Forum Discussion

Copper Contributor

May 04, 2020

Trying to understand "Anomalous sign-in location by user account and authenticating application"

Im pretty new to Azure sentinel so it might be obvious. I got this incident in our Sentinel setup but i cant seem to understand what its acutally telling me. When i look up the events for the in...

Ofer_Shezaf

Microsoft

May 12, 2020

mircasa

You can use the Query

SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName == "...."
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
summarize count() by locationString

mircasa
Copper Contributor
May 14, 2020
Ofer_Shezaf
Thanks for the answer.

This gave a good view of the sign-ins.
But are these successfull sign-ins or does it also count the failed sign-ins?
- Ofer_Shezaf
  Microsoft
  May 14, 2020
  mircasa
  
  It is all sign ins because I kept to the data as analyzed by the rule itself. If you want to investigqate Signins with more flexiblity, you can use the Signins workbook which is very useful. You can learn more about this workbook (as well as the sign-in mapping workbook) in the "Day in a SOC analyst life" webinar (see module 12 of https://aka.ms/sentinelninjatraining)
  - mircasa
    Copper Contributor
    May 14, 2020
    Ofer_Shezaf
    
    Okay, i will look into that.
    
    Im just trying to understand why the incident is actually being created and what the response should be to it.
    
    Thanks for the help