Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Risky user signin observed in non-Microsoft network device

Back
Id042f2801-a375-4cfd-bd29-041fc7ed88a0
RulenameRisky user signin observed in non-Microsoft network device
DescriptionThis content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.
SeverityMedium
TacticsCommandAndControl
TechniquesT1071
Required data connectorsAzureActiveDirectory
CheckPoint
Fortinet
PaloAltoNetworks
Zscaler
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
Version1.0.5
Arm template042f2801-a375-4cfd-bd29-041fc7ed88a0.json
Deploy To Azure

SigninLogs
//Find risky Signin
| where RiskState == "atRisk" and ResultType == 0
| extend Signin_Time = TimeGenerated
| summarize
    AppDisplayName=make_set(AppDisplayName),
    ClientAppUsed=make_set(ClientAppUsed),
    UserAgent=make_set(UserAgent),
    CorrelationId=make_set(CorrelationId),
    Signin_Time= min(Signin_Time),
    RiskEventTypes=make_set(RiskEventTypes)
    by
    ConditionalAccessStatus,
    IPAddress,
    IsRisky,
    ResourceDisplayName,
    RiskDetail,
    ResultType,
    RiskLevelAggregated,
    RiskLevelDuringSignIn,
    RiskState,
    UserPrincipalName=tostring(tolower(UserPrincipalName)),
    SourceSystem
| join kind=inner (
    CommonSecurityLog
    | where DeviceVendor has_any  ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
    | where DeviceProduct startswith "FortiGate" or DeviceProduct startswith  "PAN" or DeviceProduct startswith  "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith  "NSSWeblog" or DeviceProduct startswith "URL"
    | where DeviceAction != "Block"
    | where isnotempty(RequestURL)
    | where isnotempty(SourceUserName)
    | extend SourceUserName = tolower(SourceUserName)
    | summarize
        min(TimeGenerated),
        max(TimeGenerated),
        Activity=make_set(Activity)
        by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct
    | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,"@")[0]),UPNSuffix =tostring(split(SourceUserName,"@")[1]))
    on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName
| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)
| where Timediff <= 1 and Timediff >= 0
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1071
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - CommonSecurityLog (PaloAlto)
  connectorId: PaloAltoNetworks
- dataTypes:
  - CommonSecurityLog (Fortinet)
  connectorId: Fortinet
- dataTypes:
  - CommonSecurityLog (CheckPoint)
  connectorId: CheckPoint
- dataTypes:
  - CommonSecurityLog (Zscaler)
  connectorId: Zscaler
queryPeriod: 1d
tactics:
- CommandAndControl
severity: Medium
triggerOperator: gt
description: |
    'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'
query: |2

