Azure Active Directory High Risk Sign-in
Description
The following analytic triggers on a high risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them into three risk levels: high, medium and low.
- Type: TTP
- Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Datamodel: Risk
- Last Updated: 2023-12-20
- Author: Mauricio Velazco, Gowthamaraj Rajendran, Splunk
- ID: 1ecff169-26d7-4161-9a7b-2ac4c8e61bea
Annotations
ATT&CK
Kill Chain Phase
- Weaponization
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_active_directory_high_risk_sign_in_filter`
Macros
The SPL above uses the following Macros:
azure_active_directory_high_risk_sign_in_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- category
- properties.riskLevel
- user
- src_ip
- properties.activity
- properties.riskEventType
- properties.additionalInfo
How To Implement
You must install the latest version of the Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log categories in the azure:monitor:aad sourcetype.
Known False Positives
Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
54.0 | 60 | 90 | A high risk event was identified by Identity Protection for user $user$ |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). The initial Confidence and Impact are set by the analytic author.
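To show what the SPL search above and the RBA formula do end to end, here is an added Python emulation (not part of the Splunk detection itself) run over constructed azure:monitor:aad events. It assumes the add-on has already mapped `user` and `src_ip` to top-level fields as the Required fields list implies, and it models the empty filter macro as an optional predicate.

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events shaped like azure:monitor:aad after field extraction.
SAMPLE_EVENTS = [
    {"_time": "2023-12-20T09:58:00Z", "category": "UserRiskEvents", "user": "alice@example.com",
     "src_ip": "203.0.113.10", "properties": {"riskLevel": "high", "activity": "signin",
     "riskEventType": "unfamiliarFeatures", "additionalInfo": "[]"}},
    {"_time": "2023-12-20T10:02:00Z", "category": "UserRiskEvents", "user": "bob@example.com",
     "src_ip": "203.0.113.10", "properties": {"riskLevel": "high", "activity": "signin",
     "riskEventType": "unfamiliarFeatures", "additionalInfo": "[]"}},
    {"_time": "2023-12-20T10:05:00Z", "category": "UserRiskEvents", "user": "carol@example.com",
     "src_ip": "198.51.100.7", "properties": {"riskLevel": "medium", "activity": "signin",
     "riskEventType": "anonymizedIPAddress", "additionalInfo": "[]"}},
    {"_time": "2023-12-20T10:07:00Z", "category": "RiskyUsers", "user": "dave@example.com",
     "src_ip": "198.51.100.9", "properties": {"riskLevel": "high", "activity": "signin",
     "riskEventType": "leakedCredentials", "additionalInfo": "[]"}},
]

def _epoch(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()

def high_risk_sign_ins(events, filter_macro=lambda row: True):
    """Emulate the SPL: keep category=UserRiskEvents with riskLevel=high, then compute
    count, min/max _time and values(user) per group; filter_macro plays the *_filter macro."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "user": set()})
    for ev in events:
        p = ev["properties"]  # equivalent of "rename properties.* as *"
        if ev["category"] != "UserRiskEvents" or p["riskLevel"] != "high":
            continue
        key = (ev["src_ip"], p["activity"], p["riskLevel"], p["riskEventType"], p["additionalInfo"])
        g = groups[key]
        t = _epoch(ev["_time"])
        g["count"] += 1
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        g["user"].add(ev["user"])
    rows = []
    for key, g in groups.items():
        row = dict(zip(("src_ip", "activity", "riskLevel", "riskEventType", "additionalInfo"), key))
        row.update(g, user=sorted(g["user"]))  # values(user) as a sorted multivalue field
        if filter_macro(row):  # empty macro by default: every row passes
            rows.append(row)
    return rows

def risk_score(impact=60, confidence=90):
    """RBA formula from the page: Risk Score = Impact * Confidence / 100."""
    return impact * confidence / 100
```

Only the two high-risk UserRiskEvents rows from 203.0.113.10 survive and collapse into one result with both users; the medium-risk event and the RiskyUsers record are dropped exactly as the SPL's first line drops them.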
Reference
- https://attack.mitre.org/techniques/T1110/003/
- https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection
- https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI. Alternatively, you can replay a dataset into a Splunk Attack Range.
Detection version: 2