Anomolous Single Factor Signin
| Id | f7c3f5c8-71ea-49ff-b8b3-148f0e346291 |
| Rulename | Anomolous Single Factor Signin |
| Description | Detects successful signins using single factor authentication where the device, location, and ASN are abnormal. Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in |
| Severity | Low |
| Tactics | InitialAccess |
| Techniques | T1078.004 |
| Required data connectors | AzureActiveDirectory |
| Kind | Scheduled |
| Query frequency | 1d |
| Query period | 7d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml |
| Version | 1.0.2 |
| Arm template | f7c3f5c8-71ea-49ff-b8b3-148f0e346291.json |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
name: Anomolous Single Factor Signin
query: |
let known_locations = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| summarize by LocationDetail);
let known_asn = (SigninLogs
| where TimeGenerated between(ago(7d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where isempty(DeviceDetail.deviceId)
| where AuthenticationRequirement == "singleFactorAuthentication"
| extend LocationDetail = strcat(Location, "-", LocationDetails.state)
| where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
metadata:
source:
kind: Community
author:
name: Pete Bryan
categories:
domains:
- Security - Others
support:
tier: Community
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
queryFrequency: 1d
triggerThreshold: 0
requiredDataConnectors:
- dataTypes:
- SigninLogs
connectorId: AzureActiveDirectory
version: 1.0.2
queryPeriod: 7d
id: f7c3f5c8-71ea-49ff-b8b3-148f0e346291
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: Name
columnName: UserPrincipalName
entityType: Account
- fieldMappings:
- identifier: Address
columnName: IPAddress
entityType: IP
tags:
- AADSecOpsGuide
relevantTechniques:
- T1078.004
severity: Low
description: |
'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.
Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.
Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
kind: Scheduled
tactics:
- InitialAccess
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f7c3f5c8-71ea-49ff-b8b3-148f0e346291')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01",
"properties": {
"displayName": "Anomolous Single Factor Signin",
"description": "'Detects successful signins using single factor authentication where the device, location, and ASN are abnormal.\n Single factor authentications pose an opportunity to access compromised accounts, investigate these for anomalous occurrencess.\n Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'\n",
"severity": "Low",
"enabled": true,
"query": "let known_locations = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | summarize by LocationDetail);\n let known_asn = (SigninLogs\n | where TimeGenerated between(ago(7d)..ago(1d))\n | where ResultType == 0\n | summarize by AutonomousSystemNumber);\n SigninLogs\n | where TimeGenerated > ago(1d)\n | where ResultType == 0\n | where isempty(DeviceDetail.deviceId)\n | where AuthenticationRequirement == \"singleFactorAuthentication\"\n | extend LocationDetail = strcat(Location, \"-\", LocationDetails.state)\n | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078.004"
],
"alertRuleTemplateName": "f7c3f5c8-71ea-49ff-b8b3-148f0e346291",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "Name",
"columnName": "UserPrincipalName"
}
],
"entityType": "Account"
},
{
"fieldMappings": [
{
"identifier": "Address",
"columnName": "IPAddress"
}
],
"entityType": "IP"
}
],
"tags": [
"AADSecOpsGuide"
],
"templateVersion": "1.0.2",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Detections/SigninLogs/AnomolousSingleFactorSignin.yaml"
}
}
]
}