Azure Active Directory High Risk Sign-in

Try in Splunk Security Cloud

Description

The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them in three categories high, medium and low.

• Type: TTP
• Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
• Datamodel: Risk
• Last Updated: 2023-12-20
• Author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
• ID: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea

Annotations

ATT&CK

ATT&CK

ID	Technique	Tactic
T1586	Compromise Accounts	Resource Development

T1586.003

Cloud Accounts

Resource Development

T1110

Brute Force

Credential Access

T1110.003

Password Spraying

Credential Access

Kill Chain Phase

• Weaponization
• Exploitation

NIST

• DE.CM

CIS20

• CIS 10

CVE

Search

 `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high 
| rename properties.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_active_directory_high_risk_sign_in_filter`

Macros

The SPL above uses the following Macros:

• azure_monitor_aad
• security_content_ctime

azure_active_directory_high_risk_sign-in_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

• _time
• category
• properties.riskLevel
• user
• src_ip
• properties.activity
• properties.riskEventType
• properties.additionalInfo

How To Implement

You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype.

Known False Positives

Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.

Associated Analytic Story

• Azure Active Directory Account Takeover

RBA

Risk Score	Impact	Confidence	Message
54.0	60	90	A high risk event was identified by Identify Protection for user $user$

The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.

Reference

• https://attack.mitre.org/techniques/T1110/003/
• https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
• https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
• https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks

Test Dataset

Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2