Azure AD Successful Authentication From Different Ips
Description
The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.
- Type: TTP
-
Product: Splunk Enterprise, Splunk Enterprise Security, Splunk Cloud
- Last Updated: 2024-05-26
- Author: Mauricio Velazco, Splunk
- ID: be6d868d-33b6-4aaa-912e-724fb555b11a
Annotations
ATT&CK
Kill Chain Phase
- Exploitation
NIST
- DE.CM
CIS20
- CIS 10
CVE
Search
1
2
3
4
5
6
7
8
`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs
| rename properties.* as *
| bucket span=30m _time
| stats count min(_time) as firstTime max(_time) as lastTime dc(src_ip) AS unique_ips values(src_ip) as src_ip values(appDisplayName) as appDisplayName by user
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| where unique_ips > 1
| `azure_ad_successful_authentication_from_different_ips_filter`
Macros
The SPL above uses the following Macros:
azure_ad_successful_authentication_from_different_ips_filter is a empty macro by default. It allows the user to filter out any results (false positives) without editing the SPL.
Required fields
List of fields required to use this analytic.
- _time
- properties.status.errorCode
- category
- properties.authenticationDetails
- user
- src_ip
- properties.appDisplayName
How To Implement
You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. This analytic was written to be used with the azure:monitor:aad sourcetype leveraging the Signin log category.
Known False Positives
A user with successful authentication events from different Ips may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.
Associated Analytic Story
RBA
Risk Score | Impact | Confidence | Message |
---|---|---|---|
56.0 | 70 | 80 | User $user$ has had successful authentication events from more than one unique IP address in the span of 30 minutes. |
The Risk Score is calculated by the following formula: Risk Score = (Impact * Confidence/100). Initial Confidence and Impact is set by the analytic author.
Reference
- https://attack.mitre.org/techniques/T1110
- https://attack.mitre.org/techniques/T1110.001
- https://attack.mitre.org/techniques/T1110.003
Test Dataset
Replay any dataset to Splunk Enterprise by using our replay.py
tool or the UI.
Alternatively you can replay a dataset into a Splunk Attack Range
source | version: 4