Trying to understand "Anomalous sign-in location by user account and authenticating application"


I'm pretty new to Azure Sentinel so it might be obvious.

I got this incident in our Sentinel setup but I can't seem to understand what it's actually telling me.

When I look up the events for the incidents, I can't see the actual locations, but only the location count.

So how can I see the location for the logins to determine whether or not it's the actual user who just logged in from a new location?
Is it successful logins or just attempts?

Hope someone can clarify this for me.

 

7 Replies

@mircasa 

 

You can use the query:

SigninLogs
| where TimeGenerated > ago(14d)
| where UserPrincipalName == "...."
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/", tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
| summarize count() by locationString

 


@Ofer_Shezaf 

Thanks for the answer.

This gave a good view of the sign-ins.

But are these successful sign-ins or does it also count the failed sign-ins?


@mircasa 

 

It is all sign-ins because I kept to the data as analyzed by the rule itself. If you want to investigate sign-ins with more flexibility, you can use the Signins workbook, which is very useful. You can learn more about this workbook (as well as the sign-in mapping workbook) in the "Day in a SOC analyst life" webinar (see module 12 of https://aka.ms/sentinelninjatraining).


@Ofer_Shezaf 

 

Okay, I will look into that.

I'm just trying to understand why the incident is actually being created and what the response should be to it.

Thanks for the help.


@mircasa - Thanks for the feedback. I am looking at the detection and we will likely have some updates in the next week available on the Azure Sentinel GitHub (https://github.com/Azure/Azure-Sentinel). The involved app should already be coming through in the AppDisplayName, but agreed we should bring through the location information, the ResultType for the sign-in (meaning success or fail error code), along with IPAddresses related to the UserPrincipalName that is making the sign-in attempt. The goal of this detection is to indicate that a UserPrincipalName for a given AppDisplayName is anomalous based on the location the IP is associated with, all relative to the last day, 7 days and 14 days. If an alert fires for this, then using the workbook that Ofer points out would be a next step to understand context for the user and sign-ins. We can also look at improving the description to help with this. I will post back once the new version is available.
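To make the two technical points of this thread concrete (Ofer's per-location query, and the 1-day versus 7/14-day location comparison shainw describes), here is an added Python example that is not code from the thread or from the Azure Sentinel project. It runs the same logic over a handful of constructed SigninLogs-shaped rows: `locations_for_user` mirrors the KQL query but also splits each location into successful and failed sign-ins and lists the source IPs, and `anomalous_locations` flags, per user and app, locations seen in the last day that never appeared in the preceding 14 days, reporting the ResultType codes and IPs involved. The user names, IPs, app names and timestamps are constructed; ResultType "0" is the success code in SigninLogs, and "50126" is used here purely as a sample failure code. A user/app pair with no history at all is skipped rather than flagged, since there is no baseline to compare against.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed reference time so the example is deterministic.
NOW = datetime(2020, 5, 20, 12, 0, tzinfo=timezone.utc)


def row(days_ago, upn, app, country, state, city, ip, result="0"):
    """Build one constructed SigninLogs-shaped record. ResultType "0" = success."""
    return {
        "TimeGenerated": NOW - timedelta(days=days_ago),
        "UserPrincipalName": upn,
        "AppDisplayName": app,
        "LocationDetails": {"countryOrRegion": country, "state": state, "city": city},
        "IPAddress": ip,
        "ResultType": result,
    }


# Constructed sample data: alice normally signs in from Copenhagen; in the last
# day a failed and then a successful sign-in arrive from a new location.
SIGNIN_LOGS = [
    row(13,  "alice@example.com", "Office 365 Exchange Online", "DK", "Capital Region", "Copenhagen", "203.0.113.10"),
    row(8,   "alice@example.com", "Office 365 Exchange Online", "DK", "Capital Region", "Copenhagen", "203.0.113.10"),
    row(3,   "alice@example.com", "Office 365 Exchange Online", "DK", "Capital Region", "Copenhagen", "203.0.113.11"),
    row(0.5, "alice@example.com", "Office 365 Exchange Online", "DK", "Capital Region", "Copenhagen", "203.0.113.11"),
    row(0.2, "alice@example.com", "Office 365 Exchange Online", "BR", "Sao Paulo", "Sao Paulo", "198.51.100.7", "50126"),
    row(0.1, "alice@example.com", "Office 365 Exchange Online", "BR", "Sao Paulo", "Sao Paulo", "198.51.100.7"),
    row(0.3, "alice@example.com", "Azure Portal", "DK", "Capital Region", "Copenhagen", "203.0.113.11"),
    row(6,   "bob@example.com", "Azure Portal", "US", "Washington", "Redmond", "192.0.2.44"),
    row(0.4, "bob@example.com", "Azure Portal", "US", "Washington", "Redmond", "192.0.2.44"),
]


def location_string(r):
    """Same country/state/city string the thread's KQL builds with strcat()."""
    loc = r["LocationDetails"]
    return f'{loc["countryOrRegion"]}/{loc["state"]}/{loc["city"]};'


def locations_for_user(logs, upn, now=NOW, window=timedelta(days=14)):
    """Per-location view for one user over the lookback window, split into
    successful (ResultType "0") and failed sign-ins, with the IPs seen."""
    out = defaultdict(lambda: {"success": 0, "failure": 0, "ips": set()})
    for r in logs:
        if r["UserPrincipalName"] != upn or r["TimeGenerated"] <= now - window:
            continue
        entry = out[location_string(r)]
        entry["success" if r["ResultType"] == "0" else "failure"] += 1
        entry["ips"].add(r["IPAddress"])
    return dict(out)


def anomalous_locations(logs, now=NOW):
    """Per (user, app): locations seen in the last 1 day that are absent from the
    prior 14 days. Absence from the 14-day window implies absence from the
    7-day window too, so one baseline set covers both lookbacks."""
    recent_rows = defaultdict(list)
    baseline = defaultdict(set)
    for r in logs:
        age = now - r["TimeGenerated"]
        key = (r["UserPrincipalName"], r["AppDisplayName"])
        if age <= timedelta(days=1):
            recent_rows[key].append(r)
        elif age <= timedelta(days=14):
            baseline[key].add(location_string(r))
    findings = []
    for key, rows in recent_rows.items():
        if not baseline[key]:
            continue  # brand-new user/app pair: no history to compare against
        new_rows = [r for r in rows if location_string(r) not in baseline[key]]
        if new_rows:
            findings.append({
                "UserPrincipalName": key[0],
                "AppDisplayName": key[1],
                "new_locations": sorted({location_string(r) for r in new_rows}),
                "ips": sorted({r["IPAddress"] for r in new_rows}),
                "result_types": sorted({r["ResultType"] for r in new_rows}),
                "baseline_locations": sorted(baseline[key]),
            })
    return findings


if __name__ == "__main__":
    for loc, stats in locations_for_user(SIGNIN_LOGS, "alice@example.com").items():
        print(loc, stats)
    for finding in anomalous_locations(SIGNIN_LOGS):
        print(finding)
```

On the sample data, the per-location view shows the new location with one failed and one successful sign-in, which is exactly the distinction the thread asks about, and the anomaly pass raises a single finding for alice's Exchange Online sign-ins while leaving bob (a location already in his baseline) and alice's Azure Portal sign-ins (no baseline at all) alone.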


@shainw 

 

Definitely think that location info and ResultType would be a good addition.

Looking forward to the update.

Thanks for all the answers!


@shainw Also interested in this update, looking for Sentinel to flag us when a user signs in to Office 365 from a country other than their own.