From 294fe33f2008b81441955ed206bbf5a2167326a8 Mon Sep 17 00:00:00 2001
From: Yaron <49263271+YaronFruchtmann@users.noreply.github.com>
Date: Tue, 27 Jul 2021 18:46:56 +0300
Subject: [PATCH] Adding new Authentication Alert (#2746)

* renaming M365Defender to comply conventions
---
.../CustomTables/imAuthentication.json | 4 ++
...SigninAttemptsByIPviaDisabledAccounts.yaml | 52 +++++++++++++++++++
.../AuthenticationM365Defender.json} | 0
.../README.md | 2 +-
4 files changed, 57 insertions(+), 1 deletion(-)
create mode 100644 Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
rename Parsers/ASimAuthentication/ARM/{AuthenticationM365D/AuthenticationM365D.json => AuthenticationM365Defender/AuthenticationM365Defender.json} (100%)
rename Parsers/ASimAuthentication/ARM/{AuthenticationM365D => AuthenticationM365Defender}/README.md (89%)

diff --git a/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json b/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json
index 4746b383b2..1c4b39b304 100644
--- a/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json
+++ b/.script/tests/KqlvalidationsTests/CustomTables/imAuthentication.json
@@ -1,6 +1,10 @@
 {
 "Name": "imAuthentication",
 "Properties": [
+ {
+ "Name": "Type",
+ "Type": "string"
+ },
 {
 "Name": "EventProduct",
 "Type": "string"
diff --git a/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
new file mode 100644
index 0000000000..c12a3f8bf2
--- /dev/null
+++ b/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
@@ -0,0 +1,52 @@
+id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
+name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
+description: |
+ 'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
+ To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/AzSentinelAuthentication)'
+severity: Medium
+requiredDataConnectors: []
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+ - InitialAccess
+ - Persistence
+relevantTechniques:
+ - T1078
+ - T1098
+tags:
+ - Id: 500c103a-0319-4d56-8e99-3cec8d860757
+ - version: 1.0.0
+query: |
+ imAuthentication
+ | where EventResult =='Failure'
+ | where EventResultDetails == 'User disabled'
+ | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
+ , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
+ , applicationsTargeted = dcount(TargetAppName)
+ , applicationSet = make_set(TargetAppName)
+ by SrcDvcIpAddr, Type
+ | order by disabledAccountLoginAttempts desc
+ | join kind=leftouter
+ (
+ // Consider these IPs suspicious - and alert any related successful sign-ins
+ imAuthentication
+ | where EventResult=='Success'
+ | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
+ // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
+ | where successfulAccountSigninCount < 100
+ )
+ on SrcDvcIpAddr
+ | where isnotempty(successfulAccountSigninCount)
+ | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet,
+ successfulAccountSigninCount, successfulAccountSigninSet, Type
+ | order by disabledAccountLoginAttempts
+ | extend timestamp = StartTime, IPCustomEntity = SrcDvcIpAddr
+
+entityMappings:
+ - entityType: IP
+ fieldMappings:
+ - identifier: Address
+ columnName: IPCustomEntity
+version: 1.0.0
diff --git a/Parsers/ASimAuthentication/ARM/AuthenticationM365D/AuthenticationM365D.json b/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json
similarity index 100%
rename from Parsers/ASimAuthentication/ARM/AuthenticationM365D/AuthenticationM365D.json
rename to Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/AuthenticationM365Defender.json
diff --git a/Parsers/ASimAuthentication/ARM/AuthenticationM365D/README.md b/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/README.md
similarity index 89%
rename from Parsers/ASimAuthentication/ARM/AuthenticationM365D/README.md
rename to Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/README.md
index 024bd04d0b..76256aa1e5 100644
--- a/Parsers/ASimAuthentication/ARM/AuthenticationM365D/README.md
+++ b/Parsers/ASimAuthentication/ARM/AuthenticationM365Defender/README.md
@@ -12,4 +12,4 @@ For more information, see:
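Review bot: The join is `on SrcDvcIpAddr` only while both sides are summarized `by SrcDvcIpAddr, Type`, so an IP seen under more than one `Type` is paired with every other `Type`'s success row, which multiplies alert rows per IP and leaves the right-hand `Type` as an unused `Type1` column; either join `on SrcDvcIpAddr, Type` or drop `Type` from both `by` clauses if correlation across sources is the intent. `| join kind=leftouter` followed by `| where isnotempty(successfulAccountSigninCount)` is an inner join written in two steps; `| join kind=inner` states that directly and the `where` can go. The `| order by disabledAccountLoginAttempts desc` before the join is not guaranteed to survive it, and the final `| order by disabledAccountLoginAttempts` sorts ascending so the noisiest IPs land last; that line should read `| order by disabledAccountLoginAttempts desc`. `makeset(TargetUsername, 15)` on the inner side and `make_set(TargetUsername)` on the outer side are the old and current spelling of the same function; `make_set` in both keeps the query consistent. The `< 100` cut-off is explained only in an inline comment; a sentence in `description` saying that IPs with successful sign-ins across 100 or more distinct accounts are treated as shared and excluded would tell operators what tuning this rule expects.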
-[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365D%2FAuthenticationM365D.json)
+[![Deploy to Azure](https://aka.ms/deploytoazurebutton)](https://portal.azure.com/#create/Microsoft.Template/uri/https%3A%2F%2Fraw.githubusercontent.com%2FAzure%2FAzure-Sentinel%2Fmaster%2FParsers%2FASimAuthentication%2FARM%2FAuthenticationM365Defender%2FAuthenticationM365Defender.json)