In January and February of 2021, the threat actor called Hafnium used a number of post-exploitation tools after gaining access to Exchange servers through a zero-day exploit. One of their persistence methods was creating new user accounts in the domain, giving them the ability to log back into the network using normal authentication rather than using a web shell or continuing to re-exploit the vulnerability (which has since been patched). There are several good Splunk detections and Phantom responses that can find a Hafnium-like attack earlier in the chain, but monitoring new user accounts with a SOAR tool such as Splunk Phantom is one of the easiest to get started with and the least specific to any particular kind of attack. We already knew Active Directory was one of the most important systems for our security posture, and Hafnium just gave us a not-so-subtle reminder that we need to stay on top of it, whether on-premises through regular Active Directory or in the cloud with Azure Active Directory.
To get started with an account monitoring use case, our newest community playbook initiates a scheduled review of new accounts created in Azure Active Directory each week. The generated report shows some basic information about each of the new users and provides their user IDs for further investigation.
Once this playbook has been in use for a few weeks, the security team should have a good understanding of the frequency and common attributes of newly created accounts. After that, if a new account shows up with an irregular field such as a creation time in the middle of the night or an organizational unit that doesn’t make sense, then further investigation would be warranted.
This playbook checks in every week with a list of new users created in Azure Active Directory:
The playbook starts by listing all users, then filters down to those with the createdDateTime within the last seven days. That lookback window can be adjusted using the datetime_modify function in the bottom left. Next, the playbook queries the Microsoft Graph API to cross-reference the new accounts and make sure that Phantom has access to investigation and containment actions in Office 365. At the end, the results are saved to artifacts, one for each user, and presented in an analyst note on the investigation page.
Here are the steps to get this playbook and use it:
You can tune and extend this playbook with many variations of logic depending on how you’ve configured your Active Directory deployment and how your organization onboards new users. An allowlist could use the presence or value of any Active Directory attribute to filter out new users matching any criteria or automatically disable accounts not matching the necessary criteria. This playbook would also be a good candidate to interface with a ticketing system, messaging platform or email to notify the correct team members or validate information with someone who knows more about the activity.
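The following is an added example, not the community playbook itself, that shows the core logic described above in plain Python: filter a list of Azure AD user records down to those whose createdDateTime falls inside a seven-day lookback window, build one artifact-like record per new user, and apply the kind of allowlist tuning just described by tagging accounts with irregular fields (creation during quiet hours, or a department that is not on an allowlist). The user records are constructed in the shape of Microsoft Graph /users responses with invented values; the RUN_TIME, ALLOWED_DEPARTMENTS, quiet-hour range, the label string and the cef field names are all assumptions made for this example rather than values taken from the playbook.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of user records in the shape of Microsoft Graph /users
# responses; every value here is invented for this example.
SAMPLE_USERS = [
    {"id": "11111111-0000-0000-0000-000000000001", "displayName": "Alice Example",
     "userPrincipalName": "alice@example.onmicrosoft.com",
     "createdDateTime": "2021-03-10T14:22:05Z", "department": "Engineering"},
    {"id": "11111111-0000-0000-0000-000000000002", "displayName": "Bob Example",
     "userPrincipalName": "bob@example.onmicrosoft.com",
     "createdDateTime": "2021-03-01T09:00:00Z", "department": "Sales"},
    {"id": "11111111-0000-0000-0000-000000000003", "displayName": "svc-backup",
     "userPrincipalName": "svc-backup@example.onmicrosoft.com",
     "createdDateTime": "2021-03-13T03:14:00Z", "department": "Contractors"},
    {"id": "11111111-0000-0000-0000-000000000004", "displayName": "Carol Example",
     "userPrincipalName": "carol@example.onmicrosoft.com",
     "createdDateTime": "2021-03-08T11:59:59Z", "department": "Finance"},
    {"id": "11111111-0000-0000-0000-000000000005", "displayName": "Dave Example",
     "userPrincipalName": "dave@example.onmicrosoft.com",
     "createdDateTime": "2021-03-14T23:30:00Z", "department": "Finance"},
]

# Fixed "now" so the example is reproducible; a scheduled playbook would use its run time.
RUN_TIME = datetime(2021, 3, 15, 12, 0, 0, tzinfo=timezone.utc)

# Hypothetical allowlist: the departments the normal onboarding process assigns.
ALLOWED_DEPARTMENTS = {"Engineering", "Finance", "Sales"}


def parse_graph_time(value):
    """Parse Graph's UTC timestamps (e.g. 2021-03-10T14:22:05Z) into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def new_users(users, now, lookback_days=7):
    """Keep only accounts whose createdDateTime is inside the lookback window."""
    cutoff = now - timedelta(days=lookback_days)
    return [u for u in users if parse_graph_time(u["createdDateTime"]) >= cutoff]


def irregularities(user, allowed_departments, quiet_hours=(0, 6)):
    """Return the reasons an account looks unusual; an empty list means nothing stood out."""
    reasons = []
    created = parse_graph_time(user["createdDateTime"])
    if quiet_hours[0] <= created.hour < quiet_hours[1]:
        reasons.append("created during quiet hours (UTC)")
    if user.get("department") not in allowed_departments:
        reasons.append("department not on allowlist")
    return reasons


def build_artifacts(users, now, allowed_departments, lookback_days=7):
    """One dict per new user; the name/label/cef/tags layout is modelled on
    the Phantom artifact shape but the field names are assumptions."""
    artifacts = []
    for user in new_users(users, now, lookback_days):
        artifacts.append({
            "name": "Azure AD new user: " + user["userPrincipalName"],
            "label": "azure_ad_new_user",
            "cef": {
                "userId": user["id"],
                "userPrincipalName": user["userPrincipalName"],
                "createdDateTime": user["createdDateTime"],
                "department": user.get("department", ""),
            },
            "tags": irregularities(user, allowed_departments),
        })
    return artifacts


def flagged(artifacts):
    """Artifacts that carry at least one irregularity tag and deserve a closer look."""
    return [a for a in artifacts if a["tags"]]


def analyst_note(artifacts):
    """Plain-text summary in the spirit of the playbook's analyst note."""
    lines = ["%d new Azure AD user(s) in the lookback window" % len(artifacts)]
    for a in artifacts:
        status = "; ".join(a["tags"]) if a["tags"] else "no irregular fields"
        lines.append("- %s (created %s): %s" % (
            a["cef"]["userPrincipalName"], a["cef"]["createdDateTime"], status))
    return "\n".join(lines)


if __name__ == "__main__":
    print(analyst_note(build_artifacts(SAMPLE_USERS, RUN_TIME, ALLOWED_DEPARTMENTS)))
```

With the constructed data, three of the five accounts fall inside the seven-day window (the account created one second before the cutoff is correctly excluded), and only the service-style account created at 03:14 UTC with an unlisted department is tagged. Widening lookback_days is the equivalent of adjusting the playbook's datetime_modify lookback, and the allowlist check is where an organization would plug in whichever directory attribute its onboarding process makes reliable.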
Doing a simple hygiene check like this may also be a good first step towards more advanced Active Directory monitoring in Splunk Enterprise Security. If you are using Splunk tools for authentication activity, it might make sense to run a Splunk query from this playbook to check the login history of each account. Azure also provides a number of security services such as Azure Active Directory Identity Protection and Azure Privileged Identity Management, which can report on other suspicious user activity. However, try not to let a future plan for a more advanced monitoring solution get in the way of implementing something simple like this Azure New User Census. If nothing else, it will provide a baseline of new user activity that you can refer to later if something triggers a closer look.
This blog is part of a series called “SOAR in Seconds” where our distinguished Splunk Phantom experts guide you through how to use out-of-the-box playbooks and other features to automate repetitive tasks.
----------------------------------------------------
Thanks!
Philip Royer