Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Authentications of Privileged Accounts Outside of Expected Controls

Back
Idaf435ca1-fb70-4de1-92c1-7435c48482a9
RulenameAuthentications of Privileged Accounts Outside of Expected Controls
DescriptionDetects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.

Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.

Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.

Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
SeverityMedium
TacticsInitialAccess
TechniquesT1078.004
Required data connectorsAzureActiveDirectory
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period7d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml
Version1.0.2
Arm templateaf435ca1-fb70-4de1-92c1-7435c48482a9.json
Deploy To Azure
let admin_users = (IdentityInfo
  | summarize arg_max(TimeGenerated, *) by AccountUPN
  | where AssignedRoles contains "admin"
  | summarize by tolower(AccountUPN));
  let admin_asn = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by AutonomousSystemNumber);
  let admin_locations = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | summarize by Location);
  let admin_devices = (SigninLogs
  | where TimeGenerated between (ago(7d)..ago(1d))
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where isnotempty(deviceId)
  | summarize by deviceId);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admin_users)
  | extend deviceId = tostring(DeviceDetail.deviceId)
  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)
id: af435ca1-fb70-4de1-92c1-7435c48482a9
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  connectorId: AzureActiveDirectory
- dataTypes:
  - BehaviorAnalytics
  connectorId: BehaviorAnalytics
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
description: |
  'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.
    Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.
    Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'  
severity: Medium
queryPeriod: 7d
kind: Scheduled
tags:
- AADSecOpsGuide
tactics:
- InitialAccess
queryFrequency: 1d
query: |
  let admin_users = (IdentityInfo
    | summarize arg_max(TimeGenerated, *) by AccountUPN
    | where AssignedRoles contains "admin"
    | summarize by tolower(AccountUPN));
    let admin_asn = (SigninLogs
    | where TimeGenerated between (ago(7d)..ago(1d))
    | where tolower(UserPrincipalName) in (admin_users)
    | summarize by AutonomousSystemNumber);
    let admin_locations = (SigninLogs
    | where TimeGenerated between (ago(7d)..ago(1d))
    | where tolower(UserPrincipalName) in (admin_users)
    | summarize by Location);
    let admin_devices = (SigninLogs
    | where TimeGenerated between (ago(7d)..ago(1d))
    | where tolower(UserPrincipalName) in (admin_users)
    | extend deviceId = tostring(DeviceDetail.deviceId)
    | where isnotempty(deviceId)
    | summarize by deviceId);
    SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType == 0
    | where tolower(UserPrincipalName) in (admin_users)
    | extend deviceId = tostring(DeviceDetail.deviceId)
    | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)  
version: 1.0.2
triggerThreshold: 0
name: Authentications of Privileged Accounts Outside of Expected Controls
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
relevantTechniques:
- T1078.004
metadata:
  support:
    tier: Community
  categories:
    domains:
    - Security - Others
    - Identity
  author:
    name: Pete Bryan
  source:
    kind: Community
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/af435ca1-fb70-4de1-92c1-7435c48482a9')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/af435ca1-fb70-4de1-92c1-7435c48482a9')]",
      "properties": {
        "alertRuleTemplateName": "af435ca1-fb70-4de1-92c1-7435c48482a9",
        "customDetails": null,
        "description": "'Detects when a privileged user account successfully authenticates from a location, device or ASN that another admin has not logged in from in the last 7 days.\n  Privileged accounts are a key target for threat actors, monitoring for logins from these accounts that deviate from normal activity can help identify compromised accounts.\n  Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins'\n",
        "displayName": "Authentications of Privileged Accounts Outside of Expected Controls",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "UserPrincipalName",
                "identifier": "FullName"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationsofPrivilegedAccountsOutsideofExpectedControls.yaml",
        "query": "let admin_users = (IdentityInfo\n  | summarize arg_max(TimeGenerated, *) by AccountUPN\n  | where AssignedRoles contains \"admin\"\n  | summarize by tolower(AccountUPN));\n  let admin_asn = (SigninLogs\n  | where TimeGenerated between (ago(7d)..ago(1d))\n  | where tolower(UserPrincipalName) in (admin_users)\n  | summarize by AutonomousSystemNumber);\n  let admin_locations = (SigninLogs\n  | where TimeGenerated between (ago(7d)..ago(1d))\n  | where tolower(UserPrincipalName) in (admin_users)\n  | summarize by Location);\n  let admin_devices = (SigninLogs\n  | where TimeGenerated between (ago(7d)..ago(1d))\n  | where tolower(UserPrincipalName) in (admin_users)\n  | extend deviceId = tostring(DeviceDetail.deviceId)\n  | where isnotempty(deviceId)\n  | summarize by deviceId);\n  SigninLogs\n  | where TimeGenerated > ago(1d)\n  | where ResultType == 0\n  | where tolower(UserPrincipalName) in (admin_users)\n  | extend deviceId = tostring(DeviceDetail.deviceId)\n  | where AutonomousSystemNumber !in (admin_asn) and deviceId !in (admin_devices) and Location !in (admin_locations)\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P7D",
        "severity": "Medium",
        "subTechniques": [
          "T1078.004"
        ],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "tags": [
          "AADSecOpsGuide"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.2",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}