ID | Technique | Tactic |
---|---|---|
T1110 | Brute Force | Credential Access |
T1110.001 | Password Guessing | Credential Access |
T1110.003 | Password Spraying | Credential Access |
Detection: Azure AD Successful Authentication From Different Ips
Description
The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.
Search
1`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
2| rename properties.* as *
3| bucket span=30m _time
4| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user
5| `security_content_ctime(firstTime)`
6| `security_content_ctime(lastTime)`
7| where unique_ips > 1
8| `azure_ad_successful_authentication_from_different_ips_filter`
Data Source
Name | Platform | Sourcetype | Source |
---|---|---|---|
Azure Active Directory | Azure | 'azure:monitor:aad' |
'Azure AD' |
Macros Used
Name | Value |
---|---|
azure_monitor_aad | sourcetype=azure:monitor:aad |
azure_ad_successful_authentication_from_different_ips_filter | search * |
azure_ad_successful_authentication_from_different_ips_filter
is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
Setting | Value |
---|---|
Disabled | true |
Cron Schedule | 0 * * * * |
Earliest Time | -70m@m |
Latest Time | -10m@m |
Schedule Window | auto |
Creates Notable | Yes |
Rule Title | %name% |
Rule Description | %description% |
Notable Event Fields | user, dest |
Creates Risk Event | True |
Implementation
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
Known False Positives
A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
Associated Analytic Story
Risk Based Analytics (RBA)
Risk Message | Risk Score | Impact | Confidence |
---|---|---|---|
User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. | 56 | 70 | 80 |
References
Detection Testing
Test Type | Status | Dataset | Source | Sourcetype |
---|---|---|---|---|
Validation | ✅ Passing | N/A | N/A | N/A |
Unit | ✅ Passing | Dataset | Azure AD |
azure:monitor:aad |
Integration | ✅ Passing | Dataset | Azure AD |
azure:monitor:aad |
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
Source: GitHub | Version: 6