Authentication Attempt from New Country
Id | ef895ada-e8e8-4cf0-9313-b1ab67fab69f |
Rulename | Authentication Attempt from New Country |
Description | Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days. Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts. Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins |
Severity | Medium |
Tactics | InitialAccess |
Techniques | T1078.004 |
Required data connectors | AzureActiveDirectory |
Kind | Scheduled |
Query frequency | 1d |
Query period | 14d |
Trigger threshold | 0 |
Trigger operator | gt |
Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml |
Version | 1.0.1 |
Arm template | ef895ada-e8e8-4cf0-9313-b1ab67fab69f.json |
let known_locations =
union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by Location;
union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != 50126
| where Location !in (known_locations)
| extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
| extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
| extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
| extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend Place = strcat(City, " - ", State)
| extend DeviceId = tostring(DeviceDetail.deviceId)
| extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category
triggerOperator: gt
id: ef895ada-e8e8-4cf0-9313-b1ab67fab69f
queryFrequency: 1d
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserPrincipalName
identifier: FullName
requiredDataConnectors:
- dataTypes:
- SigninLogs
- AADNonInteractiveUserSignInLogs
connectorId: AzureActiveDirectory
severity: Medium
metadata:
source:
kind: Community
categories:
domains:
- Security - Others
support:
tier: Community
author:
name: Pete Bryan
triggerThreshold: 0
kind: Scheduled
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml
query: |
let known_locations =
union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by Location;
union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType != 50126
| where Location !in (known_locations)
| extend LocationDetails_dynamic = column_ifexists("LocationDetails_dynamic", "")
| extend DeviceDetail_dynamic = column_ifexists("DeviceDetail_dynamic", "")
| extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))
| extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))
| extend City = tostring(LocationDetails.city)
| extend State = tostring(LocationDetails.state)
| extend Place = strcat(City, " - ", State)
| extend DeviceId = tostring(DeviceDetail.deviceId)
| extend Result = strcat(tostring(ResultType), " - ", ResultDescription)
| summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category
description: |
'Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.
Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.
Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'
name: Authentication Attempt from New Country
relevantTechniques:
- T1078.004
tactics:
- InitialAccess
version: 1.0.1
tags:
- AADSecOpsGuide
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/ef895ada-e8e8-4cf0-9313-b1ab67fab69f')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/ef895ada-e8e8-4cf0-9313-b1ab67fab69f')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Authentication Attempt from New Country",
"description": "'Detects when there is a log in attempt from a country that has not seen a successful login in the previous 14 days.\n Threat actors may attempt to authenticate with credentials from compromised accounts - monitoring attempts from anomalous locations may help identify these attempts.\n Authentication attempts should be investigated to ensure the activity was legitimate and if there is other similar activity.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins'\n",
"severity": "Medium",
"enabled": true,
"query": "let known_locations =\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\n | where TimeGenerated between(ago(14d)..ago(1d))\n | where ResultType == 0\n | summarize by Location;\n union isfuzzy=True AADNonInteractiveUserSignInLogs, SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType != 50126\n | where Location !in (known_locations)\n | extend LocationDetails_dynamic = column_ifexists(\"LocationDetails_dynamic\", \"\")\n | extend DeviceDetail_dynamic = column_ifexists(\"DeviceDetail_dynamic\", \"\")\n | extend LocationDetails = iif(isnotempty(LocationDetails_dynamic), LocationDetails_dynamic, parse_json(LocationDetails_string))\n | extend DeviceDetail = iif(isnotempty(DeviceDetail_dynamic), DeviceDetail_dynamic, parse_json(DeviceDetail_string))\n | extend City = tostring(LocationDetails.city)\n | extend State = tostring(LocationDetails.state)\n | extend Place = strcat(City, \" - \", State)\n | extend DeviceId = tostring(DeviceDetail.deviceId)\n | extend Result = strcat(tostring(ResultType), \" - \", ResultDescription)\n | summarize FirstSeen=min(TimeGenerated), LastSeen=max(TimeGenerated), make_set(Result), make_set(IPAddress), make_set(UserAgent), make_set(Place), make_set(DeviceId) by UserPrincipalName, Location, Category\n",
"queryFrequency": "P1D",
"queryPeriod": "P14D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "ef895ada-e8e8-4cf0-9313-b1ab67fab69f",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "UserPrincipalName"
}
],
"entityType": "Account"
}
],
"templateVersion": "1.0.1",
"tags": [
"AADSecOpsGuide"
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AuthenticationAttemptfromNewCountry.yaml"
}
}
]
}