Microsoft Sentinel Analytic Rules

FO - Unusual sign-in activity using single factor authentication

Id919e939f-95e2-4978-846e-13a721c89ea1
RulenameF&O - Unusual sign-in activity using single factor authentication
DescriptionIdentifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.
SeverityLow
TacticsCredentialAccess
InitialAccess
TechniquesT1552
T1078
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
Version3.2.0
Arm template919e939f-95e2-4978-846e-13a721c89ea1.json
// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
// Application (client) IDs whose successful sign-ins this rule inspects.
let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
// Mirror the rule's queryFrequency (1h) and queryPeriod (14d); the baseline
// window below ends exactly where the detection window starts, so the two
// do not overlap.
let query_frequency = 1h;
let query_lookback = 14d;
// Baseline: every SigninLogs row in the 14d window preceding the current
// detection window, i.e. ago(14d) .. ago(1h).
let historical_sign_in_activity = SigninLogs
    | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
// Locations already seen in the baseline. NOTE(review): this is taken from
// all sign-ins in the tenant — any app, successful or failed — so a location
// seen only in a failed attempt still counts as "known" and is not alerted on.
let historical_sign_in_locations = historical_sign_in_activity
    | summarize by Location;
// Count of successful MFA sign-ins to the monitored apps in the baseline;
// used further down as a proxy for "this tenant uses MFA on these apps".
let multifactor_sign_in_count = toscalar(historical_sign_in_activity
    | where AppId in (appid_list) and ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize count());
SigninLogs
| where TimeGenerated >= ago(query_frequency)
| where AppId in (appid_list) and ResultType == 0
// Skip tenants with no MFA sign-in to these apps in the baseline (description:
// "tenants not using MFA ... are excluded").
| where multifactor_sign_in_count > 0
// NOTE(review): nothing here restricts the current sign-in to single-factor
// authentication, although the description and alert title say so — an MFA
// sign-in from a new location alerts as well. If that is unintended, add
// `| where AuthenticationRequirement == "singleFactorAuthentication"` here.
| where Location !in (historical_sign_in_locations)
// Exclude sign-ins coming from an Entra trusted named location.
| where NetworkLocationDetails !has "trustedNamedLocation"
| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
| extend
    // Fixed id consumed by the rule's CloudApplication entity mapping.
    CloudAppId = 32780,
    // Split the UPN into the Account entity's Name / UPNSuffix parts.
    AccountName = tostring(split(UserPrincipalName, "@")[0]),
    UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    CloudAppId,
    AccountName,
    UPNSuffix
relevantTechniques:
- T1552
- T1078
name: F&O - Unusual sign-in activity using single factor authentication
queryPeriod: 14d
triggerThreshold: 0
alertDetailsOverride:
  alertDescriptionFormat: Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.
  alertDisplayNameFormat: Dynamics 365 F&O - Unusual sign-in without multi-factor authentication
id: 919e939f-95e2-4978-846e-13a721c89ea1
eventGroupingSettings:
  aggregationKind: SingleAlert
severity: Low
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
description: Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.
version: 3.2.0
status: Available
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountName
    identifier: Name
  - columnName: UPNSuffix
    identifier: UPNSuffix
- entityType: IP
  fieldMappings:
  - columnName: IPAddress
    identifier: Address
- entityType: CloudApplication
  fieldMappings:
  - columnName: CloudAppId
    identifier: AppId
tactics:
- CredentialAccess
- InitialAccess
query: |
  // Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
  // Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
  // Application (client) IDs whose successful sign-ins this rule inspects.
  let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
  // Mirror the rule's queryFrequency (1h) and queryPeriod (14d); the baseline
  // window below ends exactly where the detection window starts, so the two
  // do not overlap.
  let query_frequency = 1h;
  let query_lookback = 14d;
  // Baseline: every SigninLogs row in the 14d window preceding the current
  // detection window, i.e. ago(14d) .. ago(1h).
  let historical_sign_in_activity = SigninLogs
      | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
  // Locations already seen in the baseline. NOTE(review): this is taken from
  // all sign-ins in the tenant — any app, successful or failed — so a location
  // seen only in a failed attempt still counts as "known" and is not alerted on.
  let historical_sign_in_locations = historical_sign_in_activity
      | summarize by Location;
  // Count of successful MFA sign-ins to the monitored apps in the baseline;
  // used further down as a proxy for "this tenant uses MFA on these apps".
  let multifactor_sign_in_count = toscalar(historical_sign_in_activity
      | where AppId in (appid_list) and ResultType == 0
      | where AuthenticationRequirement == "multiFactorAuthentication"
      | summarize count());
  SigninLogs
  | where TimeGenerated >= ago(query_frequency)
  | where AppId in (appid_list) and ResultType == 0
  // Skip tenants with no MFA sign-in to these apps in the baseline (description:
  // "tenants not using MFA ... are excluded").
  | where multifactor_sign_in_count > 0
  // NOTE(review): nothing here restricts the current sign-in to single-factor
  // authentication, although the description and alert title say so — an MFA
  // sign-in from a new location alerts as well. If that is unintended, add
  // `| where AuthenticationRequirement == "singleFactorAuthentication"` here.
  | where Location !in (historical_sign_in_locations)
  // Exclude sign-ins coming from an Entra trusted named location.
  | where NetworkLocationDetails !has "trustedNamedLocation"
  | summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
  | extend
      // Fixed id consumed by the rule's CloudApplication entity mapping.
      CloudAppId = 32780,
      // Split the UPN into the Account entity's Name / UPNSuffix parts.
      AccountName = tostring(split(UserPrincipalName, "@")[0]),
      UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  | project
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      CloudAppId,
      AccountName,
      UPNSuffix  
kind: Scheduled
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
queryFrequency: 1h
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/919e939f-95e2-4978-846e-13a721c89ea1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/919e939f-95e2-4978-846e-13a721c89ea1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.",
          "alertDisplayNameFormat": "Dynamics 365 F&O - Unusual sign-in without multi-factor authentication"
        },
        "alertRuleTemplateName": "919e939f-95e2-4978-846e-13a721c89ea1",
        "customDetails": null,
        "description": "Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.",
        "displayName": "F&O - Unusual sign-in activity using single factor authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml",
        "query": "// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\n// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000\nlet appid_list = dynamic([\"913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\", \"00000015-0000-0000-c000-000000000000\"]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_sign_in_activity = SigninLogs\n    | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));\nlet historical_sign_in_locations = historical_sign_in_activity\n    | summarize by Location;\nlet multifactor_sign_in_count = toscalar(historical_sign_in_activity\n    | where AppId in (appid_list) and ResultType == 0\n    | where AuthenticationRequirement == \"multiFactorAuthentication\"\n    | summarize count());\nSigninLogs\n| where TimeGenerated >= ago(query_frequency)\n| where AppId in (appid_list) and ResultType == 0\n| where multifactor_sign_in_count > 0\n| where Location !in (historical_sign_in_locations)\n| where NetworkLocationDetails !has \"trustedNamedLocation\"\n| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location\n| extend\n    CloudAppId = 32780,\n    AccountName = tostring(split(UserPrincipalName, \"@\")[0]),\n    UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n| project\n    UserPrincipalName,\n    AppDisplayName,\n    IPAddress,\n    Location,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1552"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}