Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization

Back


Id	95002681-4ecb-4da3-9ece-26d7e5feaa33
Rulename	Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Description	Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	InitialAccess Persistence
Techniques	T1078 T1098
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
Version	1.0.3
Arm template	95002681-4ecb-4da3-9ece-26d7e5feaa33.json

KQL

imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
      , applicationsTargeted = dcount(TargetAppName)
      , applicationSet = make_set(TargetAppName) 
      by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter 
    (
    // Consider these IPs suspicious - and alert any related  successful sign-ins
    imAuthentication
    | where EventResult=='Success'
    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
    | where successfulAccountSigninCount < 100
    )
    on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts

YAML

tags:
- Id: 500c103a-0319-4d56-8e99-3cec8d860757
  version: 1.0.0
queryPeriod: 1d
name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
relevantTechniques:
- T1078
- T1098
metadata:
  source:
    kind: Community
requiredDataConnectors: []
severity: Medium
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
version: 1.0.3
tactics:
- InitialAccess
- Persistence
kind: Scheduled
query: |
  imAuthentication
  | where EventResult =='Failure'
  | where EventResultDetails == 'User disabled'
  | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
        , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
        , applicationsTargeted = dcount(TargetAppName)
        , applicationSet = make_set(TargetAppName) 
        by SrcDvcIpAddr, Type
  | order by disabledAccountLoginAttempts desc
  | join kind=leftouter 
      (
      // Consider these IPs suspicious - and alert any related  successful sign-ins
      imAuthentication
      | where EventResult=='Success'
      | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
      | where successfulAccountSigninCount < 100
      )
      on SrcDvcIpAddr
  | where isnotempty(successfulAccountSigninCount)
  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
  successfulAccountSigninCount, successfulAccountSigninSet, Type
  | order by disabledAccountLoginAttempts  
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcDvcIpAddr
triggerThreshold: 0
description: |
  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
queryFrequency: 1d

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "properties": {
        "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33",
        "customDetails": null,
        "description": "'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcDvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml",
        "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n      , applicationsTargeted = dcount(TargetAppName)\n      , applicationSet = make_set(TargetAppName) \n      by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n    (\n    // Consider these IPs suspicious - and alert any related  successful sign-ins\n    imAuthentication\n    | where EventResult=='Success'\n    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n    | where successfulAccountSigninCount < 100\n    )\n    on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "Id": "500c103a-0319-4d56-8e99-3cec8d860757",
            "version": "1.0.0"
          }
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}