Successful Authentications From Countries You Do Not Operate Out Of

Oct 23, 2025 · attack.privilege-escalation attack.persistence attack.defense-evasion attack.initial-access attack.credential-access attack.t1078.004 attack.t1110 ·

Share on:

Detect successful authentications from countries you do not operate out of.

Sigma rule (View on GitHub)

 1title: Successful Authentications From Countries You Do Not Operate Out Of
 2id: 8c944ecb-6970-4541-8496-be554b8e2846
 3status: test
 4description: Detect successful authentications from countries you do not operate out of.
 5references:
 6    - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
 7author: MikeDuddington, '@dudders1'
 8date: 2022-07-28
 9tags:
10    - attack.privilege-escalation
11    - attack.persistence
12    - attack.defense-evasion
13    - attack.initial-access
14    - attack.credential-access
15    - attack.t1078.004
16    - attack.t1110
17logsource:
18    product: azure
19    service: signinlogs
20detection:
21    selection:
22        Status: 'Success'
23    filter:
24        Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
25    condition: selection and not filter
26falsepositives:
27    - If this was approved by System Administrator.
28level: medium

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Successful Authentications From Countries You Do Not Operate Out Of

Sigma rule (View on GitHub)

References

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules