-
Notifications
You must be signed in to change notification settings - Fork 16
/
PasswordResetOnHighPrivilegedUser.yaml
55 lines (54 loc) · 1.68 KB
/
PasswordResetOnHighPrivilegedUser.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
id: c6c052b7-29a8-41d6-89f0-ed1e8ddebb53
name: "Password reset on high privileged user "
version: 1.0.0
kind: Scheduled
description: |-
The password of a user that is member of a high privileged role was reset.
Make sure that this action was intended
severity: Medium
queryFrequency: 3h
queryPeriod: 3h
triggerOperator: gt
triggerThreshold: 0
tactics:
- PrivilegeEscalation
query: |-
let HighPrivRoles = dynamic(["Global Administrator", "Company Administrator", "Privileged Authentication Administrator", "Privileged Role Administrator"]);
AuditLogs
| where OperationName == "Reset user password"
| mv-expand TargetResources
| extend TargetUsername = tostring(TargetResources.userPrincipalName)
| join kind=innerunique (
IdentityInfo
| where TimeGenerated > ago(14d)
)
on $left.TargetUsername == $right.AccountUPN
| mv-expand AssignedRoles
| extend AssignedRoles = tostring(AssignedRoles)
| where AssignedRoles in (HighPrivRoles)
| summarize by TimeGenerated, TargetUsername, AssignedRoles, OperationName, AADUserId=AccountObjectId
suppressionEnabled: false
incidentConfiguration:
createIncident: true
groupingConfiguration:
enabled: false
reopenClosedIncident: false
lookbackDuration: 5h
matchingMethod: AllEntities
groupByEntities: []
groupByAlertDetails: []
groupByCustomDetails: []
eventGroupingSettings:
aggregationKind: AlertPerResult
customDetails:
AssignedRole: AssignedRoles
entityMappings:
- entityType: Account
fieldMappings:
- identifier: AadUserId
columnName: AADUserId
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: TargetUsername
suppressionDuration: 5h