Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Attempts to sign in to disabled accounts

Back
Id75ea5c39-93e5-489b-b1e1-68fa6c9d2d04
RulenameAttempts to sign in to disabled accounts
DescriptionIdentifies failed attempts to sign in to disabled accounts across multiple Azure Applications.

Default threshold for Azure Applications attempted to sign in to is 3.

References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes

50057 - User account is disabled. The account has been disabled by an administrator.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
Version1.0.1
Arm template75ea5c39-93e5-489b-b1e1-68fa6c9d2d04.json
Deploy To Azure
let threshold = 3;
let aadFunc = (tableName:string){
table(tableName)
| where ResultType == "50057"
| where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),
applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type
| where applicationCount >= threshold
| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
name: Attempts to sign in to disabled accounts
query: |
  let threshold = 3;
  let aadFunc = (tableName:string){
  table(tableName)
  | where ResultType == "50057"
  | where ResultDescription =~ "User account is disabled. The account has been disabled by an administrator."
  | summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),
  applicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type
  | where applicationCount >= threshold
  | extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt  
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - AADNonInteractiveUserSignInLogs
  connectorId: AzureActiveDirectory
version: 1.0.1
status: Available
queryPeriod: 1d
id: 75ea5c39-93e5-489b-b1e1-68fa6c9d2d04
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: FullName
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
relevantTechniques:
- T1078
severity: Medium
description: |
  'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.
  Default threshold for Azure Applications attempted to sign in to is 3.
  References: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes
  50057 - User account is disabled. The account has been disabled by an administrator.'  
kind: Scheduled
tactics:
- InitialAccess
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/75ea5c39-93e5-489b-b1e1-68fa6c9d2d04')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Attempts to sign in to disabled accounts",
        "description": "'Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.\nDefault threshold for Azure Applications attempted to sign in to is 3.\nReferences: https://docs.microsoft.com/azure/active-directory/reports-monitoring/reference-sign-ins-error-codes\n50057 - User account is disabled. The account has been disabled by an administrator.'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let threshold = 3;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where ResultType == \"50057\"\n| where ResultDescription =~ \"User account is disabled. The account has been disabled by an administrator.\"\n| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), applicationCount = dcount(AppDisplayName),\napplicationSet = make_set(AppDisplayName), count() by UserPrincipalName, IPAddress, Type\n| where applicationCount >= threshold\n| extend timestamp = StartTime, AccountCustomEntity = UserPrincipalName, IPCustomEntity = IPAddress\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "75ea5c39-93e5-489b-b1e1-68fa6c9d2d04",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "AccountCustomEntity"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "IPCustomEntity"
              }
            ],
            "entityType": "IP"
          }
        ],
        "status": "Available",
        "templateVersion": "1.0.1",
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/DisabledAccountSigninsAcrossManyApplications.yaml"
      }
    }
  ]
}