F&O - Unusual sign-in activity using single factor authentication
| Id | 919e939f-95e2-4978-846e-13a721c89ea1 |
| Rulename | F&O - Unusual sign-in activity using single factor authentication |
| Description | Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants with no MFA sign-ins to these applications in the lookback window, sign-ins coming from a Microsoft Entra trusted network location, and sign-ins from geolocations seen previously in the last 14 days are excluded. |
| Severity | Low |
| Tactics | CredentialAccess InitialAccess |
| Techniques | T1552 T1078 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml |
| Version | 3.2.0 |
| Arm template | 919e939f-95e2-4978-846e-13a721c89ea1.json |
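// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
let query_frequency = 1h;
let query_lookback = 14d;
// Baseline window stops at ago(query_frequency) so the sign-ins evaluated below
// cannot add their own location to the "seen before" set.
let historical_sign_in_activity = SigninLogs
| where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
// Geolocations treated as known. Only successful sign-ins count: otherwise a failed
// attempt (e.g. a password spray) from a new location would pre-authorise that location
// for the next 14 days. The baseline is tenant-wide (all users, all applications), as
// the rule description states; it is not a per-user baseline.
let historical_sign_in_locations = historical_sign_in_activity
| where ResultType == 0
| summarize by Location;
// Tenants with no successful MFA sign-ins to these apps in the baseline window are
// excluded: if MFA is not in use, every sign-in is single-factor and the rule is noise.
let multifactor_sign_in_count = toscalar(historical_sign_in_activity
| where AppId in (appid_list) and ResultType == 0
| where AuthenticationRequirement == "multiFactorAuthentication"
| summarize count());
SigninLogs
| where TimeGenerated >= ago(query_frequency)
| where AppId in (appid_list) and ResultType == 0
// The rule is scoped to single-factor sign-ins; without this filter a successful
// MFA sign-in from a new location would also raise the alert.
| where AuthenticationRequirement == "singleFactorAuthentication"
| where multifactor_sign_in_count > 0
| where Location !in (historical_sign_in_locations)
// Sign-ins from Entra trusted named locations are considered expected.
| where NetworkLocationDetails !has "trustedNamedLocation"
| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
| extend
    CloudAppId = 32780,
    AccountName = tostring(split(UserPrincipalName, "@")[0]),
    UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    CloudAppId,
    AccountName,
    UPNSuffix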
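# Sentinel scheduled analytic rule: single-factor sign-ins to Dynamics 365 F&O / LCS
# from a geolocation not seen in the tenant's successful sign-ins over the last 14 days.
queryFrequency: 1h
relevantTechniques:
  - T1552
  - T1078
tactics:
  - CredentialAccess
  - InitialAccess
id: 919e939f-95e2-4978-846e-13a721c89ea1
triggerOperator: gt
triggerThreshold: 0
query: |
  // Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
  // Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
  let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
  let query_frequency = 1h;
  let query_lookback = 14d;
  // Baseline window stops at ago(query_frequency) so the sign-ins evaluated below
  // cannot add their own location to the "seen before" set.
  let historical_sign_in_activity = SigninLogs
  | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
  // Geolocations treated as known. Only successful sign-ins count: otherwise a failed
  // attempt (e.g. a password spray) from a new location would pre-authorise that location
  // for the next 14 days. The baseline is tenant-wide (all users, all applications), as
  // the rule description states; it is not a per-user baseline.
  let historical_sign_in_locations = historical_sign_in_activity
  | where ResultType == 0
  | summarize by Location;
  // Tenants with no successful MFA sign-ins to these apps in the baseline window are
  // excluded: if MFA is not in use, every sign-in is single-factor and the rule is noise.
  let multifactor_sign_in_count = toscalar(historical_sign_in_activity
  | where AppId in (appid_list) and ResultType == 0
  | where AuthenticationRequirement == "multiFactorAuthentication"
  | summarize count());
  SigninLogs
  | where TimeGenerated >= ago(query_frequency)
  | where AppId in (appid_list) and ResultType == 0
  // The rule is scoped to single-factor sign-ins; without this filter a successful
  // MFA sign-in from a new location would also raise the alert.
  | where AuthenticationRequirement == "singleFactorAuthentication"
  | where multifactor_sign_in_count > 0
  | where Location !in (historical_sign_in_locations)
  // Sign-ins from Entra trusted named locations are considered expected.
  | where NetworkLocationDetails !has "trustedNamedLocation"
  | summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
  | extend
      CloudAppId = 32780,
      AccountName = tostring(split(UserPrincipalName, "@")[0]),
      UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  | project
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      CloudAppId,
      AccountName,
      UPNSuffix
severity: Low
eventGroupingSettings:
  aggregationKind: SingleAlert
kind: Scheduled
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
  - entityType: CloudApplication
    fieldMappings:
      - identifier: AppId
        columnName: CloudAppId
version: 3.2.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
name: F&O - Unusual sign-in activity using single factor authentication
description: Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants with no MFA sign-ins to these applications in the lookback window, sign-ins coming from a Microsoft Entra trusted network location, and sign-ins from geolocations seen previously in the last 14 days are excluded.
alertDetailsOverride:
  alertDescriptionFormat: Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.
  alertDisplayNameFormat: Dynamics 365 F&O - Unusual sign-in without multi-factor authentication
status: Available
queryPeriod: 14d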