Adding new Authentication Alert (#2746)

* renaming M365Defender to comply conventions
2021-07-27 18:46:56 +03:00 · 2021-07-27 18:46:56 +03:00 · 294fe33f20
--- a/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json
@ -1,6 +1,10 @@
 {
  "Name": "imAuthentication",
  "Properties": [
+    {
+      "Name": "Type",
+      "Type": "string"
+    },
    {
      "Name": "EventProduct",
      "Type": "string"
--- a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
+++ b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
@ -0,0 +1,52 @@
+id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
+name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
+description: |
+  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
+  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)'
+severity: Medium
+requiredDataConnectors: []
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+  - Persistence
+relevantTechniques:
+  - T1078
+  - T1098
+tags:
+  - Id: 500c103a-0319-4d56-8e99-3cec8d860757
+  - version: 1.0.0
+query: |
+  imAuthentication
+  | where EventResult =='Failure'
+  | where EventResultDetails == 'User disabled'
+  | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
+        , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
+        , applicationsTargeted = dcount(TargetAppName)
+        , applicationSet = make_set(TargetAppName) 
+        by SrcDvcIpAddr, Type
+  | order by disabledAccountLoginAttempts desc
+  | join kind=leftouter 
+      (
+      // Consider these IPs suspicious - and alert any related  successful sign-ins
+      imAuthentication
+      | where EventResult=='Success'
+      | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
+      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
+      | where successfulAccountSigninCount < 100
+      )
+      on SrcDvcIpAddr
+  | where isnotempty(successfulAccountSigninCount)
+  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
+  successfulAccountSigninCount, successfulAccountSigninSet, Type
+  | order by disabledAccountLoginAttempts
+  | extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr
+
+entityMappings:
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IPCustomEntity
+version: 1.0.0
--- a/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json
--- a/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/README.md
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/README.md
@ -12,4 +12,4 @@ For more information, see:
 <br>
 

-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365D%2FAuthenticationM365D.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365Defender%2FAuthenticationM365Defender.json)