Forum Discussion

stianhoydal's avatar
stianhoydal
Copper Contributor
Jun 30, 2021
Solved

KQL query for brute force against users in certain AAD groups

Greetings.  I am trying to figure out a way to search for brute force attacks against users that are part of certain AAD groups. So far I have found that i can utilize brute force queries already a...
  • m_zorich's avatar
    m_zorich
    Jul 03, 2021

    You could do this in a few ways, you may need to test to see what works best for you environment. The issue you are facing is that the AuditLogs table will only track changes to groups, you want to query log data (your brute force attack query) vs static data (group membership)

    1. Add the users to a watchlist - https://docs.microsoft.com/en-us/azure/sentinel/watchlists

    You could upload an initial csv to the watchlist that contains the userprincipalnames of the users who are in the groups you care about. In this example a watchlist called HighRiskUsers with userprincipalname as a column header. You then include being in that watchlist as part of your query -

    let watchlist = (_GetWatchlist('HighRiskUsers') | project UserPrincipalName);
    SigninLogs
    *your brute force query here*
    | where UserPrincipalName in (watchlist)

    You could then use a logic app to keep that watchlist current - https://docs.microsoft.com/en-us/connectors/azuresentinel/#watchlists---update-an-existing-watchlist-item

    For example, poll Azure AD/MS Graph for the membership of those groups every few hours, then have the logic app keep it current

    2. You could ingest those members (and potentially the group names if useful) to a custom table in Sentinel then use a join operator in your query. You can send custom data using the ingestion API or Azure Log Analytics Data Collector logic app - https://docs.microsoft.com/en-us/connectors/azureloganalyticsdatacollector/

    So again, you could poll Azure AD/MS Graph, and send the data to Sentinel as a custom log, using the same example you could call it HighRiskUsers_CL. Then when you write your hunting query you want to join on matches between your brute force query and the HighRiskUsers_CL table -

    let Alert1 =
    SigninLogs
    <your brute force attack query>
    | project UserPrincipalName
    ;
    let HighRiskUsers =
    HighRiskUsers_CL
    | project UserPrincipalName, HighRiskGroupName
    ;
    Alert1
    | join kind=inner HighRiskUsers on UserPrincipalName
    | project UserPrincipalName, HighRiskGroupName

stianhoydal's avatar
stianhoydal
Copper Contributor
Jul 06, 2021

m_zorich Sweet, with a guide and everything. This will make a fine addition to my collection :lol:

Resources