created new rule for NRT Authentication Methods Changed for VIP Users

.script/tests/KqlvalidationsTests/SkipValidationsTemplates.json

@@ -99,6 +99,11 @@
     "templateName": "vimNetworkSessionMicrosoftMD4IoT.yaml",
     "validationFailReason": "The name 'LocalPort' does not refer to any known column, table, variable or function."
   },
+  {    
+    "id": "29e99017-e28d-47be-8b9a-c8c711f8a903",
+    "templateName": "NRT_AuthenticationMethodsChangedforVIPUsers.yaml",
+    "validationFailReason": "The name 'User Principal Name' does not refer to any known column, table, variable or function"  
+  },
   {
     "id": "078a6526-e94e-4cf1-a08e-83bc0186479f",
     "templateName": "Anomalous AAD Account Manipulation.yaml",
@@ -1169,4 +1174,4 @@
     "templateName": "UserAgentSearch_log4j.yaml",
     "validationFailReason": "Since the content moved to new location, created dummy file with guidence for redirecting the customers to new location"
   },
-]
+]

Detections/AuditLogs/NRT_AuthenticationMethodsChangedforVIPUsers.yaml

@@ -0,0 +1,37 @@
+id: 29e99017-e28d-47be-8b9a-c8c711f8a903
+name: NRT Authentication Methods Changed for VIP Users 
+description: |
+  'Identifies authentication methods being changed for a list of VIP users watchlist. This could be an indication of an attacker adding an auth method to the account so they can have continued access.'
+severity: Medium
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectory
+    dataTypes:
+      - AuditLogs
+tactics:
+  - Persistence
+relevantTechniques:
+  - T1098
+tags:
+  - AADSecOpsGuide
+query: |
+  let security_info_actions = dynamic(["User registered security info", "User changed default security info", "User deleted security info", "Admin updated security info", "User reviewed security info", "Admin deleted security info", "Admin registered security info"]);
+  let VIPUsers = (_GetWatchlist('VIPUsers') | distinct ["User Principal Name"]);
+  AuditLogs
+  | where Category =~ "UserManagement"
+  | where ActivityDisplayName in (security_info_actions)
+  | extend Initiator = tostring(InitiatedBy.user.userPrincipalName)
+  | extend IP = tostring(InitiatedBy.user.ipAddress)
+  | extend Target = tolower(tostring(TargetResources[0].userPrincipalName))
+  | where Target in (VIPUsers)
+  | summarize Start=min(TimeGenerated), End=max(TimeGenerated), Actions = make_set(ResultReason) by Initiator, IP, Result, Target
+entityMappings:
+  - entityType: Account
+    fieldMappings:
+      - identifier: FullName
+        columnName: Targets
+  - entityType: IP
+    fieldMappings:
+      - identifier: Address
+        columnName: IP
+version: 1.0.0
+kind: NRT