Anomolous Single Factor Signin
| Id | f7c3f5c8-71ea-49ff-b8b3-148f0e346291 |
| Rulename | Anomolous Single Factor Signin |
| Description | Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in |
| Severity | Low |
| Tactics | InitialAccess |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml |
| Version | 1.0.2 |
| Arm template | f7c3f5c8-71ea-49ff-b8b3-148f0e346291.json |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
metadata:
author:
name: Pete Bryan
support:
tier: Community
source:
kind: Community
categories:
domains:
- Security - Others
severity: Low
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
description: |
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.
Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
tags:
- AADSecOpsGuide
triggerOperator: gt
queryPeriod: 7d
requiredDataConnectors:
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
queryFrequency: 1d
triggerThreshold: 0
tactics:
- InitialAccess
query: |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
kind: Scheduled
relevantTechniques:
- T1078.004
version: 1.0.2
id: f7c3f5c8-71ea-49ff-b8b3-148f0e346291
entityMappings:
- fieldMappings:
- columnName: UserPrincipalName
identifier: Name
entityType: Account
- fieldMappings:
- columnName: IPAddress
identifier: Address
entityType: IP
name: Anomolous Single Factor Signin
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "Anomolous Single Factor Signin",
"description": "'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'\n",
"severity": "Low",
"enabled": true,
"query": "let known_locations = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | summarize by LocationDetail);\n let known_asn = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | summarize by AutonomousSystemNumber);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where isempty(DeviceDetail.deviceId)\n | where AuthenticationRequirement == \"singleFactorAuthentication\"\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "f7c3f5c8-71ea-49ff-b8b3-148f0e346291",
"customDetails": null,
"entityMappings": [
{
"entityType": "Account",
"fieldMappings": [
{
"columnName": "UserPrincipalName",
"identifier": "Name"
}
]
},
{
"entityType": "IP",
"fieldMappings": [
{
"columnName": "IPAddress",
"identifier": "Address"
}
]
}
],
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml",
"tags": [
"AADSecOpsGuide"
],
"templateVersion": "1.0.2"
}
}
]
}