Privileged User Logon from new ASN
Id | 55073036-bb86-47d3-a85a-b113ac3d9396 |
Rulename | Privileged User Logon from new ASN |
Description | Detects a successful logon by a privileged account from an ASN that has not been seen in successful logons during the previous 14 days. Monitor these logons to ensure they are legitimate and to identify any similar sign-ins. |
Severity | Medium |
Tactics | DefenseEvasion |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory BehaviorAnalytics |
Kind | Scheduled |
Query frequency | 1d |
Query period | 7d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml |
Version | 1.0.3 |
Arm template | 55073036-bb86-47d3-a85a-b113ac3d9396.json |
// Purpose: list successful sign-ins from the last day made by accounts holding
// an admin role, where the sign-in's ASN is absent from the recent baseline.
//
// admins: lower-cased UPNs from IdentityInfo whose AssignedRoles value contains
// the substring "admin" (`contains` is a case-insensitive substring match).
// NOTE(review): privileged roles whose names do not include "admin" are not
// covered by this filter — confirm that the role coverage is what you intend.
let admins=(IdentityInfo
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
// known_asns: every ASN with a successful sign-in (ResultType 0) between 14 days
// and 1 day ago. The baseline is not per account: an ASN counts as known if any
// account signed in from it during the window.
// NOTE(review): the rule metadata on this page sets the query period to 7d, which
// is shorter than this 14d window. A scheduled rule that only reads data inside
// its query period would build this baseline from about 6 days instead of 13,
// making the rule noisier than the description implies — confirm and align them.
let known_asns = (
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
// Detection: successful sign-ins in the last day...
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
// ...by an account in the admin list (UPN compared in lower case on both sides)...
| where tolower(UserPrincipalName) in (admins)
// ...from an ASN that is not in the baseline.
| where AutonomousSystemNumber !in (known_asns)
// Put the triage-relevant columns first; the remaining columns are kept.
| project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
// Columns referenced by the rule's Account and IP entity mappings.
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
# Scheduled analytics rule definition: alerts when an account holding an admin
# role signs in successfully from an ASN absent from the recent sign-in baseline.
queryFrequency: 1d  # the rule runs once a day
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.
Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'
relevantTechniques:
- T1078.004
name: Privileged User Logon from new ASN
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
severity: Medium
triggerThreshold: 0  # combined with triggerOperator gt: any returned row raises an alert
version: 1.0.3
# Entity mappings read the two columns the query adds in its final `extend`.
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
- entityType: IP
fieldMappings:
- identifier: Address
columnName: IPCustomEntity
tags:
- AADSecOpsGuide
id: 55073036-bb86-47d3-a85a-b113ac3d9396
# NOTE(review): the query reads the IdentityInfo table, which is not listed under
# dataTypes below — confirm which connector supplies it in the target workspace,
# because an empty IdentityInfo leaves the admin list empty and the rule silent.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: BehaviorAnalytics
dataTypes:
- BehaviorAnalytics
kind: Scheduled
query: |
let admins=(IdentityInfo
| where AssignedRoles contains "admin"
| summarize by tolower(AccountUPN));
let known_asns = (
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admins)
| where AutonomousSystemNumber !in (known_asns)
| project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
| extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
queryPeriod: 7d  # NOTE(review): shorter than the query's ago(14d) baseline and the 14 days named in the description — confirm whether this should be 14d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55073036-bb86-47d3-a85a-b113ac3d9396')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55073036-bb86-47d3-a85a-b113ac3d9396')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Privileged User Logon from new ASN",
"description": "'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\n Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'\n",
"severity": "Medium",
"enabled": true,
"query": "let admins=(IdentityInfo\n | where AssignedRoles contains \"admin\"\n | summarize by tolower(AccountUPN));\n let known_asns = (\n SigninLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where ResultType == 0\n | summarize by AutonomousSystemNumber);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where tolower(UserPrincipalName) in (admins)\n | where AutonomousSystemNumber !in (known_asns)\n | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\n | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"DefenseEvasion"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "55073036-bb86-47d3-a85a-b113ac3d9396",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPCustomEntity"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml",
"tags": [
"AADSecOpsGuide"
],
"templateVersion": "1.0.3"
}
}
]
}