Skip to content

Commit

Permalink
Merge pull request #130 from hesaad/main
Browse files Browse the repository at this point in the history 
Adding custom KQL Identity plugin
  • Loading branch information
@KwachSean
KwachSean authored Oct 22, 2024
2 parents 6a0df6b + 892df8c commit b5a987d
Show file tree
Hide file tree
Showing 2 changed files with 232 additions and 0 deletions.
209 changes: 209 additions & 0 deletions Plugins/Community Based Plugins/Identity/IdentitySecurityAnalyst.yml
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,209 @@
Descriptor:
Name: IdentitySecurityAnalyst
DisplayName: Identity Security Analyst plugin
Description: >
Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment,
Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review
SkillGroups:
- Format: KQL
Skills:
- Name: IdentityGetUserRiskAssesment
DisplayName: Get User Risk Assessment
Description: >
Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations,
repeated failed sign-in attempts, or other suspicious behavior.
ExamplePrompt:
- "Get all risky users"
- "Fetch risky users"
- "Run users risk assessment"
- "List all risky users"
Settings:
Target: Defender
Template: |-
// Query to fetch user risk events with sign-in details
let RiskyEvents = AADUserRiskEvents
| where TimeGenerated > ago(1d)
| project UserPrincipalName, RiskLevel, RiskEventType, TimeGenerated;
let SignInAttempts = SigninLogs
| where TimeGenerated > ago(1d) // Same time filter
| summarize AttemptCount = count(), FailedAttempts = sumif(1, ResultType != 0) by UserPrincipalName, Location = tostring(LocationDetails), IPAddress, TimeGenerated;
RiskyEvents
| join kind=inner (SignInAttempts) on UserPrincipalName
| where RiskLevel != "None" // Filter out non-risky users
| project UserPrincipalName, RiskLevel, RiskEventType, AttemptCount, FailedAttempts, Location, IPAddress, TimeGenerated
| order by RiskLevel desc, TimeGenerated desc
| take 1000
- Name: IdentityGetSignInMonitoring
DisplayName: Get Users Sign-in Activities
Description: >
Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and
device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat.
ExamplePrompt:
- "Get all sign-in activities"
- "Fetch all users sign-in activities"
- "List all users sign-in monitoring"
Settings:
Target: Defender
Template: |-
SigninLogs
| where TimeGenerated > ago(1d) // Filter for the last 1 day, adjust as necessary
| project
UserPrincipalName,
SignInStatus = iff(ResultType == 0, "Success", "Failure"),
FailureReason = iff(ResultType != 0, ResultDescription, "N/A"),
TimeGenerated,
Location = tostring(LocationDetails),
Device = tostring(DeviceDetail),
IPAddress,
ClientAppUsed,
OperatingSystem = tostring(DeviceDetail.operatingSystem),
Browser = tostring(DeviceDetail.browser)
| order by TimeGenerated desc
| take 1000
- Name: IdentityGetAdminActivityMonitoring
DisplayName: Get Admin Activities Monitoring
Description: >
Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers.
Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls.
ExamplePrompt:
- "Get all admin activities"
- "Fetch all admin activities"
- "List all admin monitoring events"
Settings:
Target: Defender
Template: |-
AuditLogs
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed
| where OperationName in (
"Add member to role",
"Remove member from role",
"Update user",
"Add application",
"Update application",
"Delete application",
"Add group",
"Update group",
"Delete group",
"Add directory role",
"Update directory role",
"Delete directory role",
"Update conditional access policy",
"Delete conditional access policy",
"Add conditional access policy",
"Update user privileges",
"Update access controls"
)
| extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| project
TimeGenerated,
OperationName,
AdminPrincipalName,
InitiatedByDetails = tostring(InitiatedBy.user),
TargetResources = tostring(TargetResources[0].displayName),
PrincipalNameFull = tostring(TargetResources[0].userPrincipalName),
TargetType = tostring(TargetResources[0].type),
ActivityDetails = tostring(ActivityDisplayName),
Result
| order by TimeGenerated desc
| take 1000
- Name: IdentityGetApplicationUsageMonitoring
DisplayName: Get Application Usage Monitoring
Description: >
Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization.
Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours,
could indicate a potential security issue.
ExamplePrompt:
- "Get all applications usage"
- "Fetch all applications activities"
- "List all applications usage monitoring"
Settings:
Target: Defender
Template: |-
SigninLogs
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed
| where AppDisplayName != "" // Only consider records with application usage
| summarize
SignInCount = count(),
UniqueUsers = dcount(UserPrincipalName),
Downloads = sumif(1, ClientAppUsed == "Browser" or ClientAppUsed == "Mobile apps and desktop clients")
by AppDisplayName, bin(TimeGenerated, 1d) // Aggregate data daily
| project
TimeGenerated,
AppDisplayName,
SignInCount,
UniqueUsers,
Downloads
| order by TimeGenerated desc
| take 1000
- Name: IdentityPIMMonitoring
DisplayName: Get Privileged Identity Management (PIM) Monitoring
Description: >
Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization.
This includes the creation, modification, and deletion of privileged accounts.
ExamplePrompt:
- "Get all PIM activities"
- "Fetch all Privileged identities activities"
- "List all Privileged identity management monitoring events"
Settings:
Target: Defender
Template: |-
AuditLogs
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed
| where Category contains "PIM" or Category contains "PrivilegedIdentity" or InitiatedBy.app.displayName contains "MS-PIM" // Filter for Privileged Identity Management related activities
| where OperationName in (
"Add member to role",
"Remove member from role",
"Update role",
"Add role assignment",
"Remove role assignment",
"Activate role",
"Deactivate role"
)
| extend AdminPrincipalName = tostring(InitiatedBy.user.userPrincipalName)
| project
TimeGenerated,
OperationName,
AdminPrincipalName,
InitdName = tostring(InitiatedBy.app.displayName),
InitiPrinName = tostring(InitiatedBy.app.servicePrincipalName),
InitiPrinID = tostring(InitiatedBy.app.servicePrincipalId),
TargetUser = tostring(TargetResources[0].userPrincipalName),
RoleName = tostring(TargetResources[0].displayName),
ActivityDetails = tostring(ActivityDisplayName),
Result
| order by TimeGenerated desc
| take 1000
- Name: IdentityAccessReviewMonitoring
DisplayName: Get Access Review Monitoring
Description: >
Fetches Access Review logs to regularly review user access to various resources within your organization.
This can help ensure that users only have access to the resources they need for their job functions,
reducing the risk of insider threats.
ExamplePrompt:
- "Get all access review activities"
- "Fetch all access review activities"
- "List all access review monitoring events"
Settings:
Target: Defender
Template: |-
AuditLogs
| where TimeGenerated > ago(1d) // Filter for the last 1 days; adjust as needed
| where OperationName startswith "Access Review" or Category contains "Access Review" // Filter for Access Review related activities
| project
TimeGenerated,
OperationName,
InitiatedBy = tostring(InitiatedBy.user.userPrincipalName),
TargetUser = tostring(TargetResources[0].userPrincipalName),
TargetDisplayName = tostring(TargetResources[0].displayName),
TargetResourceType = tostring(TargetResources[0].type),
ActivityDetails = tostring(ActivityDisplayName),
Result,
CorrelationId
| order by TimeGenerated desc
| take 1000
23 changes: 23 additions & 0 deletions Plugins/Community Based Plugins/Identity/readme.md
View file
Original file line number Diff line number Diff line change
@@ -0,0 +1,23 @@
# Custom Identity Security Analyst plugin for Copilot for Security

