Suspicious Browser Activity

Aug 12, 2024 · attack.t1078 attack.persistence attack.defense-evasion attack.privilege-escalation attack.initial-access ·

Share on:

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Sigma rule (View on GitHub)

 1title: Suspicious Browser Activity
 2id: 944f6adb-7a99-4c69-80c1-b712579e93e6
 3status: test
 4description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
 7    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023-09-03
10tags:
11    - attack.t1078
12    - attack.persistence
13    - attack.defense-evasion
14    - attack.privilege-escalation
15    - attack.initial-access
16logsource:
17    product: azure
18    service: riskdetection
19detection:
20    selection:
21        riskEventType: 'suspiciousBrowser'
22    condition: selection
23falsepositives:
24    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
25level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Explaining risk detections in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Suspicious Browser Activity

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules