Forum Discussion
mircasa
May 04, 2020, Copper Contributor
Trying to understand "Anomalous sign-in location by user account and authenticating application"
I'm pretty new to Azure Sentinel so it might be obvious. I got this incident in our Sentinel setup but I can't seem to understand what it's actually telling me. When I look up the events for the in...
Ofer_Shezaf
Microsoft
May 12, 2020
You can use the query:
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName == "...."
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
| summarize count() by locationString
- mircasa, May 14, 2020, Copper Contributor
Thanks for the answer.
This gave a good view of the sign-ins.
But are these successful sign-ins, or does it also count the failed sign-ins?
- Ofer_Shezaf, May 14, 2020
Microsoft
It is all sign-ins because I kept to the data as analyzed by the rule itself. If you want to investigate sign-ins with more flexibility, you can use the Sign-ins workbook, which is very useful. You can learn more about this workbook (as well as the sign-in mapping workbook) in the "Day in a SOC analyst life" webinar (see module 12 of https://aka.ms/sentinelninjatraining)
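As an added example that is not part of Ofer's reply, the same query extended so that one result set answers both questions raised in this thread: where the account signs in from, through which authenticating application, and whether those sign-ins succeeded or failed. The UPN is a placeholder; AppDisplayName, ResultType, IPAddress and LocationDetails are standard SigninLogs columns, and ResultType "0" is the success code in that table.

```kql
// Added example, not code from the original reply: per-user sign-in locations
// broken out by authenticating application and by success/failure.
// "user@example.com" is a placeholder UPN; use the account named in the incident.
SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName == "user@example.com"
// Same location string the reply builds from the dynamic LocationDetails column
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/",
                                 tostring(LocationDetails["state"]), "/",
                                 tostring(LocationDetails["city"]), ";")
// ResultType "0" is a successful sign-in in SigninLogs; any other value is a failure code
| summarize
    successes = countif(ResultType == "0"),
    failures  = countif(ResultType != "0"),
    firstSeen = min(TimeGenerated),
    lastSeen  = max(TimeGenerated),
    sourceIPs = make_set(IPAddress, 10)
  by UserPrincipalName, AppDisplayName, locationString
| order by lastSeen desc
```

Read the output against the incident: a location/application pair whose firstSeen is recent and whose history is otherwise empty is the kind of combination the rule is built to surface, while a pair with a steady record of successes over the two weeks is part of the account's normal pattern. A new location with only failures is a different conversation (password spraying or a mistyped credential) than a new location with a success, which is why the two counts are kept separate.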
- mircasa, May 14, 2020, Copper Contributor
Okay, I will look into that.
I'm just trying to understand why the incident is actually being created and what the response should be to it. Thanks for the help.