreviousLocation: PreviousLocation
     CurrentIPAddress: CurrentIPAddress
     PreviousIPAddress: PreviousIPAddress
-version: 1.0.7
+version: 1.0.8
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/ADFSDomainTrustMods.yaml
@@ -52,19 +52,35 @@ query: |
         | extend UserAgent = tostring(AdditionalDetail.value)
     )
   | extend InitiatingUserOrApp = iff(isnotempty(InitiatedBy.user.userPrincipalName),tostring(InitiatedBy.user.userPrincipalName), tostring(InitiatedBy.app.displayName))
-  | extend InitiatingIpAddress = iff(isnotempty(InitiatedBy.user.ipAddress), tostring(InitiatedBy.user.ipAddress), tostring(InitiatedBy.app.ipAddress))
+  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
+  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
+  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
+  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
+  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
+  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
   | project-reorder TimeGenerated, OperationName, InitiatingUserOrApp, AADOperationType, targetDisplayName, Result, InitiatingIpAddress, UserAgent, CorrelationId, TenantId, AADTenantId
-  | extend timestamp = TimeGenerated, Name = tostring(split(InitiatingUserOrApp,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUserOrApp,'@',1)[0])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
-        columnName: Name
+        columnName: InitiatingAppName
+      - identifier: AadUserId
+        columnName: InitiatingAppServicePrincipalId
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: InitiatingUserPrincipalName
+      - identifier: Name
+        columnName: InitiatingAccountName
       - identifier: UPNSuffix
-        columnName: UPNSuffix
+        columnName: InitiatingAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatingAadUserId
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: InitiatingIpAddress
-version: 1.0.1
+        columnName: InitiatingIPAddress
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedDeletedByNonApprovedUser.yaml
@@ -20,27 +20,42 @@ relevantTechniques:
 tags:
   - AADSecOpsGuide
 query: |
-  // Add non-approved user principal names to the list below to search for their account creation/deletion activity
+  // Add non-approved user principal names or apps to the list below to search for their account creation/deletion activity
   // ex: dynamic(["UPN1", "upn123"])
   let nonapproved_users = dynamic([]);
+  let nonapproved_apps = dynamic([]);
   AuditLogs
   | where OperationName =~ "Add user" or OperationName =~ "Delete user"
   | where Result =~ "success"
-  | extend InitiatingUser = tostring(InitiatedBy.user.userPrincipalName)
-  | where InitiatingUser has_any (nonapproved_users)
-  | project-reorder TimeGenerated, ResourceId, OperationName, InitiatingUser, TargetResources
-  | extend InitiatedUserIpAddress = tostring(InitiatedBy.user.ipAddress)
-  | extend Name = tostring(split(InitiatingUser,'@',0)[0]), UPNSuffix = tostring(split(InitiatingUser,'@',1)[0])
+  | extend InitiatingAppName = tostring(InitiatedBy.app.displayName)
+  | extend InitiatingAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId)
+  | extend InitiatingUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
+  | extend InitiatingAadUserId = tostring(InitiatedBy.user.id)
+  | extend InitiatingIpAddress = tostring(iff(isnotempty(InitiatedBy.user.ipAddress), InitiatedBy.user.ipAddress, InitiatedBy.app.ipAddress))
+  | where InitiatingUserPrincipalName has_any (nonapproved_users) or InitiatingAppName has_any (nonapproved_apps)
+  | extend InitiatingAccountName = tostring(split(InitiatingUserPrincipalName, "@")[0]), InitiatingAccountUPNSuffix = tostring(split(InitiatingUserPrincipalName, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
-        columnName: Name
+        columnName: InitiatingAppName
+      - identifier: AadUserId
+        columnName: InitiatingAppServicePrincipalId
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: InitiatingUserPrincipalName
+      - identifier: Name
+        columnName: InitiatingAccountName
       - identifier: UPNSuffix
-        columnName: UPNSuffix
+        columnName: InitiatingAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: InitiatingAadUserId
   - entityType: IP
     fieldMappings:
       - identifier: Address
-        columnName: InitiatedUserIpAddress
-version: 1.0.2
+        columnName: InitiatingIPAddress
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AccountCreatedandDeletedinShortTimeframe.yaml
@@ -25,42 +25,81 @@ query: |
   AuditLogs
   | where TimeGenerated > ago(queryfrequency)
