Forum Discussion
stianhoydal
Jun 30, 2021Copper Contributor
KQL query for brute force against users in certain AAD groups
Greetings. I am trying to figure out a way to search for brute force attacks against users that are part of certain AAD groups. So far I have found that I can utilize brute force queries already a...
- Jul 03, 2021
You could do this in a few ways; you may need to test to see what works best for your environment. The issue you are facing is that the AuditLogs table will only track changes to groups: you want to query log data (your brute force attack query) vs static data (group membership).
1. Add the users to a watchlist - https://docs.microsoft.com/en-us/azure/sentinel/watchlists
You could upload an initial csv to the watchlist that contains the UserPrincipalNames of the users who are in the groups you care about. In this example, a watchlist called HighRiskUsers has UserPrincipalName as a column header. You then include being in that watchlist as part of your query -
// Pull the UPNs out of the watchlist once; _GetWatchlist() is the Sentinel watchlist function
let watchlist = (_GetWatchlist('HighRiskUsers') | project UserPrincipalName);
SigninLogs
// *your brute force query here*
// 'in' is case-sensitive; use 'in~' if the watchlist casing may differ from what SigninLogs records
| where UserPrincipalName in (watchlist)
You could then use a logic app to keep that watchlist current - https://docs.microsoft.com/en-us/connectors/azuresentinel/#watchlists---update-an-existing-watchlist-item
For example, poll Azure AD/MS Graph for the membership of those groups every few hours, then have the logic app keep it current
2. You could ingest those members (and potentially the group names if useful) to a custom table in Sentinel then use a join operator in your query. You can send custom data using the ingestion API or Azure Log Analytics Data Collector logic app - https://docs.microsoft.com/en-us/connectors/azureloganalyticsdatacollector/
So again, you could poll Azure AD/MS Graph, and send the data to Sentinel as a custom log, using the same example you could call it HighRiskUsers_CL. Then when you write your hunting query you want to join on matches between your brute force query and the HighRiskUsers_CL table -
let Alert1 =
SigninLogs
// <your brute force attack query>
| project UserPrincipalName
;
let HighRiskUsers =
HighRiskUsers_CL
// Columns sent through the Data Collector API get a type suffix (e.g. UserPrincipalName_s);
// use project-rename to strip it so the join key matches the SigninLogs column name
| project UserPrincipalName, HighRiskGroupName
;
Alert1
// join keys are case-sensitive; normalise with tolower() on both sides if casing can differ
| join kind=inner HighRiskUsers on UserPrincipalName
| project UserPrincipalName, HighRiskGroupName
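The reply above leaves the brute force detection itself as a placeholder and assumes the real SigninLogs table and a populated watchlist or custom table. The query below is an added example, not code from the original reply: it fills in one plausible brute force definition (five or more failed sign-ins with ResultType 50126, the bad-password code, for one UPN inside a 10-minute bin) and joins the result against the high-risk user list. The threshold, the result code, the sample users and every sign-in row are constructed for illustration; `datatable()` stands in for both SigninLogs and the HighRiskUsers source so the query runs stand-alone in any Log Analytics or Kusto workspace. To deploy it, delete the two `datatable` blocks and point `SampleSigninLogs` at `SigninLogs` and `HighRiskUsers` at `_GetWatchlist('HighRiskUsers')` or `HighRiskUsers_CL`.

```kusto
// Added example, not part of the original reply. Assumed parameters, adjust to taste.
let threshold = 5;                 // failed attempts per user per bin that count as brute force
let windowSize = 10m;              // fixed bin width used for counting
// Constructed stand-in for the watchlist / HighRiskUsers_CL table
let HighRiskUsers = datatable(UserPrincipalName:string, HighRiskGroupName:string)
[
    "alice@contoso.com", "GlobalAdmins",
    "bob@contoso.com",   "FinanceApprovers"
];
// Constructed stand-in for SigninLogs (real rows carry many more columns).
// alice: 5 failures then a success (password guessed); carol: 5 failures but not high risk;
// bob: high risk but only a single failure.
let SampleSigninLogs = datatable(TimeGenerated:datetime, UserPrincipalName:string, ResultType:string, IPAddress:string)
[
    datetime(2021-07-03 10:00:00), "alice@contoso.com", "50126", "203.0.113.10",
    datetime(2021-07-03 10:00:30), "alice@contoso.com", "50126", "203.0.113.10",
    datetime(2021-07-03 10:01:00), "alice@contoso.com", "50126", "203.0.113.10",
    datetime(2021-07-03 10:01:30), "Alice@contoso.com", "50126", "203.0.113.10",
    datetime(2021-07-03 10:02:00), "alice@contoso.com", "50126", "203.0.113.10",
    datetime(2021-07-03 10:02:30), "alice@contoso.com", "0",     "203.0.113.10",
    datetime(2021-07-03 10:05:00), "carol@contoso.com", "50126", "198.51.100.7",
    datetime(2021-07-03 10:05:10), "carol@contoso.com", "50126", "198.51.100.7",
    datetime(2021-07-03 10:05:20), "carol@contoso.com", "50126", "198.51.100.7",
    datetime(2021-07-03 10:05:30), "carol@contoso.com", "50126", "198.51.100.7",
    datetime(2021-07-03 10:05:40), "carol@contoso.com", "50126", "198.51.100.7",
    datetime(2021-07-03 11:00:00), "bob@contoso.com",   "50126", "203.0.113.10"
];
// Step 1: the brute force query. Normalise the UPN so mixed-case entries for the same
// account are counted together and later join the high-risk list regardless of casing.
let BruteForce = SampleSigninLogs
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | where ResultType == "50126"
    | summarize FailedAttempts = count(),
                SourceIPs = make_set(IPAddress),
                FirstFail = min(TimeGenerated),
                LastFail = max(TimeGenerated)
          by UserPrincipalName, WindowStart = bin(TimeGenerated, windowSize)
    | where FailedAttempts >= threshold;
// Step 2: did any sign-in for that user succeed after the burst? A success right after a
// run of failures is the case worth escalating first.
let Successes = SampleSigninLogs
    | where ResultType == "0"
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize FirstSuccess = min(TimeGenerated) by UserPrincipalName;
// Step 3: keep only users in the high-risk list and attach the group name
BruteForce
| join kind=inner (HighRiskUsers | extend UserPrincipalName = tolower(UserPrincipalName)) on UserPrincipalName
| join kind=leftouter Successes on UserPrincipalName
| extend SuccessAfterBurst = isnotempty(FirstSuccess) and FirstSuccess > LastFail
| project WindowStart, UserPrincipalName, HighRiskGroupName, FailedAttempts, SourceIPs, FirstFail, LastFail, SuccessAfterBurst
| order by SuccessAfterBurst desc, FailedAttempts desc
```

On the sample data this returns a single row: alice@contoso.com (GlobalAdmins), 5 failures in the 10:00 bin from 203.0.113.10, with SuccessAfterBurst true; carol is dropped by the inner join and bob never reaches the threshold. Two caveats to keep in mind when tuning it: `bin()` creates fixed windows, so a burst that straddles a bin boundary is split and may be undercounted (lower the threshold or add a second pass with a sliding window if that matters), and 50126 only catches wrong-password attempts; password spray against locked or MFA-protected accounts shows up under other ResultType codes, so widen the `where` clause to the codes that match your threat model.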
m_zorich
Jul 06, 2021Iron Contributor
Anytime! Your post actually made me test it out in my tenant - https://learnsentinel.blog/2021/07/04/enrich-hunting-with-data-from-ms-graph-and-azure-ad/
stianhoydal
Jul 06, 2021Copper Contributor
m_zorich Sweet, with a guide and everything. This will make a fine addition to my collection