-
Notifications
You must be signed in to change notification settings - Fork 168
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Merge pull request #130 from hesaad/main
Adding custom KQL Identity plugin
- Loading branch information
Showing
2 changed files
with
232 additions
and
0 deletions.
There are no files selected for viewing
209 changes: 209 additions & 0 deletions
209
Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,209 @@ | ||
Descriptor: | ||
Name: IdentitySecurityAnalyst | ||
DisplayName: Identity Security Analyst plugin | ||
Description: > | ||
Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment, | ||
Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review | ||
SkillGroups: | ||
- Format: KQL | ||
Skills: | ||
- Name: IdentityGetUserRiskAssesment | ||
DisplayName: Get User Risk Assessment | ||
Description: > | ||
Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, | ||
repeated failed sign-in attempts, or other suspicious behavior. | ||
ExamplePrompt: | ||
- "Get all risky users" | ||
- "Fetch risky users" | ||
- "Run users risk assessment" | ||
- "List all risky users" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
// Query to fetch user risk events with sign-in details | ||
let RiskyEvents = AADUserRiskEvents | ||
| where TimeGenerated > ago(1d) | ||
| project UserPrincipalName, RiskLevel, RiskEventType, TimeGenerated; | ||
let SignInAttempts = SigninLogs | ||
| where TimeGenerated > ago(1d) // Same time filter | ||
| summarize AttemptCount = count(), FailedAttempts = sumif(1, ResultType != 0) by UserPrincipalName, Location = tostring(LocationDetails), IPAddress, TimeGenerated; | ||
RiskyEvents | ||
| join kind=inner (SignInAttempts) on UserPrincipalName | ||
| where RiskLevel != "None" // Filter out non-risky users | ||
| project UserPrincipalName, RiskLevel, RiskEventType, AttemptCount, FailedAttempts, Location, IPAddress, TimeGenerated | ||
| order by RiskLevel desc, TimeGenerated desc | ||
| take 1000 | ||
- Name: IdentityGetSignInMonitoring | ||
DisplayName: Get Users Sign-in Activities | ||
Description: > | ||
Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and | ||
device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat. | ||
ExamplePrompt: | ||
- "Get all sign-in activities" | ||
- "Fetch all users sign-in activities" | ||
- "List all users sign-in monitoring" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
SigninLogs | ||
| where TimeGenerated > ago(1d) // Filter for the last 1 day, adjust as necessary | ||
| project | ||
UserPrincipalName, | ||
SignInStatus = iff(ResultType == 0, "Success", "Failure"), | ||
FailureReason = iff(ResultType != 0, ResultDescription, "N/A"), | ||
TimeGenerated, | ||
Location = tostring(LocationDetails), | ||
Device = tostring(DeviceDetail), | ||
IPAddress, | ||
ClientAppUsed, | ||
OperatingSystem = tostring(DeviceDetail.operatingSystem), | ||
Browser = tostring(DeviceDetail.browser) | ||
| order by TimeGenerated desc | ||
| take 1000 | ||
- Name: IdentityGetAdminActivityMonitoring | ||
DisplayName: Get Admin Activities Monitoring | ||
Description: > | ||
Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. | ||
Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls. | ||
ExamplePrompt: | ||
- "Get all admin activities" | ||
- "Fetch all admin activities" | ||
- "List all admin monitoring events" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
AuditLogs | ||
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed | ||
| where OperationName in ( | ||
"Add member to role", | ||
"Remove member from role", | ||
"Update user", | ||
"Add application", | ||
"Update application", | ||
"Delete application", | ||
"Add group", | ||
"Update group", | ||
"Delete group", | ||
"Add directory role", | ||
"Update directory role", | ||
"Delete directory role", | ||
"Update conditional access policy", | ||
"Delete conditional access policy", | ||
"Add conditional access policy", | ||
"Update user privileges", | ||
"Update access controls" | ||
) | ||
| extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName) | ||
| project | ||
TimeGenerated, | ||
OperationName, | ||
AdminPrincipalName, | ||
InitiatedByDetails = tostring(InitiatedBy.user), | ||
TargetResources = tostring(TargetResources[0].displayName), | ||
PrincipalNameFull = tostring(TargetResources[0].userPrincipalName), | ||
TargetType = tostring(TargetResources[0].type), | ||
ActivityDetails = tostring(ActivityDisplayName), | ||
Result | ||
| order by TimeGenerated desc | ||
| take 1000 | ||
- Name: IdentityGetApplicationUsageMonitoring | ||
DisplayName: Get Application Usage Monitoring | ||
Description: > | ||
Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. | ||
Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, | ||
could indicate a potential security issue. | ||
ExamplePrompt: | ||
- "Get all applications usage" | ||
- "Fetch all applications activities" | ||
- "List all applications usage monitoring" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
SigninLogs | ||
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed | ||
| where AppDisplayName != "" // Only consider records with application usage | ||
| summarize | ||
SignInCount = count(), | ||
UniqueUsers = dcount(UserPrincipalName), | ||
Downloads = sumif(1, ClientAppUsed == "Browser" or ClientAppUsed == "Mobile apps and desktop clients") | ||
by AppDisplayName, bin(TimeGenerated, 1d) // Aggregate data daily | ||
| project | ||
TimeGenerated, | ||
AppDisplayName, | ||
SignInCount, | ||
UniqueUsers, | ||
Downloads | ||
| order by TimeGenerated desc | ||
| take 1000 | ||
- Name: IdentityPIMMonitoring | ||
DisplayName: Get Privileged Identity Management (PIM) Monitoring | ||
Description: > | ||
Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. | ||
This includes the creation, modification, and deletion of privileged accounts. | ||
ExamplePrompt: | ||
- "Get all PIM activities" | ||
- "Fetch all Privileged identities activities" | ||
- "List all Privileged identity management monitoring events" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
AuditLogs | ||
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed | ||
| where Category contains "PIM" or Category contains "PrivilegedIdentity" or InitiatedBy.app.displayName contains "MS-PIM" // Filter for Privileged Identity Management related activities | ||
| where OperationName in ( | ||
"Add member to role", | ||
"Remove member from role", | ||
"Update role", | ||
"Add role assignment", | ||
"Remove role assignment", | ||
"Activate role", | ||
"Deactivate role" | ||
) | ||
| extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName) | ||
| project | ||
TimeGenerated, | ||
OperationName, | ||
AdminPrincipalName, | ||
InitdName = tostring(InitiatedBy.app.displayName), | ||
InitiPrinName = tostring(InitiatedBy.app.servicePrincipalName), | ||
InitiPrinID = tostring(InitiatedBy.app.servicePrincipalId), | ||
TargetUser = tostring(TargetResources[0].userPrincipalName), | ||
RoleName = tostring(TargetResources[0].displayName), | ||
ActivityDetails = tostring(ActivityDisplayName), | ||
Result | ||
| order by TimeGenerated desc | ||
| take 1000 | ||
- Name: IdentityAccessReviewMonitoring | ||
DisplayName: Get Access Review Monitoring | ||
Description: > | ||
Fetches Access Review logs to regularly review user access to various resources within your organization. | ||
This can help ensure that users only have access to the resources they need for their job functions, | ||
reducing the risk of insider threats. | ||
ExamplePrompt: | ||
- "Get all access review activities" | ||
- "Fetch all access review activities" | ||
- "List all access review monitoring events" | ||
Settings: | ||
Target: Defender | ||
Template: |- | ||
AuditLogs | ||
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed | ||
| where OperationName startswith "Access Review" or Category contains "Access Review" // Filter for Access Review related activities | ||
| project | ||
TimeGenerated, | ||
OperationName, | ||
InitiatedBy = tostring(InitiatedBy.user.userPrincipalName), | ||
TargetUser = tostring(TargetResources[0].userPrincipalName), | ||
TargetDisplayName = tostring(TargetResources[0].displayName), | ||
TargetResourceType = tostring(TargetResources[0].type), | ||
ActivityDetails = tostring(ActivityDisplayName), | ||
Result, | ||
CorrelationId | ||
| order by TimeGenerated desc | ||
| take 1000 |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,23 @@ | ||
# Custom Identity Security Analyst plugin for Copilot for Security | ||
|
||
The custom Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment, Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review: | ||
|
||
## Key Features | ||
|
||
### User Risk Assessment | ||
Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior. | ||
|
||
### Users Sign-in activities | ||
Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat. | ||
|
||
### Admin activities monitoring | ||
Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls. | ||
|
||
### Applications usage monitoring | ||
Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue. | ||
|
||
### Privileged Identity Management (PIM) monitoring | ||
Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts. | ||
|
||
### Access Review monitoring | ||
Fetches Access Review logs to regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats. |