   | where OperationName =~ "Delete user"
-  //extend UserPrincipalName = tostring(TargetResources[0].userPrincipalName)
   | mv-apply TargetResource = TargetResources on 
     (
         where TargetResource.type == "User"
-        | extend UserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))
+        | extend TargetUserPrincipalName = extract(@'([a-f0-9]{32})?(.*)', 2, tostring(TargetResource.userPrincipalName))
     )
-  | extend DeletedByUser = tostring(InitiatedBy.user.userPrincipalName), DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)
-  | extend DeletedByApp = tostring(InitiatedBy.app.displayName)
-  | project Deletion_TimeGenerated = TimeGenerated, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources
+  | extend DeletedByApp = tostring(InitiatedBy.app.displayName),
+  DeletedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
+  DeletedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
+  DeletedByAadUserId = tostring(InitiatedBy.user.id),
+  DeletedByIPAddress = tostring(InitiatedBy.user.ipAddress)
+  | project Deletion_TimeGenerated = TimeGenerated, TargetUserPrincipalName, DeletedByApp, DeletedByAppServicePrincipalId, DeletedByUserPrincipalName, DeletedByAadUserId, DeletedByIPAddress, 
+  Deletion_AdditionalDetails = AdditionalDetails, Deletion_InitiatedBy = InitiatedBy, Deletion_TargetResources = TargetResources
   | join kind=inner (
       AuditLogs
       | where TimeGenerated > ago(queryperiod)
       | where OperationName =~ "Add user"      
       | mv-apply TargetResource = TargetResources on 
         (
             where TargetResource.type == "User"
-            | extend UserPrincipalName = trim(@'"',tostring(TargetResource.userPrincipalName))
+            | extend TargetUserPrincipalName = trim(@'"',tostring(TargetResource.userPrincipalName))
         )
       | project-rename Creation_TimeGenerated = TimeGenerated
-  ) on UserPrincipalName
+  ) on TargetUserPrincipalName
   | extend TimeDelta = Deletion_TimeGenerated - Creation_TimeGenerated
   | where  TimeDelta between (time(0s) .. queryperiod)
-  | extend CreatedByUser = tostring(InitiatedBy.user.userPrincipalName), CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
-  | extend CreatedByApp = tostring(InitiatedBy.app.displayName)
-  | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, UserPrincipalName, DeletedByUser, DeletedByIPAddress, DeletedByApp, CreatedByUser, CreatedByIPAddress, CreatedByApp, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources
-  | extend timestamp = Deletion_TimeGenerated, Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
+  | extend CreatedByApp = tostring(InitiatedBy.app.displayName),
+  CreatedByAppServicePrincipalId = tostring(InitiatedBy.app.servicePrincipalId),
+  CreatedByUserPrincipalName = tostring(InitiatedBy.user.userPrincipalName),
+  CreatedByAadUserId = tostring(InitiatedBy.user.id),
+  CreatedByIPAddress = tostring(InitiatedBy.user.ipAddress)
+  | project Creation_TimeGenerated, Deletion_TimeGenerated, TimeDelta, TargetUserPrincipalName, DeletedByApp, DeletedByAppServicePrincipalId, DeletedByUserPrincipalName, DeletedByAadUserId, DeletedByIPAddress, 
+  CreatedByApp, CreatedByAppServicePrincipalId, CreatedByUserPrincipalName, CreatedByAadUserId, CreatedByIPAddress, Creation_AdditionalDetails = AdditionalDetails, Creation_InitiatedBy = InitiatedBy, Creation_TargetResources = TargetResources, Deletion_AdditionalDetails, Deletion_InitiatedBy, Deletion_TargetResources
+  | extend TargetName = tostring(split(TargetUserPrincipalName,'@',0)[0]), TargetUPNSuffix = tostring(split(TargetUserPrincipalName,'@',1)[0])
+  | extend CreatedByName = tostring(split(CreatedByUserPrincipalName,'@',0)[0]), CreatedByUPNSuffix = tostring(split(CreatedByUserPrincipalName,'@',1)[0])
+  | extend DeletedByName = tostring(split(DeletedByUserPrincipalName,'@',0)[0]), DeletedByUPNSuffix = tostring(split(DeletedByUserPrincipalName,'@',1)[0])
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName
+        columnName: TargetUserPrincipalName
       - identifier: Name
-        columnName: Name
+        columnName: TargetName
       - identifier: UPNSuffix
-        columnName: UPNSuffix
+        columnName: TargetUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: CreatedByUserPrincipalName
+      - identifier: Name
+        columnName: CreatedByName
+      - identifier: UPNSuffix
+        columnName: CreatedByUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: CreatedByAadUserId
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: DeletedByUserPrincipalName
+      - identifier: Name
+        columnName: DeletedByName
