Detections/SigninLogs/AnomolousSingleFactorSignin.yaml
Added new detections and hunting queries for the AAD Sec Ops Guide Removed URL localization from queries Repleaced incorrect 'scheduled' with 'Scheduled'9bcef98
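id: f7c3f5c8-71ea-49ff-b8b3-148f0e346291
name: Anomalous Single Factor Signin
description: |
  'Detects successful sign-ins that used single-factor authentication, carried no Azure AD device ID
  (i.e. the sign-in did not come from a registered/joined device), and originated from both a
  Location/state pair AND an ASN that produced no successful sign-in anywhere in the tenant during the
  baseline window (7 days ago up to 1 day ago).
  Single-factor sign-ins are the easiest route into an account whose password has been compromised, so
  investigate these for anomalous occurrences. Note that the baseline is tenant-wide rather than
  per-user: a location/ASN that any other account already signed in from successfully during the
  window will not be flagged, even if it is new for the affected user.
  Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-devices#non-compliant-device-sign-in'
severity: Low
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
queryFrequency: 1d
# 7 days of lookback are needed so the baseline sub-queries below can see 7d..1d ago.
queryPeriod: 7d
# Fires on any single matching row.
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  // Baselines cover successful sign-ins from 7 days ago up to 1 day ago. The most recent
  // day is the detection window and is left out of the baseline, so the sign-ins being
  // evaluated cannot baseline themselves.
  // Both baselines are tenant-wide, not per-user: only infrastructure that is new to the
  // whole tenant is flagged. If an already-compromised account signed in from the
  // attacker's ASN/location during the window, those values are treated as known.
  let known_locations = (SigninLogs
    | where TimeGenerated between(ago(7d)..ago(1d))
    | where ResultType == 0
    // LocationDetails.state may be absent for some geo-IP results; the key then ends in "-"
    | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
    | summarize by LocationDetail);
  let known_asn = (SigninLogs
    | where TimeGenerated between(ago(7d)..ago(1d))
    | where ResultType == 0
    | summarize by AutonomousSystemNumber);
  SigninLogs
  | where TimeGenerated > ago(1d)
  // successful sign-ins only
  | where ResultType == 0
  // no Azure AD device ID on the sign-in, i.e. not from a registered/joined device
  | where isempty(DeviceDetail.deviceId)
  // MFA-protected sign-ins are out of scope for this rule
  | where AuthenticationRequirement == "singleFactorAuthentication"
  | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
  // alert only when BOTH the ASN and the Location/state pair are unseen in the baseline
  | where AutonomousSystemNumber !in (known_asn) and LocationDetail !in (known_locations)
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: UserPrincipalName
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IpAddress
version: 1.0.0
kind: Scheduled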