Azure - User Investigation
This playbook performs an investigation on a specific user in Azure environments, using queries and logs from Azure Log Analytics to locate the following activities performed by the user: - Script-based user agent usage - Administrative user activities - Security rules and policies changes - Failed login attempt - MFA failed login attempt - Login attempt from an uncommon country - Anomalies activities - Risky users - Uncommon high volume of actions - Action uncommonly performed by the user
Azure Enrichment and Remediation · 36 tasks · 4 inputs · 19 outputs
Inputs
Username— The username to investigate.AzureSearchTime— The Search Time for the Azure Log Analytics search query. Default value: ago(1d)failedLogonThreshold— The threshold number of failed logons by the user. Required to determine how many failed logon events count as suspicious events.MfaAttemptThreshold— The threshold number of MFA failed logons by the user. Required to determine how many MFA failed logon events count as suspicious events.
Outputs
AzureScriptBasedUserAgentEvents— Script-based user agent events used by the user in the Azure environment.CountAzureEvents.AzureScriptBasedUserAgentCount— The number of script-based user agent usages by the user in the Azure environment.AzureAdminActivitiesEvents— Administrative activities performed by the user in the Azure environment.CountAzureEvents.AzureAdminActivitiesCount— The number of administrative activities performed by the user in the Azure environment.AzureSecurityRulesChangeEvents— Security rules that were changed by the user in the Azure environment.CountAzureEvents.AzureSecurityRulesChangeCount— The number of security rules that were changed by the user in the Azure environment.AzureUnsuccessSecurityRulesChangeEvents— Unsuccessful attempts to change security rules by the user in the Azure environment.CountAzureEvents.AzureUnsuccessSecurityRulesChangeCount— The number of unsuccessful attempts to change security rules by the user in the Azure environment.AzureFailLoginCount— The number of failed logins by the user in the Azure environment.AzureFailLoginMFACount— The number of failed logins by the user using MFA in the Azure environment.AzureAnomaliesEvents— Anomaly events on the user in the Azure environment.CountAzureEvents.AzureAnomaliesCount— The number of anomaly events on the user in the Azure environment.AzureRiskyUserCount— The number of events where the user was defined as a risky user in the Azure environment.AzureUncommonCountryLogonEvents— Uncommon country logon events by the user in the Azure environment.CountAzureEvents.AzureUncommonCountryLogonCount— The number of uncommon country logon events by the user in the Azure environment.AzureUncommonVolumeEvents— Uncommon volume events by the user in the Azure environment.CountAzureEvents.AzureUncommonVolumeCount— The number of uncommon volume events by the user in the Azure environment.AzureUncommonActivitiesEvents— Uncommon activity events by the user in the Azure environment.CountAzureEvents.AzureUncommonActivitiesCount— The number of uncommon activity events by the user in the Azure environment.
Commands used
azure-log-analytics-execute-query