Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization

Back


Id	95002681-4ecb-4da3-9ece-26d7e5feaa33
Rulename	Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Description	Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account. To use this analytics rule, make sure you have deployed the ASIM normalization parsers
Severity	Medium
Tactics	InitialAccess Persistence
Techniques	T1078 T1098
Kind	Scheduled
Query frequency	1d
Query period	1d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
Version	1.0.3
Arm template	95002681-4ecb-4da3-9ece-26d7e5feaa33.json

KQL

imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
      , applicationsTargeted = dcount(TargetAppName)
      , applicationSet = make_set(TargetAppName) 
      by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter 
    (
    // Consider these IPs suspicious - and alert any related  successful sign-ins
    imAuthentication
    | where EventResult=='Success'
    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
    | where successfulAccountSigninCount < 100
    )
    on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts

YAML

id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
tags:
- version: 1.0.0
  Id: 500c103a-0319-4d56-8e99-3cec8d860757
requiredDataConnectors: []
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcDvcIpAddr
description: |
  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
query: |
  imAuthentication
  | where EventResult =='Failure'
  | where EventResultDetails == 'User disabled'
  | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
        , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
        , applicationsTargeted = dcount(TargetAppName)
        , applicationSet = make_set(TargetAppName) 
        by SrcDvcIpAddr, Type
  | order by disabledAccountLoginAttempts desc
  | join kind=leftouter 
      (
      // Consider these IPs suspicious - and alert any related  successful sign-ins
      imAuthentication
      | where EventResult=='Success'
      | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
      | where successfulAccountSigninCount < 100
      )
      on SrcDvcIpAddr
  | where isnotempty(successfulAccountSigninCount)
  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
  successfulAccountSigninCount, successfulAccountSigninSet, Type
  | order by disabledAccountLoginAttempts  
severity: Medium
triggerThreshold: 0
queryPeriod: 1d
queryFrequency: 1d
triggerOperator: gt
kind: Scheduled
tactics:
- InitialAccess
- Persistence
relevantTechniques:
- T1078
- T1098
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
version: 1.0.3
metadata:
  source:
    kind: Community

ARM

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "properties": {
        "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33",
        "customDetails": null,
        "description": "'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcDvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml",
        "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n      , applicationsTargeted = dcount(TargetAppName)\n      , applicationSet = make_set(TargetAppName) \n      by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n    (\n    // Consider these IPs suspicious - and alert any related  successful sign-ins\n    imAuthentication\n    | where EventResult=='Success'\n    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n    | where successfulAccountSigninCount < 100\n    )\n    on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "Id": "500c103a-0319-4d56-8e99-3cec8d860757",
            "version": "1.0.0"
          }
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}