
Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)

Language: KQL · Severity: Medium · Source: Azure-Sentinel · Techniques: T1078, T1098 · Table: imAuthentication · Tags: microsoft, official
This detection content is auto-generated from open-source rule repositories and enriched with AI analysis. Always validate rules in a test environment before deploying to production Sentinel workspaces.
Retrieved: 2026-03-19T03:46:59Z · Confidence: medium

Hunt Hypothesis

Identifies source IPs that, after one or more failed sign-in attempts against disabled accounts, went on to sign in successfully to a different account. To use this analytics rule, make sure you have deployed the ASIM normalization parsers (https://aka.ms/ASimAuthentication).

KQL Query

imAuthentication
| where EventResult =='Failure'
| where EventResultDetails == 'User disabled'
| summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
      , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
      , applicationsTargeted = dcount(TargetAppName)
      , applicationSet = make_set(TargetAppName) 
      by SrcDvcIpAddr, Type
| order by disabledAccountLoginAttempts desc
| join kind=leftouter 
    (
    // Consider these IPs suspicious - and alert any related  successful sign-ins
    imAuthentication
    | where EventResult=='Success'
    | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
    // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
    | where successfulAccountSigninCount < 100
    )
    on SrcDvcIpAddr
| where isnotempty(successfulAccountSigninCount)
| project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
successfulAccountSigninCount, successfulAccountSigninSet, Type
| order by disabledAccountLoginAttempts
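The following Python model replays the query's logic over a handful of constructed imAuthentication-shaped rows so the two filters can be exercised offline. It is an added example written for this page, not code from the Azure-Sentinel repository; the sample events, the IP addresses (documentation ranges) and the column subset are constructed, and sets are sorted for deterministic output where KQL's make_set is unordered. It goes slightly beyond the page's query by exposing the 100-distinct-user suppression cap as a parameter so its effect on a shared-egress IP can be seen directly.

```python
"""Offline model of the 'sign-ins from IPs that attempt sign-ins to disabled
accounts' rule, run over constructed imAuthentication-shaped rows (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample rows: only the ASIM imAuthentication columns the query touches.
T0 = datetime(2026, 3, 18, 9, 0, 0)


def _row(offset_min, ip, user, app, result, details="", typ="SigninLogs"):
    start = T0 + timedelta(minutes=offset_min)
    return {
        "EventStartTime": start, "EventEndTime": start + timedelta(seconds=1),
        "SrcDvcIpAddr": ip, "TargetUsername": user, "TargetAppName": app,
        "EventResult": result, "EventResultDetails": details, "Type": typ,
    }


SAMPLE_EVENTS = [
    # 203.0.113.10: probes two disabled accounts, then succeeds as a third user -> should alert
    _row(0, "203.0.113.10", "alice@example.com", "Office 365", "Failure", "User disabled"),
    _row(1, "203.0.113.10", "bob@example.com", "Office 365", "Failure", "User disabled"),
    _row(2, "203.0.113.10", "bob@example.com", "Azure Portal", "Failure", "User disabled"),
    _row(5, "203.0.113.10", "carol@example.com", "Azure Portal", "Success"),
    # 198.51.100.7: same pattern, but 150 distinct users succeed from it (shared egress) -> suppressed
    _row(0, "198.51.100.7", "alice@example.com", "Office 365", "Failure", "User disabled"),
] + [
    _row(10 + i, "198.51.100.7", f"user{i:03d}@example.com", "Office 365", "Success")
    for i in range(150)
] + [
    # 192.0.2.5: disabled-account failures with no success at all -> dropped by isnotempty()
    _row(0, "192.0.2.5", "alice@example.com", "Office 365", "Failure", "User disabled"),
    _row(1, "192.0.2.5", "alice@example.com", "Office 365", "Failure", "Wrong password"),
]


def _failures_by_ip(events):
    """Left side: 'User disabled' failures summarized by (SrcDvcIpAddr, Type)."""
    groups = defaultdict(list)
    for e in events:
        if e["EventResult"] == "Failure" and e["EventResultDetails"] == "User disabled":
            groups[(e["SrcDvcIpAddr"], e["Type"])].append(e)
    out = []
    for (ip, typ), rows in groups.items():
        users = sorted({r["TargetUsername"] for r in rows})   # make_set, sorted here for determinism
        apps = sorted({r["TargetAppName"] for r in rows})
        out.append({
            "StartTime": min(r["EventStartTime"] for r in rows),
            "EndTime": max(r["EventEndTime"] for r in rows),
            "SrcDvcIpAddr": ip, "Type": typ,
            "disabledAccountLoginAttempts": len(rows),
            "disabledAccountsTargeted": len(users), "disabledAccountSet": users,
            "applicationsTargeted": len(apps), "applicationSet": apps,
        })
    return out


def _successes_by_ip(events, distinct_user_cap=100, set_limit=15):
    """Right side: successful sign-ins per (SrcDvcIpAddr, Type); IPs with at least
    distinct_user_cap distinct users are assumed to be shared egress and dropped."""
    groups = defaultdict(set)
    for e in events:
        if e["EventResult"] == "Success":
            groups[(e["SrcDvcIpAddr"], e["Type"])].add(e["TargetUsername"])
    out = {}
    for (ip, typ), users in groups.items():
        if len(users) < distinct_user_cap:
            out.setdefault(ip, []).append({          # keyed by IP only, like the join
                "successfulAccountSigninCount": len(users),
                "successfulAccountSigninSet": sorted(users)[:set_limit],
            })
    return out


def detect(events, distinct_user_cap=100, set_limit=15):
    """Join the two sides on SrcDvcIpAddr only (as the rule does). The leftouter
    join followed by isnotempty() behaves like an inner join, so unmatched
    left rows are discarded. Results are ordered by attempt count ascending."""
    right = _successes_by_ip(events, distinct_user_cap, set_limit)
    results = []
    for left in _failures_by_ip(events):
        for match in right.get(left["SrcDvcIpAddr"], []):
            results.append({**left, **match})
    return sorted(results, key=lambda r: r["disabledAccountLoginAttempts"])


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit["SrcDvcIpAddr"], hit["disabledAccountLoginAttempts"],
              hit["disabledAccountSet"], hit["successfulAccountSigninSet"])
```

Run as-is, only 203.0.113.10 is returned: 198.51.100.7 is suppressed by the 100-distinct-user cap and 192.0.2.5 never matched a success. Note that the join is keyed on SrcDvcIpAddr alone even though both sides are summarized by (SrcDvcIpAddr, Type), so an IP whose failures and successes land in different source tables still correlates, and an IP with successes in several tables produces one row per table.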

Analytic Rule Definition

id: 95002681-4ecb-4da3-9ece-26d7e5feaa33
name: Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
description: |
  'Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - Persistence
relevantTechniques:
  - T1078
  - T1098
tags:
  - Id: 500c103a-0319-4d56-8e99-3cec8d860757
    version: 1.0.0
query: |
  imAuthentication
  | where EventResult =='Failure'
  | where EventResultDetails == 'User disabled'
  | summarize StartTime=min(EventStartTime), EndTime=max(EventEndTime), disabledAccountLoginAttempts = count()
        , disabledAccountsTargeted = dcount(TargetUsername), disabledAccountSet = make_set(TargetUsername)
        , applicationsTargeted = dcount(TargetAppName)
        , applicationSet = make_set(TargetAppName) 
        by SrcDvcIpAddr, Type
  | order by disabledAccountLoginAttempts desc
  | join kind=leftouter 
      (
      // Consider these IPs suspicious - and alert any related  successful sign-ins
      imAuthentication
      | where EventResult=='Success'
      | summarize successfulAccountSigninCount = dcount(TargetUsername), successfulAccountSigninSet = makeset(TargetUsername, 15) by SrcDvcIpAddr, Type
      // Assume IPs associated with sign-ins from 100+ distinct user accounts are safe
      | where successfulAccountSigninCount < 100
      )
      on SrcDvcIpAddr
  | where isnotempty(successfulAccountSigninCount)
  | project StartTime, EndTime, SrcDvcIpAddr, disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet, 
  successfulAccountSigninCount, successfulAccountSigninSet, Type
  | order by disabledAccountLoginAttempts

entityMappings:
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SrcDvcIpAddr
version: 1.0.3
kind: Scheduled
metadata:
  source:
    kind: Community

Required Data Sources

Sentinel table: imAuthentication
Notes: Ensure the data connectors feeding this ASIM parser are enabled

MITRE ATT&CK Context

Tactics: Initial Access, Persistence
Techniques: T1078 (Valid Accounts), T1098 (Account Manipulation)

Validation (Atomic Red Team)

References

Original source: https://github.com/Azure/Azure-Sentinel/blob/main/Detections/ASimAuthentication/imSigninAttemptsByIPviaDisabledAccounts.yaml