The custom Identity Security skills to query Identity events for detection and forensics hunting across User Risk Assessment, Sign-in Monitoring, Admin Activity Monitoring, Application Usage Monitoring, Privileged Identity Management, Access Review:

## Key Features

### User Risk Assessment
Fetches the user risk levels based on their activities. This could include sign-in attempts from unfamiliar locations, repeated failed sign-in attempts, or other suspicious behavior.

### Users Sign-in activities
Fetches all user sign-in activities. This includes successful sign-ins, failed attempts, and the location and device used for sign-in. Any unusual sign-in activity could be a sign of a potential security threat.

### Admin activities monitoring
Fetches Admin Activity Monitoring logs. Admin accounts have high-level access and can be a prime target for attackers. Monitor all admin activities, especially those involving changes to security settings, user privileges, or access controls.

### Applications usage monitoring
Fetches Application Usage Monitoring logs to keep an eye on the usage of applications within your organization. Unusual application activity, such as a high number of downloads or an increase in usage outside of normal business hours, could indicate a potential security issue.

### Privileged Identity Management (PIM) monitoring
Fetches Privileged Identity Management logs to monitor the lifecycle of privileged identities within your organization. This includes the creation, modification, and deletion of privileged accounts.

### Access Review monitoring
Fetches Access Review logs to regularly review user access to various resources within your organization. This can help ensure that users only have access to the resources they need for their job functions, reducing the risk of insider threats.

0 comments on commit b5a987d

Please sign in to comment.