Privileged User Logon from new ASN

Back


Id	55073036-bb86-47d3-a85a-b113ac3d9396
Rulename	Privileged User Logon from new ASN
Description	Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.
Severity	Medium
Tactics	DefenseEvasion
Techniques	T1078.004
Required data connectors	AzureActiveDirectory BehaviorAnalytics
Kind	Scheduled
Query frequency	1d
Query period	7d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
Version	1.0.3
Arm template	55073036-bb86-47d3-a85a-b113ac3d9396.json

KQL

let admins=(IdentityInfo
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  let known_asns = (
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admins)
  | where AutonomousSystemNumber !in (known_asns)
  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
  | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress

YAML

queryFrequency: 1d
triggerOperator: gt
tactics:
- DefenseEvasion
description: |
  'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.
    Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'  
relevantTechniques:
- T1078.004
name: Privileged User Logon from new ASN
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
severity: Medium
triggerThreshold: 0
version: 1.0.3
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
tags:
- AADSecOpsGuide
id: 55073036-bb86-47d3-a85a-b113ac3d9396
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
kind: Scheduled
query: |
  let admins=(IdentityInfo
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    let known_asns = (
    SigninLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where ResultType == 0
    | summarize by AutonomousSystemNumber);
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where tolower(UserPrincipalName) in (admins)
    | where AutonomousSystemNumber !in (known_asns)
    | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
    | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress  
queryPeriod: 7d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55073036-bb86-47d3-a85a-b113ac3d9396')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55073036-bb86-47d3-a85a-b113ac3d9396')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Privileged User Logon from new ASN",
        "description": "'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\n  Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let admins=(IdentityInfo\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  let known_asns = (\n  SigninLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where ResultType == 0\n  | summarize by AutonomousSystemNumber);\n  SigninLogs\n  | where TimeGenerated > ago(1d)\n  | where ResultType == 0\n  | where tolower(UserPrincipalName) in (admins)\n  | where AutonomousSystemNumber !in (known_asns)\n  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\n  | extend AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "55073036-bb86-47d3-a85a-b113ac3d9396",
        "customDetails": null,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml",
        "tags": [
          "AADSecOpsGuide"
        ],
        "templateVersion": "1.0.3"
      }
    }
  ]
}