  SigninLogs
  //Find risky Signin
  | where RiskState == "atRisk" and ResultType == 0
  | extend Signin_Time = TimeGenerated
  | summarize
      AppDisplayName=make_set(AppDisplayName),
      ClientAppUsed=make_set(ClientAppUsed),
      UserAgent=make_set(UserAgent),
      CorrelationId=make_set(CorrelationId),
      Signin_Time= min(Signin_Time),
      RiskEventTypes=make_set(RiskEventTypes)
      by
      ConditionalAccessStatus,
      IPAddress,
      IsRisky,
      ResourceDisplayName,
      RiskDetail,
      ResultType,
      RiskLevelAggregated,
      RiskLevelDuringSignIn,
      RiskState,
      UserPrincipalName=tostring(tolower(UserPrincipalName)),
      SourceSystem
  | join kind=inner (
      CommonSecurityLog
      | where DeviceVendor has_any  ("Palo Alto Networks", "Fortinet", "Check Point", "Zscaler")
      | where DeviceProduct startswith "FortiGate" or DeviceProduct startswith  "PAN" or DeviceProduct startswith  "VPN" or DeviceProduct startswith "FireWall" or DeviceProduct startswith  "NSSWeblog" or DeviceProduct startswith "URL"
      | where DeviceAction != "Block"
      | where isnotempty(RequestURL)
      | where isnotempty(SourceUserName)
      | extend SourceUserName = tolower(SourceUserName)
      | summarize
          min(TimeGenerated),
          max(TimeGenerated),
          Activity=make_set(Activity)
          by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct
      | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,"@")[0]),UPNSuffix =tostring(split(SourceUserName,"@")[1]))
      on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName
  | extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)
  | where Timediff <= 1 and Timediff >= 0
name: Risky user signin observed in non-Microsoft network device
version: 1.0.5
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Threat Protection
  author:
    name: Arjun Trivedi
  source:
    kind: Community
id: 042f2801-a375-4cfd-bd29-041fc7ed88a0
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
  - columnName: Name
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: DestinationIP
    identifier: Address
- entityType: DNS
  fieldMappings:
  - columnName: DestinationHostName
    identifier: DomainName
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/042f2801-a375-4cfd-bd29-041fc7ed88a0')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/042f2801-a375-4cfd-bd29-041fc7ed88a0')]",
      "properties": {
        "alertRuleTemplateName": "042f2801-a375-4cfd-bd29-041fc7ed88a0",
        "customDetails": null,
        "description": "'This content is utilized to identify instances of successful login by risky users, who have been observed engaging in potentially suspicious network activity on non-Microsoft network devices.'\n",
        "displayName": "Risky user signin observed in non-Microsoft network device",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "Name",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "DestinationIP",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "DNS",
            "fieldMappings": [
              {
                "columnName": "DestinationHostName",
                "identifier": "DomainName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/MultipleDataSources/RiskyUserIn3Pnetworkactivity.yaml",
        "query": "\nSigninLogs\n//Find risky Signin\n| where RiskState == \"atRisk\" and ResultType == 0\n| extend Signin_Time = TimeGenerated\n| summarize\n    AppDisplayName=make_set(AppDisplayName),\n    ClientAppUsed=make_set(ClientAppUsed),\n    UserAgent=make_set(UserAgent),\n    CorrelationId=make_set(CorrelationId),\n    Signin_Time= min(Signin_Time),\n    RiskEventTypes=make_set(RiskEventTypes)\n    by\n    ConditionalAccessStatus,\n    IPAddress,\n    IsRisky,\n    ResourceDisplayName,\n    RiskDetail,\n    ResultType,\n    RiskLevelAggregated,\n    RiskLevelDuringSignIn,\n    RiskState,\n    UserPrincipalName=tostring(tolower(UserPrincipalName)),\n    SourceSystem\n| join kind=inner (\n    CommonSecurityLog\n    | where DeviceVendor has_any  (\"Palo Alto Networks\", \"Fortinet\", \"Check Point\", \"Zscaler\")\n    | where DeviceProduct startswith \"FortiGate\" or DeviceProduct startswith  \"PAN\" or DeviceProduct startswith  \"VPN\" or DeviceProduct startswith \"FireWall\" or DeviceProduct startswith  \"NSSWeblog\" or DeviceProduct startswith \"URL\"\n    | where DeviceAction != \"Block\"\n    | where isnotempty(RequestURL)\n    | where isnotempty(SourceUserName)\n    | extend SourceUserName = tolower(SourceUserName)\n    | summarize\n        min(TimeGenerated),\n        max(TimeGenerated),\n        Activity=make_set(Activity)\n        by DestinationHostName, DestinationIP, RequestURL, SourceUserName=tostring(tolower(SourceUserName)),DeviceVendor,DeviceProduct\n    | extend 3p_observed_Time= min_TimeGenerated,Name = tostring(split(SourceUserName,\"@\")[0]),UPNSuffix =tostring(split(SourceUserName,\"@\")[1]))\n    on $left.IPAddress == $right.DestinationIP and $left.UserPrincipalName == $right.SourceUserName\n| extend Timediff = datetime_diff('day', 3p_observed_Time, Signin_Time)\n| where Timediff <= 1 and Timediff >= 0\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CommandAndControl"
        ],
        "techniques": [
          "T1071"
        ],
        "templateVersion": "1.0.5",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}