Failed Authentications From Countries You Do Not Operate Out Of
Detect failed authentications from countries you do not operate out of.
Sigma rule (View on GitHub)
1title: Failed Authentications From Countries You Do Not Operate Out Of
2id: 28870ae4-6a13-4616-bd1a-235a7fad7458
3status: test
4description: Detect failed authentications from countries you do not operate out of.
5references:
6 - https://learn.microsoft.com/en-gb/entra/architecture/security-operations-user-accounts
7author: MikeDuddington, '@dudders1'
8date: 2022-07-28
9tags:
10 - attack.privilege-escalation
11 - attack.persistence
12 - attack.defense-evasion
13 - attack.initial-access
14 - attack.credential-access
15 - attack.t1078.004
16 - attack.t1110
17logsource:
18 product: azure
19 service: signinlogs
20detection:
21 selection:
22 Status: 'Success'
23 selection1:
24 Location|contains: '<Countries you DO operate out of e,g GB, use OR for multiple>'
25 condition: not selection and not selection1
26falsepositives:
27 - If this was approved by System Administrator.
28level: low
References
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Multifactor Authentication Denied
- Multifactor Authentication Interrupted
- Potential MFA Bypass Using Legacy Client Authentication
- Sign-in Failure Due to Conditional Access Requirements Not Met
- Successful Authentications From Countries You Do Not Operate Out Of