Try in Splunk Security Cloud


The following analytic identifies an Azure AD account with concurrent sessions coming from more than one unique Ip address within the span of 5 minutes. This behavior could represent a session hijacking attack whereby an adversary has extracted cookies from a victims browser and is using them from a different location to access corporate online resources. As users may behave differently across organizations, security teams should test and customize this detection to fit their environments.

  • Type: TTP
  • Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud

  • Last Updated: 2023-12-20
  • Author: Mauricio Velazco, Splunk
  • ID: a9126f73-9a9b-493d-96ec-0dd06695490d




ID Technique Tactic
T1185 Browser Session Hijacking Collection
Kill Chain Phase
  • Exploitation
  • DE.CM
  • CIS 10
 `azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=NonInteractiveUserSignInLogs 
| rename properties.* as * 
| bucket span=30m _time 
| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user 
| where unique_ips  > 1 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_ad_concurrent_sessions_from_different_ips_filter`


The SPL above uses the following Macros:

:information_source: azure_ad_concurrent_sessions_from_different_ips_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.

Required fields

List of fields required to use this analytic.

  • _time
  • properties.status.errorCode
  • category
  • properties.authenticationDetails
  • user
  • src_ip

How To Implement

You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase ( You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the SignInLogs log category.

Known False Positives

A user with concurrent sessions from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.

Associated Analytic Story


Risk Score Impact Confidence Message
42.0 70 60 User $user$ has concurrent sessions from more than one unique IP address in the span of 5 minutes.

:information_source: The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.


Test Dataset

Replay any dataset to Splunk Enterprise by using our tool or the UI. Alternatively you can replay a dataset into a Splunk Attack Range

source | version: 2