Anomolous Single Factor Signin
Id | f7c3f5c8-71ea-49ff-b8b3-148f0e346291 |
Rulename | Anomolous Single Factor Signin |
Description | Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in |
Severity | Low |
Tactics | InitialAccess |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 7d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml |
Version | 1.0.3 |
Arm template | f7c3f5c8-71ea-49ff-b8b3-148f0e346291.json |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
triggerOperator: gt
queryFrequency: 1d
description: |
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.
Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
version: 1.0.3
kind: Scheduled
triggerThreshold: 0
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
queryPeriod: 7d
name: Anomolous Single Factor Signin
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
id: f7c3f5c8-71ea-49ff-b8b3-148f0e346291
tags:
- AADSecOpsGuide
tactics:
- InitialAccess
metadata:
source:
kind: Community
author:
name: Pete Bryan
categories:
domains:
- Security - Others
support:
tier: Community
relevantTechniques:
- T1078.004
severity: Low
entityMappings:
- fieldMappings:
- identifier: FullName
columnName: UserPrincipalName
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IPAddress
entityType: IP
query: |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2023-02-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"properties": {
"alertRuleTemplateName": "f7c3f5c8-71ea-49ff-b8b3-148f0e346291",
"customDetails": null,
"description": "'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'\n",
"displayName": "Anomolous Single Factor Signin",
"enabled": true,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "FullName"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml",
"query": "let known_locations = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | summarize by LocationDetail);\n let known_asn = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | summarize by AutonomousSystemNumber);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where isempty(DeviceDetail.deviceId)\n | where AuthenticationRequirement == \"singleFactorAuthentication\"\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"severity": "Low",
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"tags": [
"AADSecOpsGuide"
],
"techniques": [
"T1078"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}