Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
Sigma rule (View on GitHub)
1title: Suspicious Browser Activity
2id: 944f6adb-7a99-4c69-80c1-b712579e93e6
3status: test
4description: Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser
5references:
6 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#suspicious-browser
7 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
9date: 2023-09-03
10tags:
11 - attack.stealth
12 - attack.t1078
13 - attack.persistence
14 - attack.privilege-escalation
15 - attack.initial-access
16logsource:
17 product: azure
18 service: riskdetection
19detection:
20 selection:
21 riskEventType: 'suspiciousBrowser'
22 condition: selection
23falsepositives:
24 - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
25level: high
References
-
Explore the full list of risk detections and their corresponding risk event types, along with a description of each risk event type.
Read More -
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- AWS Key Pair Import Activity
- AWS Suspicious SAML Activity
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address