Time series analysis applied in a security hunting context

This article expands on the time series analysis example given in the "Machine learning powered detections with Kusto query language in Azure Sentinel" Azure blog post (https://azure.microsoft.com/en-gb/blog/ml-powered-detections-with-kusto-query-language-in-azure-sentinel/).

Scenario: identify user accounts authenticating from an unexpectedly large number of locations. The intuition is that these accounts may be of security interest, and potentially compromised.

This Kusto tutorial (https://docs-analytics-eus.azurewebsites.net/learn/tutorial_time_series_analysis.html) discusses using time series analysis to investigate change patterns in data using the make-series operator and the series_fit_line function from the Kusto language used in Azure Log Analytics. This post describes a possible application of such techniques in a security context.

Note that for simplicity we are not evaluating the reachability of one sign-in location from another. Clearly that is an important consideration, and indeed Azure Active Directory runs sophisticated analysis to provide eventing and alerts for such impossible travel scenarios (https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-risk-events).

For the purposes of this example we restrict ourselves to the count of distinct locations and to hunting for 'the most unusual' sign-in activity, even if that is below the threshold that would result in an alert.

A typical organization may have many users and many applications using Azure Active Directory for authentication. Some applications (for example Office 365 Exchange Online) may have many more authentications than others (say Visual Studio) and thus dominate the data. Also, users may have a different location profile depending on the application: high location variability for email access may be expected, but less so for development activity associated with Visual Studio authentications, for example. For both these reasons it may be desirable to track location variability for every user/application combination and then investigate just some of the most unusual cases.

Analysis

The make-series operator and the series_fit_line function allow just that. Our starting point is the Azure Active Directory sign-in logs, stored in the SigninLogs table in Azure Log Analytics:

```kusto
SigninLogs
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString
```

The next steps are:

1. Create the series of events of interest, in this instance the distinct location count for every combination of user and application in the data:

```kusto
// <previous query>
| make-series dLocationCount = dcount(locationString)
    on TimeGenerated from datetime(01-01-2019) to datetime(01-31-2019) step 1d
    by UserPrincipalName, AppDisplayName
```

Each series vector in the result set represents the number of locations for a given account/application pair:

[Image: Series.png]

2. Compute the best fit line for each series:

```kusto
// <previous query>
| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount)
// Chart the 3 most interesting lines
// 0 slope corresponds to completely stable over time
| top 3 by Slope desc
| render timechart
```

A completely stable profile over time (a constant number of locations) will lead to a horizontal line, i.e. a slope of zero.

A spike in the number of sign-in locations translates to a positive slope value, so of all the best-fit lines (each line corresponding to a particular user/application combination) we can pick those with the largest slope values.

The top slope values across all the best fit lines in a sample test set were around 0.2 – 0.3:

[Image: Slopes.png]

The graph below shows the location count for these users over time: the typical pattern of 0 or 1 sign-in locations daily for these user accounts increased to 6-8 sign-in locations daily. Are these locations legitimate? That's the starting point for investigation…

[Image: TimeSeriesGraph.png]

Tim Burrell, Microsoft Threat Intelligence Center
April 2019

Appendix

Final consolidated query described in the main text:

```kusto
SigninLogs
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString
// create time series
| make-series dLocationCount = dcount(locationString) on TimeGenerated from datetime(01-01-2019) to datetime(01-31-2019) step 1d
    by UserPrincipalName, AppDisplayName
// Compute best fit line for each entry
| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount)
| top 3 by Slope desc
| render timechart
```
ot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20%3C%2FSPAN%3E%3CFONT%20color%3D%22%230000ff%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eextend%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22none%22%3E%20(%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3ERSquare%2CSlope%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2CVariance%2CRVariance%2CInterception%2CLineFit)%3Dseries_fit_line(dLocationCount)%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23008000%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2F%2F%20Chart%20the%203%20most%20interesting%20lines%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CFONT%20color%3D%22%23008000%22%3E%3CSPAN%20data-contrast%3D%22none%22%3E%2F%2F%200%20slope%20corresponds%20to%20completely%20stable%20over%20time%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FFONT%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20%3C%2FSPAN%3E%3CFONT%20color%3D%22%230000ff%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Etop%3C%2FSPAN%3E%20%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22none%22%3E3%3C%2FSPAN%3E%
20%3CFONT%20color%3D%22%230000ff%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Eby%3C%2FSPAN%3E%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22none%22%3E%20Slope%20%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3Edesc%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-contrast%3D%22none%22%3E%7C%20%3C%2FSPAN%3E%3CFONT%20color%3D%22%230000ff%22%3E%3CSPAN%20data-contrast%3D%22none%22%3Erender%3C%2FSPAN%3E%20%3C%2FFONT%3E%3CSPAN%20data-contrast%3D%22none%22%3Etimechart%3C%2FSPAN%3E%3CSPAN%20data-contrast%3D%22none%22%3E%26nbsp%3B%3C%2FSPAN%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B134233279%26quot%3B%3Atrue%2C%26quot%3B201341983%26quot%3B%3A2%2C%26quot%3B335559685%26quot%3B%3A720%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A240%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%0A%3CP%3E%3CSPAN%20data-ccp-props%3D%22%7B%26quot%3B201341983%26quot%3B%3A0%2C%26quot%3B335559739%26quot%3B%3A160%2C%26quot%3B335559740%26quot%3B%3A259%7D%22%3E%26nbsp%3B%3C%2FSPAN%3E%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-TEASER%20id%3D%22lingo-teaser-472433%22%20slang%3D%22en-US%22%3E%3CP%3EThis%20article%20expands%20on%20the%20time%20series%20analysis%20example%20given%20in%20the%20%22%3CA%20href%3D%22https%3A%2F%2Fazure.microsoft.com%2Fen-gb%2Fblog%2Fml-powered-detections-with-kusto-query-language-in-azure-sentinel%2F%22%20target%3D%22_self%22%20rel%3D%22noopener%20noreferrer%20noopener%20noreferrer%22%3EMachine%20learning%20powered%20detections%20with%20Kusto%20query%20language%20in%20Azure%20Sentinel%3C%2FA%3E%22%20Azure%20blog%20post.%26nbsp%3B%3C%2FP%3E%3C%2FLINGO-TEASER%3E%3CLINGO-LABS%20id%3D%22lingo-labs-472433%22%20slang%3D%22en-US%22%3E%3CLINGO-LABEL%3EAzure%20Sentin
el%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EDetection%3C%2FLINGO-LABEL%3E%3CLINGO-LABEL%3EMachine%20Learning%3C%2FLINGO-LABEL%3E%3C%2FLINGO-LABS%3E

This article expands on the time series analysis example given in the "Machine learning powered detections with Kusto query language in Azure Sentinel" Azure blog post. 

Scenario: identify user accounts authenticating from an unexpectedly large number of locations. The intuition is that these accounts may be of security interest, and potentially compromised.

 

This Kusto tutorial discusses using time series analysis to investigate change patterns in data using the make-series operator and series_fit_line function from the Kusto language used in Azure Log Analytics. This post describes a possible application of such techniques in a security context.

 

Note that for simplicity we are not evaluating the reachability of one sign-in location from another – clearly that is an important consideration, and indeed Azure Active Directory runs sophisticated analysis to provide eventing and alerts for such impossible travel scenarios.

 

For the purposes of this example we restrict ourselves to the count of distinct locations and to hunting for ‘the most unusual’ sign-in activity – even if that is below the threshold that would result in an alert. 

A typical organization may have many users and many applications using Azure Active Directory for authentication. Some applications (for example Office365 Exchange Online) may have many more authentications than others (say Visual Studio) and thus dominate the data. Also users may have a different location profile depending on the application – high location variability for email access may be expected, but less so for development activity associated with Visual Studio authentications for example. For both these reasons it may be desirable to track location variability for every user/application combination and then investigate just some of the most unusual cases. 

 

Analysis 

The make-series operator and the series_fit_line function allow just that. Our starting point is the Azure Active Directory sign-in logs – stored in the SigninLogs table in Azure Log Analytics: 

SigninLogs 

| extend  locationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";") 

| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString 

 

The next steps are: 

  1. Create the series of events of interest – in this instance distinct location count for every combination of user and application in the data: 

<previous query text> 

| make-series dLocationCount = dcount(locationString)

on TimeGenerated from datetime(01-01-2019) to datetime(01-31-2019) step 1d 

by UserPrincipalName, AppDisplayName 

 

Each series vector in the result set represents the number of locations for a given account/application pair: 

[Figure: Series.png]

  2. Compute the best fit line for each series: 

<previous query text> 

| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) 

// Chart the 3 most interesting lines  

// 0 slope corresponds to completely stable over time 

| top 3 by Slope desc  

| render timechart  

 

A completely stable profile over time – constant number of locations – will lead to a horizontal line – i.e. a slope of zero.  

 

A spike in the number of sign-in locations translates to a positive slope value, so of all the best-fit lines – each line corresponding to a particular user/application combination – we can pick those with the largest slope values.  
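The two steps above and the slope reasoning, as an added example in Python that is not part of the article: `make_series` mirrors `make-series ... step 1d by UserPrincipalName, AppDisplayName` (daily bins, gaps filled with 0 as make-series does by default), `fit_line` reproduces the least-squares slope and intercept behind `series_fit_line`, and `top_by_slope` is `top 3 by Slope desc`. The accounts, application names and location strings are constructed sample data.

```python
from collections import defaultdict
from datetime import date, timedelta

START, DAYS = date(2019, 1, 1), 10  # window of daily bins, like `step 1d`

def make_sample():
    """Constructed stand-in for SigninLogs rows: (day, user, app, locationString)."""
    rows = []
    for d in range(DAYS):
        day = START + timedelta(days=d)
        # alice: one location every day, a flat profile (slope 0)
        rows.append((day, "alice@contoso.example", "Exchange Online", "GB/England/London;"))
        # bob: one location for a week, then 6, 7, 8 distinct locations on the last three days
        for i in range(1 if d < 7 else d - 1):
            rows.append((day, "bob@contoso.example", "Exchange Online", f"US/State{i}/City{i};"))
        # carol: signs in every other day only, so odd days have no rows at all
        if d % 2 == 0:
            rows.append((day, "carol@contoso.example", "Visual Studio", "DE/Berlin/Berlin;"))
    return rows

def make_series(rows, start=START, days=DAYS):
    """make-series dLocationCount = dcount(locationString) on day, step 1d, by (user, app).
    Every key gets a fixed-length vector; days with no rows count as 0."""
    seen = defaultdict(lambda: [set() for _ in range(days)])
    for day, user, app, loc in rows:
        idx = (day - start).days
        if 0 <= idx < days:  # rows outside the window are ignored
            seen[(user, app)][idx].add(loc)
    return {key: [len(s) for s in bins] for key, bins in seen.items()}

def fit_line(y):
    """Least-squares line through (i, y[i]) for i = 0..n-1 (n >= 2).
    Returns (r_square, slope, intercept); the variance fields of series_fit_line are omitted."""
    n = len(y)
    mx, my = (n - 1) / 2, sum(y) / n
    sxx = sum((i - mx) ** 2 for i in range(n))
    sxy = sum((i - mx) * (v - my) for i, v in enumerate(y))
    slope = sxy / sxx
    intercept = my - slope * mx
    ss_tot = sum((v - my) ** 2 for v in y)
    ss_res = sum((v - intercept - slope * i) ** 2 for i, v in enumerate(y))
    r_square = 1 - ss_res / ss_tot if ss_tot else 1.0  # a constant series is fit exactly
    return r_square, slope, intercept

def top_by_slope(series, k=3):
    """`top k by Slope desc`: the account/app pairs whose location count rises fastest."""
    fits = [(key, fit_line(y)) for key, y in series.items()]
    fits.sort(key=lambda item: item[1][1], reverse=True)
    return fits[:k]

if __name__ == "__main__":
    for (user, app), (r2, slope, _) in top_by_slope(make_series(make_sample())):
        print(f"{user:24} {app:16} slope={slope:+.3f} r2={r2:.2f}")
```

With this sample, bob's series [1,1,1,1,1,1,1,6,7,8] ranks first, alice's flat series sits at slope 0 and carol's alternating 1/0 series comes out slightly negative, so the gap-filling matters: without zero bins her every-other-day profile would look flat.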

 

The top slope values across all the best fit lines in a sample test set were around 0.2 – 0.3: 

[Figure: Slopes.png]

The graph below shows the location count for these users over time – the typical pattern of 0 or 1 sign-in locations daily for these user accounts increased to 6-8 sign-in locations daily. Are these locations legitimate – that’s the starting point for investigation…  

[Figure: TimeSeriesGraph.png]

 

 Tim Burrell, Microsoft Threat Intelligence Center 

April 2019 

 

Appendix 

 

Final consolidated query described in the main text 

SigninLogs 

| extend  locationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";") 

| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString 

// create time series 

| make-series dLocationCount = dcount(locationString) on TimeGenerated from datetime(01-01-2019) to datetime(01-31-2019) step 1d 

by UserPrincipalName, AppDisplayName 

// Compute best fit line for each entry 

| extend (RSquare,Slope,Variance,RVariance,Interception,LineFit)=series_fit_line(dLocationCount) 

// Chart the 3 most interesting lines  

// 0 slope corresponds to completely stable over time 

| top 3 by Slope desc  

| render timechart