Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization
Id | 95002681-4ecb-4da3-9ece-26d7e5feaa33 |
Rulename | Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization) |
Description | Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. To use this analytics rule, make sure you have deployed the ASIM normalization parsers |
Severity | Medium |
Tactics | InitialAccess Persistence |
Techniques | T1078 T1098 |
Kind | Scheduled |
Query frequency | 1d |
Query period | 1d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml |
Version | 1.0.3 |
Arm template | 95002681-4ecb-4da3-9ece-26d7e5feaa33.json |
imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
, disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
, applicationsTargeted = dcount(TargetAppName)
, applicationSet = make_set(TargetAppName)
by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter
(
// Consider these IPs suspicious - and alert any related successful sign-ins
imAuthentication
| where EventResult=='Success'
| summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
| where successfulAccountSigninCount < 100
)
on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet,
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts
tags:
- Id: 500c103a-0319-4d56-8e99-3cec8d860757
version: 1.0.0
queryPeriod: 1d
name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
relevantTechniques:
- T1078
- T1098
metadata:
source:
kind: Community
requiredDataConnectors: []
severity: Medium
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
version: 1.0.3
tactics:
- InitialAccess
- Persistence
kind: Scheduled
query: |
imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
, disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
, applicationsTargeted = dcount(TargetAppName)
, applicationSet = make_set(TargetAppName)
by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter
(
// Consider these IPs suspicious - and alert any related successful sign-ins
imAuthentication
| where EventResult=='Success'
| summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
// Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
| where successfulAccountSigninCount < 100
)
on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet,
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts
entityMappings:
- entityType: IP
fieldMappings:
- identifier: Address
columnName: SrcDvcIpAddr
triggerThreshold: 0
description: |
'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
queryFrequency: 1d
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"apiVersion": "2024-01-01-preview",
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
"kind": "Scheduled",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
"properties": {
"alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33",
"customDetails": null,
"description": "'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
"displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
"enabled": true,
"entityMappings": [
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "SrcDvcIpAddr",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml",
"query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n , applicationsTargeted = dcount(TargetAppName)\n , applicationSet = make_set(TargetAppName) \n by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n (\n // Consider these IPs suspicious - and alert any related successful sign-ins\n imAuthentication\n | where EventResult=='Success'\n | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n | where successfulAccountSigninCount < 100\n )\n on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n",
"queryFrequency": "P1D",
"queryPeriod": "P1D",
"severity": "Medium",
"subTechniques": [],
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess",
"Persistence"
],
"tags": [
{
"Id": "500c103a-0319-4d56-8e99-3cec8d860757",
"version": "1.0.0"
}
],
"techniques": [
"T1078",
"T1098"
],
"templateVersion": "1.0.3",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0
},
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
}
]
}