From 892df8c04dc8335acbcd7170e1bc1fb5a9928cf2 Mon Sep 17 00:00:00 2001 From: hesaad <39443323+hesaad@users.noreply.github.com> Date: Mon, 21 Oct 2024 19:42:59 +0400 Subject: [PATCH] Adding custom KQL Identity plugin --- .../Identity/IdentitySecurityAnalyst.yml | 209 ++++++++++++++++++ .../Identity/readme.md | 23 ++ 2 files changed, 232 insertions(+) create mode 100644 Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml create mode 100644 Plugins/Community Based Plugins/Identity/readme.md diff --git a/Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml b/Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml new file mode 100644 index 00000000..eb324c34 --- /dev/null +++ b/Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml @@ -0,0 +1,209 @@ +Descriptor: + Name: IdentitySecurityAnalyst + DisplayName: Identity Security Analyst plugin + Description: > + Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment, + Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review + +SkillGroups: + - Format: KQL + Skills: + - Name: IdentityGetUserRiskAssesment + DisplayName: Get User Risk Assessment + Description: > + Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, + repeated failed sign-in attempts, or other suspicious behavior. + ExamplePrompt: + - "Get all risky users" + - "Fetch risky users" + - "Run users risk assessment" + - "List all risky users" + Settings: + Target: Defender + Template: |- + // Query to fetch user risk events with sign-in details + let RiskyEvents = AADUserRiskEvents + | where TimeGenerated > ago(1d) + | project UserPrincipalName, RiskLevel, RiskEventType, TimeGenerated; + let SignInAttempts = SigninLogs + | where TimeGenerated > ago(1d) // Same time filter + | summarize AttemptCount = count(), FailedAttempts = sumif(1, ResultType != 0) by UserPrincipalName, Location = tostring(LocationDetails), IPAddress, TimeGenerated; + RiskyEvents + | join kind=inner (SignInAttempts) on UserPrincipalName + | where RiskLevel != "None" // Filter out non-risky users + | project UserPrincipalName, RiskLevel, RiskEventType, AttemptCount, FailedAttempts, Location, IPAddress, TimeGenerated + | order by RiskLevel desc, TimeGenerated desc + | take 1000 + + - Name: IdentityGetSignInMonitoring + DisplayName: Get Users Sign-in Activities + Description: > + Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and + device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat. + ExamplePrompt: + - "Get all sign-in activities" + - "Fetch all users sign-in activities" + - "List all users sign-in monitoring" + Settings: + Target: Defender + Template: |- + SigninLogs + | where TimeGenerated > ago(1d) // Filter for the last 1 day, adjust as necessary + | project + UserPrincipalName, + SignInStatus = iff(ResultType == 0, "Success", "Failure"), + FailureReason = iff(ResultType != 0, ResultDescription, "N/A"), + TimeGenerated, + Location = tostring(LocationDetails), + Device = tostring(DeviceDetail), + IPAddress, + ClientAppUsed, + OperatingSystem = tostring(DeviceDetail.operatingSystem), + Browser = tostring(DeviceDetail.browser) + | order by TimeGenerated desc + | take 1000 + + - Name: IdentityGetAdminActivityMonitoring + DisplayName: Get Admin Activities Monitoring + Description: > + Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. + Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls. + ExamplePrompt: + - "Get all admin activities" + - "Fetch all admin activities" + - "List all admin monitoring events" + Settings: + Target: Defender + Template: |- + AuditLogs + | where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed + | where OperationName in ( + "Add member to role", + "Remove member from role", + "Update user", + "Add application", + "Update application", + "Delete application", + "Add group", + "Update group", + "Delete group", + "Add directory role", + "Update directory role", + "Delete directory role", + "Update conditional access policy", + "Delete conditional access policy", + "Add conditional access policy", + "Update user privileges", + "Update access controls" + ) + | extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | project + TimeGenerated, + OperationName, + AdminPrincipalName, + InitiatedByDetails = tostring(InitiatedBy.user), + TargetResources = tostring(TargetResources[0].displayName), + PrincipalNameFull = tostring(TargetResources[0].userPrincipalName), + TargetType = tostring(TargetResources[0].type), + ActivityDetails = tostring(ActivityDisplayName), + Result + | order by TimeGenerated desc + | take 1000 + + - Name: IdentityGetApplicationUsageMonitoring + DisplayName: Get Application Usage Monitoring + Description: > + Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. + Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, + could indicate a potential security issue. + ExamplePrompt: + - "Get all applications usage" + - "Fetch all applications activities" + - "List all applications usage monitoring" + Settings: + Target: Defender + Template: |- + SigninLogs + | where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed + | where AppDisplayName != "" // Only consider records with application usage + | summarize + SignInCount = count(), + UniqueUsers = dcount(UserPrincipalName), + Downloads = sumif(1, ClientAppUsed == "Browser" or ClientAppUsed == "Mobile apps and desktop clients") + by AppDisplayName, bin(TimeGenerated, 1d) // Aggregate data daily + | project + TimeGenerated, + AppDisplayName, + SignInCount, + UniqueUsers, + Downloads + | order by TimeGenerated desc + | take 1000 + + - Name: IdentityPIMMonitoring + DisplayName: Get Privileged Identity Management (PIM) Monitoring + Description: > + Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. + This includes the creation, modification, and deletion of privileged accounts. + ExamplePrompt: + - "Get all PIM activities" + - "Fetch all Privileged identities activities" + - "List all Privileged identity management monitoring events" + Settings: + Target: Defender + Template: |- + AuditLogs + | where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed + | where Category contains "PIM" or Category contains "PrivilegedIdentity" or InitiatedBy.app.displayName contains "MS-PIM" // Filter for Privileged Identity Management related activities + | where OperationName in ( + "Add member to role", + "Remove member from role", + "Update role", + "Add role assignment", + "Remove role assignment", + "Activate role", + "Deactivate role" + ) + | extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName) + | project + TimeGenerated, + OperationName, + AdminPrincipalName, + InitdName = tostring(InitiatedBy.app.displayName), + InitiPrinName = tostring(InitiatedBy.app.servicePrincipalName), + InitiPrinID = tostring(InitiatedBy.app.servicePrincipalId), + TargetUser = tostring(TargetResources[0].userPrincipalName), + RoleName = tostring(TargetResources[0].displayName), + ActivityDetails = tostring(ActivityDisplayName), + Result + | order by TimeGenerated desc + | take 1000 + + - Name: IdentityAccessReviewMonitoring + DisplayName: Get Access Review Monitoring + Description: > + Fetches Access Review logs to regularly review user access to various resources within your organization. + This can help ensure that users only have access to the resources they need for their job functions, + reducing the risk of insider threats. + ExamplePrompt: + - "Get all access review activities" + - "Fetch all access review activities" + - "List all access review monitoring events" + Settings: + Target: Defender + Template: |- + AuditLogs + | where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed + | where OperationName startswith "Access Review" or Category contains "Access Review" // Filter for Access Review related activities + | project + TimeGenerated, + OperationName, + InitiatedBy = tostring(InitiatedBy.user.userPrincipalName), + TargetUser = tostring(TargetResources[0].userPrincipalName), + TargetDisplayName = tostring(TargetResources[0].displayName), + TargetResourceType = tostring(TargetResources[0].type), + ActivityDetails = tostring(ActivityDisplayName), + Result, + CorrelationId + | order by TimeGenerated desc + | take 1000 \ No newline at end of file diff --git a/Plugins/Community Based Plugins/Identity/readme.md b/Plugins/Community Based Plugins/Identity/readme.md new file mode 100644 index 00000000..67e93c5f --- /dev/null +++ b/Plugins/Community Based Plugins/Identity/readme.md @@ -0,0 +1,23 @@ +# Custom Identity Security Analyst plugin for Copilot for Security + +The custom Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment, Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review: + +## Key Features + +### User Risk Assessment +Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior. + +### Users Sign-in activities +Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat. + +### Admin activities monitoring +Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls. + +### Applications usage monitoring +Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue. + +### Privileged Identity Management (PIM) monitoring +Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts. + +### Access Review monitoring +Fetches Access Review logs to regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats. \ No newline at end of file