
sentinel-queries

This project provides a set of KQL queries for detecting abuse associated with the BloodHound BARK toolkit in an Azure AD tenant. The queries are designed to identify the behaviours that BARK simulates, not the use of the tool itself. The content includes detection queries for the different BARK functions, control recommendations and links to related resources.


README

🚀 BARK

BARK is a tool for detecting potential privilege-escalation attacks in Azure Active Directory (Azure AD). By analysing the audit logs in Microsoft Sentinel, it can pinpoint anomalous or high-risk activity and help protect the environment.

🚀 Quick start

The sections below describe the BARK detection queries for each scenario, followed by controls and prevention measures.

✨ Key features

  • Detects potential privilege-escalation attacks against Azure Active Directory (Azure AD).
  • Identifies anomalous or high-risk activity by analysing the audit logs in Microsoft Sentinel.

💻 Usage examples

Basic usage

Detection query (user as actor, user as target)

AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "User"
| extend Target = tostring(TargetResources[0].userPrincipalName)
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], Target, GroupName

Detection query (user as actor, service principal as target)

AuditLogs
| where OperationName == "Add member to group"
| extend Actor = tostring(parse_json(tostring(InitiatedBy.user)).userPrincipalName)
| extend ['Actor IP Address'] = tostring(parse_json(tostring(InitiatedBy.user)).ipAddress)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where TargetResources[0].type == "ServicePrincipal"
// Target service principal columns referenced by the project below, taken from the target resource's displayName and id
| extend ['Target Service Principal Name'] = tostring(TargetResources[0].displayName)
| extend ['Target Service Principal ObjectId'] = tostring(TargetResources[0].id)
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, Actor, ['Actor IP Address'], ['Target Service Principal Name'], ['Target Service Principal ObjectId'], GroupName

Detection query (service principal as actor, user as target)

AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName)
| extend ['Actor Service Principal ObjectId'] = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| where isnotempty(['Actor Service Principal ObjectId'])
// MS-PIM is the service principal behind PIM role/group activations and is excluded to cut expected noise
| where ['Actor Service Principal Name'] != "MS-PIM"
| where TargetResources[0].type == "User"
// GroupName must be derived before it is filtered on (same expression as the user-actor queries)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue)))
| where GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| extend Target = tostring(TargetResources[0].userPrincipalName)
| project TimeGenerated, OperationName, ['Actor Service Principal Name'], ['Actor Service Principal ObjectId'], Target, GroupName

Detection query (service principal as actor, service principal as target)

AuditLogs
| where OperationName == "Add member to group"
| extend ['Actor Service Principal Name'] = tostring(parse_json(tostring(InitiatedBy.app)).displayName), ['Actor Service Principal ObjectId'] = tostring(parse_json(tostring(InitiatedBy.app)).servicePrincipalId)
| extend GroupName = tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))), ['Target Service Principal Name'] = tostring(TargetResources[0].displayName), ['Target Service Principal ObjectId'] = tostring(TargetResources[0].id)
| where isnotempty(['Actor Service Principal ObjectId']) and ['Actor Service Principal Name'] != "MS-PIM" and TargetResources[0].type == "ServicePrincipal" and GroupName in~ ("PrivilegedGroup1","PrivilegedGroup2")
| project TimeGenerated, OperationName, ['Actor Service Principal Name'], ['Actor Service Principal ObjectId'], ['Target Service Principal Name'], ['Target Service Principal ObjectId'], GroupName
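The four queries above differ only in which branch of InitiatedBy (user or app) and which TargetResources[0].type they select; the awkward part is the doubly JSON-encoded group name in modifiedProperties[1].newValue. The following Python is an added example, not code from the sentinel-queries project, that reproduces all four actor/target combinations in one function over constructed AuditLogs-shaped records so the logic can be checked offline before it is deployed as a Sentinel rule. The group names, principal names, object ids and IP addresses are placeholders, and the record shape is an assumption based on the fields the KQL queries read.

```python
import json

# Constructed placeholder watch list, matching the README's PrivilegedGroup1/PrivilegedGroup2 names.
PRIVILEGED_GROUPS = ("PrivilegedGroup1", "PrivilegedGroup2")


def group_name_from_event(event):
    """Mirror of the KQL expression
    tostring(parse_json(tostring(parse_json(tostring(TargetResources[0].modifiedProperties))[1].newValue))).
    modifiedProperties is an array whose element [1] carries the group display name, and its
    newValue is itself a JSON-encoded string (e.g. "\\"PrivilegedGroup1\\""), hence the inner json.loads."""
    props = event["TargetResources"][0].get("modifiedProperties") or []
    if isinstance(props, str):            # the column may arrive as a serialized string
        props = json.loads(props)
    if len(props) < 2 or props[1].get("newValue") is None:
        return ""
    new_value = props[1]["newValue"]
    try:
        return str(json.loads(new_value))  # strip the inner JSON quoting
    except (ValueError, TypeError):
        return str(new_value)


def classify_actor(event):
    """Return (actor_type, name, object_id, ip) from InitiatedBy.app or InitiatedBy.user,
    the two branches the README queries split on."""
    initiated = event.get("InitiatedBy") or {}
    app = initiated.get("app") or {}
    user = initiated.get("user") or {}
    if app.get("servicePrincipalId"):      # KQL: isnotempty(['Actor Service Principal ObjectId'])
        return "ServicePrincipal", app.get("displayName", ""), app["servicePrincipalId"], ""
    if user.get("userPrincipalName"):
        return "User", user["userPrincipalName"], "", user.get("ipAddress", "")
    return "Unknown", "", "", ""


def detect_privileged_group_additions(events, privileged_groups=PRIVILEGED_GROUPS):
    """Apply all four README queries at once: any actor (user or service principal) adding any
    target (user or service principal) to a watched group, excluding the MS-PIM service principal,
    which performs legitimate PIM activations and would otherwise flood the rule with noise."""
    watched = {g.lower() for g in privileged_groups}   # KQL in~ is case-insensitive
    alerts = []
    for event in events:
        if event.get("OperationName") != "Add member to group":
            continue
        targets = event.get("TargetResources") or []
        if not targets or targets[0].get("type") not in ("User", "ServicePrincipal"):
            continue
        group_name = group_name_from_event(event)
        if group_name.lower() not in watched:
            continue
        actor_type, actor_name, actor_id, actor_ip = classify_actor(event)
        if actor_type == "Unknown" or (actor_type == "ServicePrincipal" and actor_name == "MS-PIM"):
            continue
        target = targets[0]
        target_name = target.get("userPrincipalName") if target["type"] == "User" else target.get("displayName")
        alerts.append({
            "TimeGenerated": event.get("TimeGenerated"),
            "ActorType": actor_type, "Actor": actor_name, "ActorObjectId": actor_id, "ActorIP": actor_ip,
            "TargetType": target["type"], "Target": target_name, "TargetObjectId": target.get("id"),
            "GroupName": group_name,
        })
    return alerts


def _event(ts, initiated_by, target, group):
    """Build a constructed AuditLogs-shaped record (sample data, not a real tenant export)."""
    return {
        "TimeGenerated": ts,
        "OperationName": "Add member to group",
        "InitiatedBy": initiated_by,
        "TargetResources": [dict(target, modifiedProperties=[
            {"displayName": "Group.ObjectID", "oldValue": None, "newValue": json.dumps("00000000-0000-0000-0000-00000000aaaa")},
            {"displayName": "Group.DisplayName", "oldValue": None, "newValue": json.dumps(group)},
        ])],
    }


# Constructed sample: the four actor/target combinations, one MS-PIM activation and one unwatched group.
SAMPLE_EVENTS = [
    _event("2024-01-01T10:00:00Z", {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}},
           {"type": "User", "id": "u-1", "userPrincipalName": "bob@contoso.example"}, "PrivilegedGroup1"),
    _event("2024-01-01T10:05:00Z", {"user": {"userPrincipalName": "alice@contoso.example", "ipAddress": "203.0.113.10"}},
           {"type": "ServicePrincipal", "id": "sp-9", "displayName": "automation-app"}, "privilegedgroup2"),
    _event("2024-01-01T10:10:00Z", {"app": {"displayName": "deploy-pipeline", "servicePrincipalId": "sp-2"}},
           {"type": "User", "id": "u-3", "userPrincipalName": "carol@contoso.example"}, "PrivilegedGroup1"),
    _event("2024-01-01T10:15:00Z", {"app": {"displayName": "MS-PIM", "servicePrincipalId": "sp-pim"}},
           {"type": "User", "id": "u-4", "userPrincipalName": "dave@contoso.example"}, "PrivilegedGroup1"),
    _event("2024-01-01T10:20:00Z", {"user": {"userPrincipalName": "erin@contoso.example", "ipAddress": "203.0.113.11"}},
           {"type": "User", "id": "u-5", "userPrincipalName": "frank@contoso.example"}, "Marketing"),
]


if __name__ == "__main__":
    for alert in detect_privileged_group_additions(SAMPLE_EVENTS):
        print(alert)
```

Running the block prints three alerts: the two user-initiated additions and the deploy-pipeline service principal adding a user, while the MS-PIM activation and the Marketing group change are dropped. Feeding it a real export of AuditLogs rows (for example from a Log Analytics query saved as JSON) is a quick way to confirm that the modifiedProperties index and the group watch list match your tenant before the KQL goes into an analytics rule.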

🔧 Controls / prevention

The document does not specify concrete controls or prevention measures. In practice, when a BARK detection fires, take the corresponding security action promptly, such as restricting the permissions of the anomalous user or service principal.

📚 Related links

The document does not provide specific related links; resource links can be added here as needed so that users can find more information.
