Unfamiliar Sign-In Properties
Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
Sigma rule (View on GitHub)
1title: Unfamiliar Sign-In Properties
2id: 128faeef-79dd-44ca-b43c-a9e236a60f49
3status: experimental
4description: Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.
5references:
6 - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#unfamiliar-sign-in-properties
7 - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
9date: 2023/09/03
10tags:
11 - attack.t1078
12 - attack.persistence
13 - attack.defense_evasion
14 - attack.privilege_escalation
15 - attack.initial_access
16logsource:
17 product: azure
18 service: riskdetection
19detection:
20 selection:
21 riskEventType: 'unfamiliarFeatures'
22 condition: selection
23falsepositives:
24 - User changing to a new device, location, browser, etc.
25level: high
References
Related rules
- Activity From Anonymous IP Address
- Atypical Travel
- New Country
- Suspicious Browser Activity
- Suspicious 'Admin' Local User Creation with Net Command