Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sign-ins from IPs that attempt sign-ins to disabled accounts Uses Authentication Normalization

Back
Id95002681-4ecb-4da3-9ece-26d7e5feaa33
RulenameSign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
DescriptionIdentifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.

To use this analytics rule, make sure you have deployed the ASIM normalization parsers
SeverityMedium
TacticsInitialAccess
Persistence
TechniquesT1078
T1098
KindScheduled
Query frequency1d
Query period1d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
Version1.0.3
Arm template95002681-4ecb-4da3-9ece-26d7e5feaa33.json
Deploy To Azure
imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
      , applicationsTargeted = dcount(TargetAppName)
      , applicationSet = make_set(TargetAppName) 
      by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter 
    (
    // Consider these IPs suspicious - and alert any related  successful sign-ins
    imAuthentication
    | where EventResult=='Success'
    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
    | where successfulAccountSigninCount < 100
    )
    on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts
kind: Scheduled
query: |
  imAuthentication
  | where EventResult =='Failure'
  | where EventResultDetails == 'User disabled'
  | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
        , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
        , applicationsTargeted = dcount(TargetAppName)
        , applicationSet = make_set(TargetAppName) 
        by SrcDvcIpAddr, Type
  | order by disabledAccountLoginAttempts desc
  | join kind=leftouter 
      (
      // Consider these IPs suspicious - and alert any related  successful sign-ins
      imAuthentication
      | where EventResult=='Success'
      | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
      | where successfulAccountSigninCount < 100
      )
      on SrcDvcIpAddr
  | where isnotempty(successfulAccountSigninCount)
  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
  successfulAccountSigninCount, successfulAccountSigninSet, Type
  | order by disabledAccountLoginAttempts  
relevantTechniques:
- T1078
- T1098
entityMappings:
- entityType: IP
  fieldMappings:
  - columnName: SrcDvcIpAddr
    identifier: Address
triggerOperator: gt
triggerThreshold: 0
queryPeriod: 1d
tactics:
- InitialAccess
- Persistence
id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
requiredDataConnectors: []
tags:
- Id: 500c103a-0319-4d56-8e99-3cec8d860757
  version: 1.0.0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml
description: |
  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'  
queryFrequency: 1d
name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
severity: Medium
version: 1.0.3
metadata:
  source:
    kind: Community
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/95002681-4ecb-4da3-9ece-26d7e5feaa33')]",
      "properties": {
        "alertRuleTemplateName": "95002681-4ecb-4da3-9ece-26d7e5feaa33",
        "customDetails": null,
        "description": "'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.\nTo use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'\n",
        "displayName": "Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "SrcDvcIpAddr",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml",
        "query": "imAuthentication\n| where EventResult =='Failure'\n| where EventResultDetails == 'User disabled'\n| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()\n      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)\n      , applicationsTargeted = dcount(TargetAppName)\n      , applicationSet = make_set(TargetAppName) \n      by SrcDvcIpAddr, Type\n| order by disabledAccountLoginAttempts desc\n| join kind=leftouter \n    (\n    // Consider these IPs suspicious - and alert any related  successful sign-ins\n    imAuthentication\n    | where EventResult=='Success'\n    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type\n    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe\n    | where successfulAccountSigninCount < 100\n    )\n    on SrcDvcIpAddr\n| where isnotempty(successfulAccountSigninCount)\n| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, \nsuccessfulAccountSigninCount, successfulAccountSigninSet, Type\n| order by disabledAccountLoginAttempts\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P1D",
        "severity": "Medium",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "Persistence"
        ],
        "tags": [
          {
            "Id": "500c103a-0319-4d56-8e99-3cec8d860757",
            "version": "1.0.0"
          }
        ],
        "techniques": [
          "T1078",
          "T1098"
        ],
        "templateVersion": "1.0.3",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}