User login from different countries within 3 hours (Uses Authentication Normalization)

Hunt Hypothesis

‘This query searches for successful user logins from different countries within 3 hours. To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAu

KQL Query

let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon'
    and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| summarize
    StartTime        = min(TimeGenerated)
    , EndTime        = max(TimeGenerated)
    , Vendors        = make_set(EventVendor, 128)
    , Products       = make_set(EventProduct, 128)
    , NumOfCountries = dcount(SrcGeoCountry)
    , Countries      = make_set(SrcGeoCountry, 128)
    by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| where TargetUserType !in ("Application", "Service", "System", "Other", "Machine", "ServicePrincipal")
| extend
  Name = iif(
      TargetUsername contains "@"
          , tostring(split(TargetUsername, '@', 0)[0])
          , TargetUsername
      ),
  UPNSuffix = iif(
      TargetUsername contains "@"
      , tostring(split(TargetUsername, '@', 1)[0])
      , ""
  )

Analytic Rule Definition

id: 09ec8fa2-b25f-4696-bfae-05a7b85d7b9e
name: User login from different countries within 3 hours (Uses Authentication Normalization)
description: |
  'This query searches for successful user logins from different countries within 3 hours.
   To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: High
requiredDataConnectors: []
queryFrequency: 3h
queryPeriod: 3h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess 
relevantTechniques:
  - T1078
tags:
  - Id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
    version: 1.0.0
  - Schema: ASIMAuthentication
    SchemaVersion: 0.1.0
query: |
  let timeframe = ago(3h);
  let threshold = 2;
  imAuthentication
  | where TimeGenerated > timeframe
  | where EventType == 'Logon'
      and EventResult == 'Success'
  | where isnotempty(SrcGeoCountry)
  | summarize
      StartTime        = min(TimeGenerated)
      , EndTime        = max(TimeGenerated)
      , Vendors        = make_set(EventVendor, 128)
      , Products       = make_set(EventProduct, 128)
      , NumOfCountries = dcount(SrcGeoCountry)
      , Countries      = make_set(SrcGeoCountry, 128)
      by TargetUserId, TargetUsername, TargetUserType
  | where NumOfCountries >= threshold
  | where TargetUserType !in ("Application", "Service", "System", "Other", "Machine", "ServicePrincipal")
  | extend
    Name = iif(
        TargetUsername contains "@"
            , tostring(split(TargetUsername, '@', 0)[0])
            , TargetUsername
        ),
    UPNSuffix = iif(
        TargetUsername contains "@"
        , tostring(split(TargetUsername, '@', 1)[0])
        , ""
    )
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUserName
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
version: 1.2.5
kind: Scheduled
metadata:
    source:
        kind: Community
    author:
        name: Ofer Shezaf
    support:
        tier: Community
    categories:
        domains: [ "Security - Network" ]

Required Data Sources

MITRE ATT&CK Context

• Tactic: InitialAccess
• Tactic: Defense Evasion
• Tactic: Persistence
• Tactic: Privilege Escalation
• Tactic: Initial Access
• Technique: T1078 — Valid Accounts

  Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to by

References

• Source Query