Detection: Azure AD Successful Authentication From Different Ips
Description
The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.
Search
```
`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
| rename properties.* as *
| bucket span=30m _time
| fillnull
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) AS unique_ips values(dest) as dest values(src) as src BY user vendor_account vendor_product signature
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where unique_ips > 1
| `azure_ad_successful_authentication_from_different_ips_filter`
```
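The same logic as the search above, written as a stand-alone Python function so the windowing and the distinct-IP count can be checked against known records. This is an added example, not part of the Splunk Security Content project; the sign-in records and the `min_unique_ips` knob are assumptions (the SPL's `where unique_ips > 1` corresponds to the default of 2).

```python
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample of Azure AD SignInLogs records (not real data). Field names
# mirror the properties the SPL uses after `rename properties.* as *`.
SAMPLE_SIGNINS = [
    {"time": "2024-05-01T10:02:00Z", "category": "SignInLogs", "user": "alice@example.test",
     "src": "198.51.100.10", "dest": "portal", "succeeded": True},
    {"time": "2024-05-01T10:17:00Z", "category": "SignInLogs", "user": "alice@example.test",
     "src": "203.0.113.7", "dest": "portal", "succeeded": True},     # 2nd IP, same 30m window
    {"time": "2024-05-01T10:20:00Z", "category": "SignInLogs", "user": "bob@example.test",
     "src": "198.51.100.20", "dest": "portal", "succeeded": True},
    {"time": "2024-05-01T10:25:00Z", "category": "SignInLogs", "user": "bob@example.test",
     "src": "203.0.113.9", "dest": "portal", "succeeded": False},    # failed sign-in: excluded
    {"time": "2024-05-01T10:40:00Z", "category": "SignInLogs", "user": "bob@example.test",
     "src": "203.0.113.9", "dest": "portal", "succeeded": True},     # falls in the next window
    {"time": "2024-05-01T10:05:00Z", "category": "AuditLogs", "user": "carol@example.test",
     "src": "192.0.2.5", "dest": "portal", "succeeded": True},       # not SignInLogs: excluded
]

SPAN_SECONDS = 30 * 60  # `bucket span=30m _time`


def bucket_start(ts: str) -> int:
    """Floor an ISO-8601 timestamp to the start of its 30-minute window (epoch seconds)."""
    epoch = int(datetime.fromisoformat(ts.replace("Z", "+00:00")).timestamp())
    return epoch - (epoch % SPAN_SECONDS)


def find_multi_ip_logins(events, min_unique_ips=2):
    """Return {(user, window_start): sorted unique src IPs} for every 30-minute window in
    which a user authenticated successfully from at least `min_unique_ips` distinct IPs.
    `min_unique_ips` is an assumed tuning knob; 2 matches the SPL's `unique_ips > 1`."""
    per_window = defaultdict(set)
    for ev in events:
        # Same predicate as the search: successful sign-ins from the SignInLogs category only.
        if ev.get("category") != "SignInLogs" or not ev.get("succeeded"):
            continue
        per_window[(ev["user"], bucket_start(ev["time"]))].add(ev["src"])
    return {k: sorted(v) for k, v in per_window.items() if len(v) >= min_unique_ips}


if __name__ == "__main__":
    for (user, start), ips in find_multi_ip_logins(SAMPLE_SIGNINS).items():
        when = datetime.fromtimestamp(start, timezone.utc).strftime("%Y-%m-%d %H:%M")
        print(f"{user} window starting {when} UTC: {len(ips)} unique IPs {ips}")
```

Only alice is flagged: bob's two IPs land in different windows once the failed attempt is dropped, which is the kind of case the threshold and window length control.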
Data Source
Macros Used
| Name | Value |
|---|---|
| azure_monitor_aad | sourcetype=azure:monitor:aad |
| azure_ad_successful_authentication_from_different_ips_filter | search * |
azure_ad_successful_authentication_from_different_ips_filter is an empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Annotations
| ID | Technique | Tactic |
|---|---|---|
| T1110.001 | Password Guessing | Credential Access |
| T1110.003 | Password Spraying | Credential Access |
Default Configuration
This detection is configured by default in Splunk Enterprise Security to run with the following settings:
| Setting | Value |
|---|---|
| Disabled | true |
| Cron Schedule | 0 * * * * |
| Earliest Time | -70m@m |
| Latest Time | -10m@m |
| Schedule Window | auto |
| Creates Finding (Notable) | Yes |
| Rule Title | %name% |
| Rule Description | %description% |
| Notable Event Fields | user, dest |
| Creates Intermediate Finding (Risk Event) | No |
TTP detections generate a Finding (Notable) and may generate Intermediate Findings (Risk Events) for associated entities.
Implementation
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
Known False Positives
A user with successful authentication events from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
Associated Analytic Story
Finding
| Title | Entity Field | Entity Type | Risk Score |
|---|---|---|---|
| User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. | user | user | 50 |
Threat Objects
| Field | Type |
|---|---|
| src | ip_address |
References
Detection Testing
| Test Type | Status | Dataset | Source | Sourcetype |
|---|---|---|---|---|
| Validation | ✅ Passing | N/A | N/A | N/A |
| Unit | ✅ Passing | Dataset | Azure AD | azure:monitor:aad |
| Integration | ✅ Passing | Dataset | Azure AD | azure:monitor:aad |
Replay any dataset to Splunk Enterprise by using our replay.py tool or the UI.
Alternatively, you can replay a dataset into a Splunk Attack Range.
Source: GitHub
Version: 14