+      - identifier: UPNSuffix
+        columnName: DeletedByUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: DeletedByAadUserId
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: CreatedByIPAddress
   - entityType: IP
     fieldMappings:
       - identifier: Address
         columnName: DeletedByIPAddress
-version: 1.0.3
+version: 1.1.0
 kind: Scheduled
diff --git a/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml b/Solutions/Microsoft Entra ID/Analytic Rules/AdminPromoAfterRoleMgmtAppPermissionGrant.yaml
@@ -80,17 +80,54 @@ query: |
   | extend
       TargetName = tostring(split(Target, "@")[0]),
       TargetUPNSuffix = tostring(split(Target, "@")[1])
-  | project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId
+  | project PermissionGrant_TimeGenerated, PermissionGrant_OperationName, PermissionGrant_Result, PermissionGrant, AppDisplayName, AppServicePrincipalId, PermissionGrant_InitiatedBy, PermissionGrant_TargetResources, PermissionGrant_AdditionalDetails, PermissionGrant_CorrelationId, 
+  RoleAssignment_TimeGenerated, RoleAssignment_OperationName, RoleAssignment_Result, RoleAssignment, TargetType, Target, TargetName, TargetUPNSuffix, TargetId, RoleAssignment_InitiatedBy, RoleAssignment_TargetResources, RoleAssignment_AdditionalDetails, RoleAssignment_CorrelationId
+  | extend PermissionGrant_InitiatingUserPrincipalName = tostring(PermissionGrant_InitiatedBy.user.userPrincipalName)
+  | extend PermissionGrant_InitiatingAadUserId = tostring(PermissionGrant_InitiatedBy.user.id)
+  | extend PermissionGrant_InitiatingIpAddress = tostring(iff(isnotempty(PermissionGrant_InitiatedBy.user.ipAddress), PermissionGrant_InitiatedBy.user.ipAddress, PermissionGrant_InitiatedBy.app.ipAddress))
+  | extend PermissionGrant_InitiatingAccountName = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[0]), PermissionGrant_InitiatingAccountUPNSuffix = tostring(split(PermissionGrant_InitiatingUserPrincipalName, "@")[1])
+  | extend RoleAssignment_InitiatingUserPrincipalName = tostring(RoleAssignment_InitiatedBy.user.userPrincipalName)
+  | extend RoleAssignment_InitiatingAadUserId = tostring(RoleAssignment_InitiatedBy.user.id)
+  | extend RoleAssignment_InitiatingIpAddress = tostring(iff(isnotempty(RoleAssignment_InitiatedBy.user.ipAddress), RoleAssignment_InitiatedBy.user.ipAddress, RoleAssignment_InitiatedBy.app.ipAddress))
+  | extend RoleAssignment_InitiatingAccountName = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[0]),  RoleAssignment_InitiatingAccountUPNSuffix = tostring(split(RoleAssignment_InitiatingUserPrincipalName, "@")[1])
 entityMappings:
   - entityType: Account
     fieldMappings:
       - identifier: Name
         columnName: AppDisplayName
+      - identifier: AadUserId
+        columnName: AppServicePrincipalId
   - entityType: Account
     fieldMappings:
+      - identifier: FullName
+        columnName: Target
       - identifier: Name
         columnName: TargetName
       - identifier: UPNSuffix
         columnName: TargetUPNSuffix
-version: 1.0.4
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: PermissionGrant_InitiatingUserPrincipalName
+      - identifier: Name
+        columnName: PermissionGrant_InitiatingAccountName
+      - identifier: UPNSuffix
+        columnName: PermissionGrant_InitiatingAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: PermissionGrant_InitiatingAadUserId
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: RoleAssignment_InitiatingUserPrincipalName
+      - identifier: Name
+        columnName: RoleAssignment_InitiatingAccountName
+      - identifier: UPNSuffix
+        columnName: RoleAssignment_InitiatingAccountUPNSuffix
+  - entityType: Account
+    fieldMappings:
+      - identifier: AadUserId
+        columnName: RoleAssignment_InitiatingAadUserId
+version: 1.1.0
 kind: Scheduled
diff --git a/...s/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml b/...s/Microsoft Entra ID/Analytic Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml
@@ -44,10 +44,14 @@ query: |
 entityMappings:
   - entityType: Account
     fieldMappings:
+      - identifier: FullName
+        columnName: UserPrincipalName
       - identifier: Name
         columnName: Name
       - identifier: UPNSuffix
         columnName: UPNSuffix
+  - entityType: Account
+    fieldMappings:
       - identifier: AadUserId
         columnName: UserId   
 eventGroupingSettings:
@@ -60,5 +64,5 @@ alertDetailsOverride:
     This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
     individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} 
     different locations.
-version: 2.0.2
+version: 2.0.3
 kind: Scheduled