User Profile
shainw
Joined 7 years ago
Recent Discussions
Re: How to make Rule "Explicit MFA Deny" better?
Thanks for the question. Are you looking to see if there was a successful MFA before this? If so, you can check for success, and likely the IP would be a good place to start. This hunting query shows how to use an anti-join to exclude previous logons: https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/SigninLogs/new_locations_azuread_signin.yaml - it is based on location, but you can apply the same concept to IP. I would be careful about how far you look back. You may also want to compare AppDisplayName to make sure it is the same app, and also look at MfaDetail to confirm the authMethod.

Re: Trying to understand "Anomalous sign-in location by user account and authenticating application"
mircasa - Thanks for the feedback. I am looking at the detection and we will likely have some updates in the next week available on the Azure Sentinel GitHub. The involved App should already be coming through in the AppDisplayName, but agreed we should bring through the Location information, the ResultType for the sign-in (meaning success or fail error code), along with IPAddresses related to the UserPrincipalName that is making the sign-in attempt. The goal of this detection is to indicate a UserPrincipalName for a given AppDisplayName is anomalous based on the location the IP is associated with, all relative to the last day, 7 days and 14 days. If an alert fires for this, then using the workbook that Ofer points out would be a next step to understand context for the user and sign-ins. We can also look at improving the description to help with this. I will post back once the new version is available.
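The anti-join approach described in the first reply above, keyed on IP instead of location, as an added KQL example that is not code from either reply or from the Azure Sentinel repository; the 14-day and 1-day windows are assumptions to tune for your tenant:

```kusto
// Added example: successful sign-ins from the last day whose
// UserPrincipalName / IPAddress / AppDisplayName combination was not seen
// in the preceding 14 days. Columns are standard SigninLogs columns;
// the window lengths (lookback, recent) are assumptions, not from the post.
let lookback = 14d;   // assumption: how far back to build the "known" baseline
let recent   = 1d;    // assumption: the window to inspect for new combinations
let successful = SigninLogs
    | where ResultType == "0"                       // "0" = successful sign-in
    | extend AuthMethod = tostring(MfaDetail.authMethod)
    | project TimeGenerated, UserPrincipalName, IPAddress, AppDisplayName, AuthMethod, Location;
// Baseline: combinations already seen before the recent window.
let known = successful
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | summarize by UserPrincipalName, IPAddress, AppDisplayName;
// Anti-join drops every recent row that matches a baseline row,
// leaving only user/IP/app combinations with no prior successful sign-in.
successful
| where TimeGenerated >= ago(recent)
| join kind=leftanti known on UserPrincipalName, IPAddress, AppDisplayName
| summarize FirstSeen = min(TimeGenerated), LastSeen = max(TimeGenerated),
            SigninCount = count(), AuthMethods = make_set(AuthMethod)
          by UserPrincipalName, IPAddress, AppDisplayName, Location
| order by FirstSeen asc
```

AuthMethods shows which MFA method (if any) satisfied the new sign-in, which is the MfaDetail check the reply suggests; an empty set means the success carried no MFA detail.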