Anomalous Token

Sep 6, 2023 · attack.t1528 attack.credential_access ·

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Sigma rule (View on GitHub)

 1title: Anomalous Token
 2id: 6555754e-5e7f-4a67-ad1c-4041c413a007
 3status: experimental
 4description: Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#anomalous-token
 7    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow'
 9date: 2023/08/07
10tags:
11    - attack.t1528
12    - attack.credential_access
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'anomalousToken'
19    condition: selection
20falsepositives:
21    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
22level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Explaining risk in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Anomalous Token

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules