Microsoft Sentinel Analytic Rules

F&O - Unusual sign-in activity using single factor authentication

Id919e939f-95e2-4978-846e-13a721c89ea1
RulenameF&O - Unusual sign-in activity using single factor authentication
DescriptionIdentifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.
SeverityLow
TacticsCredentialAccess
InitialAccess
TechniquesT1552
T1078
Required data connectorsAzureActiveDirectory
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
Version3.2.0
Arm template919e939f-95e2-4978-846e-13a721c89ea1.json
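// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
let query_frequency = 1h;
let query_lookback = 14d;
// Baseline window: the lookback period up to, but excluding, the current run
// window, so an event in the current hour is never compared against itself.
let historical_sign_in_activity = SigninLogs
    | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
// Locations observed during the baseline. This set is built from all sign-ins
// in the tenant (any app, any user), so it is a tenant-wide allow-list rather
// than a per-user one: a location used by any user in the last 14 days
// suppresses the alert for every user.
let historical_sign_in_locations = historical_sign_in_activity
    | summarize by Location;
// Count of successful MFA sign-ins to the in-scope apps during the baseline.
// A zero here is taken to mean the tenant does not enforce MFA for these apps,
// in which case single-factor sign-ins are expected and the rule stays silent.
let multifactor_sign_in_count = toscalar(historical_sign_in_activity
    | where AppId in (appid_list) and ResultType == 0
    | where AuthenticationRequirement == "multiFactorAuthentication"
    | summarize count());
SigninLogs
| where TimeGenerated >= ago(query_frequency)
| where AppId in (appid_list) and ResultType == 0
// Restrict to single-factor sign-ins. The rule name and description promise
// this, but the original query had no such filter, so MFA-protected sign-ins
// from a new location were alerted on as well.
| where AuthenticationRequirement == "singleFactorAuthentication"
| where multifactor_sign_in_count > 0
| where Location !in (historical_sign_in_locations)
// Sign-ins from a Microsoft Entra trusted named location are out of scope.
| where NetworkLocationDetails !has "trustedNamedLocation"
| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
| extend
    // Constant id mapped to the CloudApplication entity by the rule's
    // entityMappings (presumably the Dynamics 365 app-catalog id; confirm).
    CloudAppId = 32780,
    // Split the UPN into the Account entity's Name / UPNSuffix identifiers.
    AccountName = tostring(split(UserPrincipalName, "@")[0]),
    UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
| project
    UserPrincipalName,
    AppDisplayName,
    IPAddress,
    Location,
    CloudAppId,
    AccountName,
    UPNSuffix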
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountName
  - identifier: UPNSuffix
    columnName: UPNSuffix
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPAddress
- entityType: CloudApplication
  fieldMappings:
  - identifier: AppId
    columnName: CloudAppId
queryFrequency: 1h
name: F&O - Unusual sign-in activity using single factor authentication
alertDetailsOverride:
  alertDisplayNameFormat: Dynamics 365 F&O - Unusual sign-in without multi-factor authentication
  alertDescriptionFormat: Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.
kind: Scheduled
tactics:
- CredentialAccess
- InitialAccess
triggerThreshold: 0
query: |
  // Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0
  // Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000
  let appid_list = dynamic(["913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0", "00000015-0000-0000-c000-000000000000"]);
  let query_frequency = 1h;
  let query_lookback = 14d;
  let historical_sign_in_activity = SigninLogs
      | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));
  let historical_sign_in_locations = historical_sign_in_activity
      | summarize by Location;
  let multifactor_sign_in_count = toscalar(historical_sign_in_activity
      | where AppId in (appid_list) and ResultType == 0
      | where AuthenticationRequirement == "multiFactorAuthentication"
      | summarize count());
  SigninLogs
  | where TimeGenerated >= ago(query_frequency)
  | where AppId in (appid_list) and ResultType == 0
  | where multifactor_sign_in_count > 0
  | where Location !in (historical_sign_in_locations)
  | where NetworkLocationDetails !has "trustedNamedLocation"
  | summarize by UserPrincipalName, AppDisplayName, IPAddress, Location
  | extend
      CloudAppId = 32780,
      AccountName = tostring(split(UserPrincipalName, "@")[0]),
      UPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  | project
      UserPrincipalName,
      AppDisplayName,
      IPAddress,
      Location,
      CloudAppId,
      AccountName,
      UPNSuffix  
relevantTechniques:
- T1552
- T1078
triggerOperator: gt
queryPeriod: 14d
eventGroupingSettings:
  aggregationKind: SingleAlert
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml
severity: Low
status: Available
id: 919e939f-95e2-4978-846e-13a721c89ea1
requiredDataConnectors:
- connectorId: AzureActiveDirectory
  dataTypes:
  - SigninLogs
version: 3.2.0
description: Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/919e939f-95e2-4978-846e-13a721c89ea1')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/919e939f-95e2-4978-846e-13a721c89ea1')]",
      "properties": {
        "alertDetailsOverride": {
          "alertDescriptionFormat": "Successful sign in by {{UserPrincipalName}} to {{AppDisplayName}} from location {{Location}} which has not been seen before in the last 14 days.",
          "alertDisplayNameFormat": "Dynamics 365 F&O - Unusual sign-in without multi-factor authentication"
        },
        "alertRuleTemplateName": "919e939f-95e2-4978-846e-13a721c89ea1",
        "customDetails": null,
        "description": "Identifies successful sign-in events to Finance & Operations and Lifecycle Services using single factor/password authentication. Sign-in events from tenants not using MFA, coming from a Microsoft Entra trusted network location, or from geolocations seen previously in the last 14 days are excluded.",
        "displayName": "F&O - Unusual sign-in activity using single factor authentication",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountName",
                "identifier": "Name"
              },
              {
                "columnName": "UPNSuffix",
                "identifier": "UPNSuffix"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPAddress",
                "identifier": "Address"
              }
            ]
          },
          {
            "entityType": "CloudApplication",
            "fieldMappings": [
              {
                "columnName": "CloudAppId",
                "identifier": "AppId"
              }
            ]
          }
        ],
        "eventGroupingSettings": {
          "aggregationKind": "SingleAlert"
        },
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Microsoft Business Applications/Analytic Rules/F&O - Unusual sign-in activity using single factor authentication.yaml",
        "query": "// Dynamics Lifecycle services: 913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\n// Microsoft Dynamics ERP: 00000015-0000-0000-c000-000000000000\nlet appid_list = dynamic([\"913c6de4-2a4a-4a61-a9ce-945d2b2ce2e0\", \"00000015-0000-0000-c000-000000000000\"]);\nlet query_frequency = 1h;\nlet query_lookback = 14d;\nlet historical_sign_in_activity = SigninLogs\n    | where TimeGenerated between (ago(query_lookback) .. ago(query_frequency));\nlet historical_sign_in_locations = historical_sign_in_activity\n    | summarize by Location;\nlet multifactor_sign_in_count = toscalar(historical_sign_in_activity\n    | where AppId in (appid_list) and ResultType == 0\n    | where AuthenticationRequirement == \"multiFactorAuthentication\"\n    | summarize count());\nSigninLogs\n| where TimeGenerated >= ago(query_frequency)\n| where AppId in (appid_list) and ResultType == 0\n| where multifactor_sign_in_count > 0\n| where Location !in (historical_sign_in_locations)\n| where NetworkLocationDetails !has \"trustedNamedLocation\"\n| summarize by UserPrincipalName, AppDisplayName, IPAddress, Location\n| extend\n    CloudAppId = 32780,\n    AccountName = tostring(split(UserPrincipalName, \"@\")[0]),\n    UPNSuffix = tostring(split(UserPrincipalName, \"@\")[1])\n| project\n    UserPrincipalName,\n    AppDisplayName,\n    IPAddress,\n    Location,\n    CloudAppId,\n    AccountName,\n    UPNSuffix\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "Low",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "CredentialAccess",
          "InitialAccess"
        ],
        "techniques": [
          "T1078",
          "T1552"
        ],
        "templateVersion": "3.2.0",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}