Microsoft Sentinel Analytic Rules

Privileged User Logon from new ASN

Id: 55073036-bb86-47d3-a85a-b113ac3d9396
Rulename: Privileged User Logon from new ASN
Description: Detects a successful logon by a privileged account from an ASN that has not been logged in from in the last 14 days.

Monitor these logons to ensure they are legitimate and identify whether there are any similar sign-ins.
Severity: Medium
Tactics: DefenseEvasion
Techniques: T1078.004
Required data connectors: AzureActiveDirectory, BehaviorAnalytics
Kind: Scheduled
Query frequency: 1d
Query period: 7d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
Version: 1.0.6
Arm template: 55073036-bb86-47d3-a85a-b113ac3d9396.json
// Detection: a successful sign-in in the last day by a privileged account,
// from an ASN that is absent from the baseline of earlier successful sign-ins.
//
// admins: distinct lower-cased UPNs from IdentityInfo whose AssignedRoles
// contains the substring "admin" or whose GroupMembership has the term "Admin"
// (both operators are case-insensitive).
// NOTE(review): matching on names skips privileged roles and groups that do not
// carry "admin" in their name; confirm the resulting list against the tenant's
// role model.
// NOTE(review): IdentityInfo is only as complete as the rows inside the rule's
// query window; verify that window covers the table's refresh interval,
// otherwise privileged accounts silently drop out of `admins`.
let admins=(IdentityInfo
  | where AssignedRoles contains "admin" or GroupMembership has "Admin"
  | summarize by tolower(AccountUPN));
  // known_asns: distinct ASNs of successful sign-ins (ResultType == 0) between
  // 14 days and 1 day ago. There is no user filter here, so the baseline is
  // tenant-wide: an ASN already used by any account is "known" for every admin.
  // NOTE(review): the rule settings on this page use a 7d query period while
  // this baseline asks for 14d; if the scheduler bounds the query to the query
  // period, the effective baseline is shorter than the description states.
  // Confirm and align the two values.
  let known_asns = (
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
  // Detection window: successful sign-ins from the last day by an account in
  // `admins`, from an ASN not present in `known_asns`. Only SigninLogs is read,
  // so sign-ins recorded in other sign-in tables are not evaluated by this rule.
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admins)
  | where AutonomousSystemNumber !in (known_asns)
  // Move the triage-relevant columns to the front of the result.
  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
  // Split the UPN at "@" into the name and suffix columns used for Account entity mapping.
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
# Scheduled analytics rule: successful sign-in by a privileged account from an
# ASN that is not in the baseline built by the query below.

# Columns from the query result that are mapped to alert entities.
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserPrincipalName
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: AccountUPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
# The query runs once a day; its detection window is ago(1d).
queryFrequency: 1d
name: Privileged User Logon from new ASN
severity: Medium
kind: Scheduled
tactics:
- DefenseEvasion
metadata:
  author:
    name: Microsoft Security Research
  source:
    kind: Community
  categories:
    domains:
    - Identity
    - Security - Others
  support:
    tier: Community
# Together with triggerOperator "gt": alert when the query returns more than 0 rows.
triggerThreshold: 0
# The query builds `admins` from IdentityInfo by name match on "admin", builds a
# tenant-wide set of ASNs seen in successful sign-ins between 14d and 1d ago,
# and returns last-day successful admin sign-ins from an ASN outside that set.
# NOTE(review): the name match skips privileged roles/groups without "admin" in
# their name, and only SigninLogs is read - confirm both fit the tenant.
query: |
  let admins=(IdentityInfo
    | where AssignedRoles contains "admin" or GroupMembership has "Admin"
    | summarize by tolower(AccountUPN));
    let known_asns = (
    SigninLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where ResultType == 0
    | summarize by AutonomousSystemNumber);
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where tolower(UserPrincipalName) in (admins)
    | where AutonomousSystemNumber !in (known_asns)
    | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
    | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])  
triggerOperator: gt
# NOTE(review): the query's baseline asks for 14d (ago(14d)) and the description
# promises 14 days, but the query period here is 7d. If the scheduler bounds the
# query to this period, the baseline and the IdentityInfo lookup both see at most
# 7 days of data. Confirm and align this value with the query.
queryPeriod: 7d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
# T1078.004 - Valid Accounts: Cloud Accounts.
relevantTechniques:
- T1078.004
tags:
- AADSecOpsGuide
id: 55073036-bb86-47d3-a85a-b113ac3d9396
# The query reads SigninLogs and IdentityInfo; the BehaviorAnalytics data type
# is listed as required but is not referenced by the query.
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
- connectorId: BehaviorAnalytics
  dataTypes:
  - BehaviorAnalytics
- connectorId: BehaviorAnalytics
  dataTypes:
  - IdentityInfo
version: 1.0.6
description: |
  'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.
    Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'  
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/55073036-bb86-47d3-a85a-b113ac3d9396')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/55073036-bb86-47d3-a85a-b113ac3d9396')]",
      "properties": {
        "alertRuleTemplateName": "55073036-bb86-47d3-a85a-b113ac3d9396",
        "customDetails": null,
        "description": "'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.\n  Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'\n",
        "displayName": "Privileged User Logon from new ASN",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              },
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "AccountUPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml",
        "query": "let admins=(IdentityInfo\n  | where AssignedRoles contains \"admin\" or GroupMembership has \"Admin\"\n  | summarize by tolower(AccountUPN));\n  let known_asns = (\n  SigninLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where ResultType == 0\n  | summarize by AutonomousSystemNumber);\n  SigninLogs\n  | where TimeGenerated > ago(1d)\n  | where ResultType == 0\n  | where tolower(UserPrincipalName) in (admins)\n  | where AutonomousSystemNumber !in (known_asns)\n  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber\n  | extend AccountName = tostring(split(UserPrincipalName, \"@\")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "subTechniques": [
          "T1078.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "DefenseEvasion"
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.6",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}