Anomolous Single Factor Signin
| Id | f7c3f5c8-71ea-49ff-b8b3-148f0e346291 |
| Rulename | Anomolous Single Factor Signin |
| Description | Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in |
| Severity | Low |
| Tactics | InitialAccess |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml |
| Version | 1.0.3 |
| Arm template | f7c3f5c8-71ea-49ff-b8b3-148f0e346291.json |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
relevantTechniques:
- T1078.004
queryPeriod: 7d
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
triggerThreshold: 0
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: UserPrincipalName
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IPAddress
entityType: IP
name: Anomolous Single Factor Signin
tags:
- AADSecOpsGuide
query: |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
queryFrequency: 1d
id: f7c3f5c8-71ea-49ff-b8b3-148f0e346291
severity: Low
description: |
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.
Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
metadata:
source:
kind: Community
categories:
domains:
- Security - Others
support:
tier: Community
author:
name: Pete Bryan
version: 1.0.3
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
kind: Scheduled
triggerOperator: gt
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"properties": {
"alertRuleTemplateName": "f7c3f5c8-71ea-49ff-b8b3-148f0e346291",
"customDetails": null,
"description": "'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'\n",
"displayName": "Anomolous Single Factor Signin",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml",
"query": "let known_locations = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | summarize by LocationDetail);\n let known_asn = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | summarize by AutonomousSystemNumber);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where isempty(DeviceDetail.deviceId)\n | where AuthenticationRequirement == \"singleFactorAuthentication\"\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}