Authentication Attempt from New Country

let known_locations =
  union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | summarize by Location;
  union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType != 50126
  | where Location !in (known_locations)
  | extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
  | extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
  | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
  | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
  | extend City = tostring(LocationDetails.city)
  | extend State = tostring(LocationDetails.state)
  | extend Place = strcat(City, " - ", State)
  | extend DeviceId = tostring(DeviceDetail.deviceId)
  | extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category

triggerOperator: gt
id: ef895ada-e8e8-4cf0-9313-b1ab67fab69f
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UserPrincipalName
    identifier: FullName
requiredDataConnectors:
- dataTypes:
  - SigninLogs
  - AADNonInteractiveUserSignInLogs
  connectorId: AzureActiveDirectory
severity: Medium
metadata:
  source:
    kind: Community
  categories:
    domains:
    - Security - Others
  support:
    tier: Community
  author:
    name: Pete Bryan
triggerThreshold: 0
kind: Scheduled
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml
query: |
  let known_locations =
    union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
    | where TimeGenerated between(ago(14d)..ago(1d))
    | where ResultType == 0
    | summarize by Location;
    union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
    | where TimeGenerated > ago(1d)
    | where ResultType != 50126
    | where Location !in (known_locations)
    | extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
    | extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
    | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
    | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
    | extend City = tostring(LocationDetails.city)
    | extend State = tostring(LocationDetails.state)
    | extend Place = strcat(City, " - ", State)
    | extend DeviceId = tostring(DeviceDetail.deviceId)
    | extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
    | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category  
description: |
  'Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.
    Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.
    Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
    Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'  
name: Authentication Attempt from New Country
relevantTechniques:
- T1078.004
tactics:
- InitialAccess
version: 1.0.1
tags:
- AADSecOpsGuide

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef895ada-e8e8-4cf0-9313-b1ab67fab69f')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef895ada-e8e8-4cf0-9313-b1ab67fab69f')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Authentication Attempt from New Country",
        "description": "'Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\n  Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\n  Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\n  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
        "severity": "Medium",
        "enabled": true,
        "query": "let known_locations =\n  union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\n  | where TimeGenerated between(ago(14d)..ago(1d))\n  | where ResultType == 0\n  | summarize by Location;\n  union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\n  | where TimeGenerated > ago(1d)\n  | where ResultType != 50126\n  | where Location !in (known_locations)\n  | extend LocationDetails_dynamic = column_ifexists(\"LocationDetails_dynamic\", \"\")\n  | extend DeviceDetail_dynamic = column_ifexists(\"DeviceDetail_dynamic\", \"\")\n  | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\n  | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\n  | extend City = tostring(LocationDetails.city)\n  | extend State = tostring(LocationDetails.state)\n  | extend Place = strcat(City, \" - \", State)\n  | extend DeviceId = tostring(DeviceDetail.deviceId)\n  | extend Result = strcat(tostring(ResultType), \" - \", ResultDescription)\n  | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078.004"
        ],
        "alertRuleTemplateName": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
        "customDetails": null,
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "FullName",
                "columnName": "UserPrincipalName"
              }
            ],
            "entityType": "Account"
          }
        ],
        "templateVersion": "1.0.1",
        "tags": [
          "AADSecOpsGuide"
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml"
      }
    }
  ]
}