TEAM: Huntress SIEM
PRODUCT: Huntress Managed SIEM
ENVIRONMENT: ITDR
SUMMARY: Starter Queries for Azure Active Directory
Query List
Failed Authentication Attempts
Global Admin Role Assignments
Enabling/Disabling Multi-Factor Authentication
Failed Authentication Attempts
Description
This search returns authentication failures against Azure Active Directory accounts and systems. Additional filters can be applied to limit results to specific failure reasons.
Search Query
from logs
| where event.provider=="ITDR"
| where itdr.Operation=="UserLoginFailed"
| keep itdr.UserKey, itdr.UserId, itdr.ClientIP, itdr.LogonError
Additional Filters
The additional "where" clause restricts the reason for failure to conditional access failures.
from logs
| where event.provider=="ITDR"
| where itdr.Operation=="UserLoginFailed"
| where itdr.ErrorNumber=="50131" OR itdr.ErrorNumber=="53003" OR itdr.ErrorNumber=="530032"
| keep itdr.UserKey, itdr.UserId, itdr.ClientIP, itdr.LogonError
Kept Field Breakdown
| Field | Description |
|---|---|
| itdr.UserKey | An alternate ID for the account when a UPN is not present/available. |
| itdr.UserId | The User Principal Name (UPN) of the account that attempted to authenticate. |
| itdr.ClientIP | The source IP of the authentication attempt. |
| itdr.LogonError | A description for why the authentication attempt failed. |
Global Admin Role Assignments
Description
This search returns results showing an Azure account being added to the Global Administrator role. This role grants admin permissions across the entire tenant and all services hosted within. Instances where this occurs as part of normal, background activity are excluded.
Search Query
from logs
| where event.provider=="ITDR"
| where itdr.Operation=="Add member to role."
| where itdr.ModifiedProperties LIKE "%Global Administrator%"
| where itdr.UserType!="4"
| keep itdr.UserId, itdr.ObjectId
Kept Field Breakdown
| Field | Description |
|---|---|
| itdr.UserId | The account that performed the action. |
| itdr.ObjectId | The account that was added to the Global Administrator role. |
Enabling/Disabling Multi-Factor Authentication
Description
This search returns changes made to an account’s multi-factor authentication state. This is frequently done by system processes as part of account onboarding and off-boarding. Any instances of non-system accounts performing this activity
Search Query
from logs
| where event.provider=="ITDR"
| where itdr.Operation=="Enable Strong Authentication." OR itdr.Operation=="Disable Strong Authentication."
| keep itdr.Operation, itdr.UserId, itdr.UserType, itdr.ObjectId
Additional Filter Options
Removes instances where the account performing the action is a system account.
from logs
| where event.provider=="ITDR"
| where itdr.Operation=="Enable Strong Authentication." OR itdr.Operation=="Disable Strong Authentication."
| where itdr.UserType!="4"
| keep itdr.Operation, itdr.UserId, itdr.UserType, itdr.ObjectId
Kept Field Breakdown
| Field | Description |
|---|---|
| itdr.Operation | The operation performed. Indicates whether MFA was added or removed from the target account. |
| itdr.UserId | The User Principal Name (UPN) of the account that performed the action. |
| itdr.UserType | The type of account that performed the action. Types are defined here. |
| itdr.ObjectId | The UPN of the account that was modified. |