UEBA Essentials solution now available in Content Hub!

This post has been republished via RSS; it originally appeared at Microsoft Tech Community - Latest Blogs.

Microsoft Sentinel User and Entity Behavior Analytics (UEBA) allows security teams to identify threats that elude classic detection methods. It does this by building baseline behavioral profiles of your organization’s entities (users, hosts, IP addresses and applications) over time and relative to their peer groups, and then flagging activity that deviates from that baseline. It can also estimate the relative sensitivity of particular assets, identify peer groups of assets, and evaluate the potential impact of any given compromised asset (its “blast radius”).

Our UEBA engine stores these insights and anomalies in several tables in the Microsoft Sentinel workspace (BehaviorAnalytics and IdentityInfo are the ones used below). You can query them with KQL from any Microsoft Sentinel experience: analytics rules, hunting queries, workbooks, or plain log exploration.

Today we are announcing the new UEBA Essentials solution, available in Content Hub, which packages 23 hunting queries that immediately unlock the insights Microsoft Sentinel UEBA provides. Nine of those queries are new content that correlate UEBA data with other data sources and with some of our watchlist templates. The new content is summarized below:

Query name: Terminated employee accessing High Value Asset
Description: Shows users listed in the TerminatedEmployees watchlist that accessed an asset listed in the HighValueAssets watchlist
KQL query:
  _GetWatchlist('HighValueAssets')
  | join (BehaviorAnalytics
          | where ActionType contains "ResourceAccess")
      on $left.['Asset Name'] == $right.DestinationDevice
  | join (_GetWatchlist('TerminatedEmployees'))
      on $left.UserPrincipalName == $right.['User Principal Name']
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: Requires both the HighValueAssets and TerminatedEmployees watchlist templates to be created

Query name: Activity from terminated employees after their termination date
Description: Shows all users tagged as terminated employees in the TerminatedEmployees watchlist that had activities after their termination date
KQL query:
  _GetWatchlist('TerminatedEmployees')
  | join (BehaviorAnalytics)
      on $left.['User Principal Name'] == $right.UserPrincipalName
  | where TimeGenerated > todatetime(['Termination date'])
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: Requires the TerminatedEmployees watchlist template; the Termination date column must be in a format that todatetime() can parse, otherwise the comparison evaluates to null and the row is dropped

Query name: Anomalous update Key Vault activity by high blast radius user
Description: Shows Update Key Vault activities performed by a user with a High blast radius, where the action is performed for the first time (by the user or in the tenant) or the connection comes from a country never seen before in the tenant
KQL query:
  BehaviorAnalytics
  | where ActivityType == "Administrative"
  | where ActionType == "Update Key Vault"
  | where UsersInsights.BlastRadius == "High"
  | where ActivityInsights.FirstTimeActionPerformedInTenant == true
       or ActivityInsights.FirstTimeUserPerformedAction == true
       or ActivityInsights.FirstTimeConnectionFromCountryObservedInTenant == true
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: Requires the Azure Activity data connector and Azure Key Vault resources in the monitored subscriptions

Query name: Anomalous login activity originated from Botnet, Tor proxy or C2
Description: Shows logon activity (successful or failed) originating from an IP address that threat intelligence tags as a botnet, C2 or proxy (including Tor), with at least one activity insight set to true
KQL query:
  BehaviorAnalytics
  | where ActivityType == 'LogOn' or ActivityType == 'FailedLogOn'
  | where DevicesInsights.ThreatIntelIndicatorType == 'Botnet'
       or DevicesInsights.ThreatIntelIndicatorType == 'C2'
       or DevicesInsights.ThreatIntelIndicatorType == 'Proxy'
  | where ActivityInsights contains 'True'
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: Requires the Azure AD sign-in logs or Windows Security Events data source

Query name: Anomalies on users tagged as VIP
Description: Shows all users tagged as VIP in the VIP users watchlist that had anomalies with an investigation priority greater than 0
KQL query:
  BehaviorAnalytics
  | where UsersInsights.IsVIPUser == true
  | where InvestigationPriority > 0
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: N/A

Query name: Anomalous action performed in tenant by privileged user
Description: Shows actions that had never been performed in the tenant before, executed by a user with a High blast radius
KQL query:
  BehaviorAnalytics
  | where ActivityInsights.FirstTimeActionPerformedInTenant == true
  | where UsersInsights.BlastRadius == 'High'
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: N/A

Query name: Dormant account activity from uncommon country
Description: Shows dormant accounts (not active in the last 180 days) that connect from a country for the first time, where that country is uncommon in the tenant or the ISP has never been used in the tenant before
KQL query:
  BehaviorAnalytics
  | where UsersInsights.IsDormantAccount == true
  | where ActivityInsights.FirstTimeUserConnectedFromCountry == true
  | where ActivityInsights.CountryUncommonlyConnectedFromInTenant == true
       or ActivityInsights.FirstTimeConnectionViaISPInTenant == true
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: N/A

Query name: Anomalous connection from highly privileged user
Description: Shows users from a given department with a High blast radius who accessed a resource for the first time, where none of their peers had accessed it
KQL query:
  let Group = 'Helpdesk';
  IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountObjectId // get the latest information per account
  | where Department == Group
  | where BlastRadius == 'High'
  | join (BehaviorAnalytics
          | where ActivityType == 'LogOn'
          | where ActionType == 'ResourceAccess' // filter for specific activities
          | where ActivityInsights.FirstTimeUserAccessedResource == true
          | where ActivityInsights.ResourceUncommonlyAccessedAmongPeers == true)
      on $left.AccountUPN == $right.UserPrincipalName
  | extend AadUserId = UsersInsights.AccountObjectID
Comments: Requires the Azure AD sign-in logs or Windows Security Events data source. Modify the Group variable in the query to match your environment

Query name: New account added to admin group
Description: Accounts created in the last 7 days that are members of the administrators group
KQL query:
  let adminGroup = 'Administrators';
  IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountObjectId // get the latest information per account
  | where AccountCreationTime > ago(7d)
  | where GroupMembership contains adminGroup
Comments: Modify the adminGroup variable in the query to match your environment. Note that the comparison must be AccountCreationTime > ago(7d): with < the query would return every account older than 7 days instead
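The hunting queries above are written for interactive triage: one row per event, raw string joins, and no handling for watchlist rows whose date fails to parse. The query below is an added example, not part of the UEBA Essentials solution, showing how the terminated-employee hunt can be reshaped for a scheduled analytics rule. It assumes the TerminatedEmployees watchlist template with its 'User Principal Name' and 'Termination date' columns and the BehaviorAnalytics columns used elsewhere on this page; the grace variable is a hypothetical allowance for termination dates that HR records as a date without a time.

```kusto
// Added example (not from the UEBA Essentials solution): an alert-ready variant of the
// "Activity from terminated employees after their termination date" hunt.
// Assumptions: watchlist alias TerminatedEmployees with columns 'User Principal Name'
// and 'Termination date'; grace is a hypothetical allowance for date-only termination values.
let lookback = 1d;
let grace = 1d;                                   // HR usually records a date, not a timestamp
let Terminated =
    _GetWatchlist('TerminatedEmployees')
    | extend UPN = tolower(tostring(['User Principal Name'])),
             TerminationDate = todatetime(['Termination date'])
    | where isnotempty(UPN)
    // one row per user; if the same user appears twice keep the latest termination date
    | summarize TerminationDate = max(TerminationDate) by UPN;
BehaviorAnalytics
| where TimeGenerated > ago(lookback)
| extend UPN = tolower(UserPrincipalName)         // KQL joins are case-sensitive, so normalize both sides
| join kind=inner Terminated on UPN
// an unparseable date becomes null and the comparison would silently drop the row;
// keep those rows visible so a bad watchlist entry does not hide a real terminated user
| where isnull(TerminationDate) or TimeGenerated > TerminationDate + grace
| extend AadUserId = tostring(UsersInsights.AccountObjectID)
| summarize EventCount = count(),
            FirstTimeActions = countif(tobool(ActivityInsights.FirstTimeUserPerformedAction)),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated),
            MaxPriority = max(InvestigationPriority),
            Activities = make_set(ActionType, 20),
            SourceIPs = make_set(SourceIPAddress, 10),
            Devices = make_set(SourceDevice, 10)
          by UserPrincipalName, AadUserId, TerminationDate
| extend DaysAfterTermination = datetime_diff('day', LastSeen, TerminationDate)
| order by MaxPriority desc, EventCount desc
```

Run this with a rule frequency equal to lookback so each event is evaluated once, map the Account entity to UserPrincipalName and AadUserId, and treat a row with an empty TerminationDate as a data-quality finding for the watchlist owner rather than an incident. The one-row-per-user aggregation is what keeps a noisy post-termination session from opening dozens of incidents.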


Getting started

In order to install this new solution, you will have to follow these steps:


  1. (Prerequisite) Create your Microsoft Sentinel workspace if you don’t have one already
  2. (Prerequisite) Enable UEBA and select relevant data sources (see details at Use entity behavior analytics to detect advanced threats | Microsoft Learn)
  3. Go to Content Hub and search for "UEBA Essentials"
  4. Select the "UEBA Essentials" solution and click install
  5. Follow the installation wizard
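After installation it is worth confirming that each input the hunting queries depend on is actually populated, since an empty result from a hunt is indistinguishable from a missing data source. The following query is an added example, not part of the UEBA Essentials solution; it assumes the two watchlist templates were created under their default aliases (TerminatedEmployees and HighValueAssets) and that _GetWatchlist exposes the LastUpdatedTimeUTC column.

```kusto
// Added example (not from the solution): one query that reports, per input,
// how many rows arrived in the lookback window and when the latest one landed.
// isfuzzy=true lets the query run even if BehaviorAnalytics does not exist yet
// (UEBA not enabled), in which case that leg simply contributes no row.
let lookback = 7d;
union isfuzzy=true
  (BehaviorAnalytics
   | where TimeGenerated > ago(lookback)
   | summarize Rows = count(), Latest = max(TimeGenerated) by ActivityType
   | extend Source = strcat("BehaviorAnalytics/", ActivityType)
   | project Source, Rows, Latest),
  (IdentityInfo
   | where TimeGenerated > ago(lookback)
   | summarize Rows = count(), Latest = max(TimeGenerated)
   | extend Source = "IdentityInfo"),
  (_GetWatchlist('TerminatedEmployees')
   | summarize Rows = count(), Latest = max(LastUpdatedTimeUTC)
   | extend Source = "Watchlist/TerminatedEmployees"),
  (_GetWatchlist('HighValueAssets')
   | summarize Rows = count(), Latest = max(LastUpdatedTimeUTC)
   | extend Source = "Watchlist/HighValueAssets")
| project Source, Rows, Latest
| order by Source asc
```

A Rows value of 0 for IdentityInfo or either watchlist means the corresponding hunts (the VIP, blast radius, department and terminated-employee queries) will return nothing regardless of what users are doing; a missing BehaviorAnalytics/LogOn row usually means the sign-in or Windows Security Events data source selected in step 2 is not yet flowing.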

Call to action

Go to Content Hub and start benefiting from these queries, which show the value Microsoft Sentinel UEBA can provide to security teams. Feel free to leave your feedback below or in the marketplace reviews.
