Measurable Increase Of Successful Authentications
Detects when successful sign-ins increased by 10% or greater.
Sigma rule (View on GitHub)
1title: Measurable Increase Of Successful Authentications
2id: 67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae
3status: test
4description: Detects when successful sign-ins increased by 10% or greater.
5references:
6 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#monitoring-for-successful-unusual-sign-ins
7author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton
8date: 2022-08-11
9modified: 2022-08-18
10tags:
11 - attack.defense-evasion
12 - attack.t1078
13logsource:
14 product: azure
15 service: signinlogs
16detection:
17 selection:
18 Status: Success
19 Count: "<10%"
20 condition: selection
21falsepositives:
22 - Increase of users in the environment
23level: low
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Created And Deleted Within A Close Time Frame
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow