← Library
kqlMITfrom Azure/Azure-Sentinel

Privileged User Logon from new ASN

'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days. Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'

Quality
98
FP risk
Forks
0
Views
0
ATT&CK techniques
T1078.004
Rule sourceDetections/SigninLogs/PrivilegedUserLogonfromnewASN.yaml
let admins=(IdentityInfo
  | where AssignedRoles contains "admin" or GroupMembership has "Admin"
  | summarize by tolower(AccountUPN));
  let known_asns = (
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admins)
  | where AutonomousSystemNumber !in (known_asns)
  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])