GitHub Signin Burst from Multiple Locations
Id | d3980830-dd9d-40a5-911f-76b44dfdce16 |
Rulename | GitHub Signin Burst from Multiple Locations |
Description | This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO). This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. |
Severity | Medium |
Tactics | CredentialAccess |
Techniques | T1110 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1h |
Query period | 1h |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml |
Version | 1.0.1 |
Arm template | d3980830-dd9d-40a5-911f-76b44dfdce16.json |
let locationThreshold = 1;
let aadFunc = (tableName:string){
table(tableName)
| where AppDisplayName =~ "GitHub.com"
| where ResultType == 0
| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type
| where CountOfLocations > locationThreshold
| extend timestamp = BurstStartTime
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
requiredDataConnectors:
- connectorId: AzureActiveDirectory
dataTypes:
- SigninLogs
- connectorId: AzureActiveDirectory
dataTypes:
- AADNonInteractiveUserSignInLogs
triggerOperator: gt
queryFrequency: 1h
name: GitHub Signin Burst from Multiple Locations
queryPeriod: 1h
id: d3980830-dd9d-40a5-911f-76b44dfdce16
description: |
'This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).
This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '
severity: Medium
query: |
let locationThreshold = 1;
let aadFunc = (tableName:string){
table(tableName)
| where AppDisplayName =~ "GitHub.com"
| where ResultType == 0
| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type
| where CountOfLocations > locationThreshold
| extend timestamp = BurstStartTime
};
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])
triggerThreshold: 0
version: 1.0.1
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml
entityMappings:
- entityType: Account
fieldMappings:
- identifier: Name
columnName: Name
- identifier: UPNSuffix
columnName: UPNSuffix
relevantTechniques:
- T1110
tactics:
- CredentialAccess
status: Available
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/d3980830-dd9d-40a5-911f-76b44dfdce16')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/d3980830-dd9d-40a5-911f-76b44dfdce16')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "GitHub Signin Burst from Multiple Locations",
"description": "'This detection triggers when there is a Signin burst from multiple locations in GitHub (AAD SSO).\n This detection is based on configurable threshold which can be prone to false positives. To view the anomaly based equivalent of thie detection, please see here https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure%20Active%20Directory/Analytic%20Rules/AnomalousUserAppSigninLocationIncrease-detection.yaml. '\n",
"severity": "Medium",
"enabled": true,
"query": "let locationThreshold = 1;\nlet aadFunc = (tableName:string){\ntable(tableName)\n| where AppDisplayName =~ \"GitHub.com\"\n| where ResultType == 0\n| summarize CountOfLocations = dcount(Location), Locations = make_set(Location,100), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName, Type\n| where CountOfLocations > locationThreshold\n| extend timestamp = BurstStartTime\n};\nlet aadSignin = aadFunc(\"SigninLogs\");\nlet aadNonInt = aadFunc(\"AADNonInteractiveUserSignInLogs\");\nunion isfuzzy=true aadSignin, aadNonInt\n| extend Name = tostring(split(UserPrincipalName,'@',0)[0]), UPNSuffix = tostring(split(UserPrincipalName,'@',1)[0])\n",
"queryFrequency": "PT1H",
"queryPeriod": "PT1H",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"CredentialAccess"
],
"techniques": [
"T1110"
],
"alertRuleTemplateName": "d3980830-dd9d-40a5-911f-76b44dfdce16",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "Name"
},
{
"identifier": "UPNSuffix",
"columnName": "UPNSuffix"
}
],
"entityType": "Account"
}
],
"status": "Available",
"templateVersion": "1.0.1",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory/Analytic Rules/Sign-in Burst from Multiple Locations.yaml"
}
}
]
}