Successful Authentications From Countries You Do Not Operate Out Of
Detect successful authentications from countries you do not operate out of.
Sigma rule (View on GitHub)
1title: Successful Authentications From Countries You Do Not Operate Out Of
2id: 8c944ecb-6970-4541-8496-be554b8e2846
3status: test
4description: Detect successful authentications from countries you do not operate out of.
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022-07-28
9tags:
10 - attack.initial-access
11 - attack.credential-access
12 - attack.t1078.004
13 - attack.t1110
14logsource:
15 product: azure
16 service: signinlogs
17detection:
18 selection:
19 Status: 'Success'
20 filter:
21 Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
22 condition: selection and not filter
23falsepositives:
24 - If this was approved by System Administrator.
25level: medium
References
Related rules
- Failed Authentications From Countries You Do Not Operate Out Of
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met