Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Sigma rule (View on GitHub)
1title: Anomalous User Activity
2id: 258b6593-215d-4a26-a141-c8e31c1299a6
3status: test
4description: Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
5references:
6 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#anomalous-user-activity
7 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
9date: 2023-09-03
10tags:
11 - attack.privilege-escalation
12 - attack.t1098
13 - attack.persistence
14logsource:
15 product: azure
16 service: riskdetection
17detection:
18 selection:
19 riskEventType: 'anomalousUserActivity'
20 condition: selection
21falsepositives:
22 - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
23level: high
References
-
Explore the full list of risk detections and their corresponding risk event types, along with a description of each risk event type.
Read More -
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- A Member Was Added to a Security-Enabled Global Group
- A Member Was Removed From a Security-Enabled Global Group
- A New Trust Was Created To A Domain
- A Security-Enabled Global Group Was Deleted
- AWS IAM Backdoor Users Keys