Scenario: identify user accounts authenticating from an unexpectedly large number of locations. The intuition is that these accounts may be of security interest, and potentially compromised.
This Kusto tutorial discusses using time series analysis to investigate change patterns in data with the make-series operator and the series_fit_line function from the Kusto language used in Azure Log Analytics. This post describes a possible application of those techniques in a security context.
For the purposes of this example we restrict ourselves to the count of distinct locations and to hunting for ‘the most unusual’ sign-in activity – even if that is below the threshold that would result in an alert.
A typical organization may have many users and many applications using Azure Active Directory for authentication. Some applications (for example Office365 Exchange Online) may have many more authentications than others (say Visual Studio) and thus dominate the data. Also users may have a different location profile depending on the application – high location variability for email access may be expected, but less so for development activity associated with Visual Studio authentications for example. For both these reasons it may be desirable to track location variability for every user/application combination and then investigate just some of the most unusual cases.
The time series analysis make-series operator and series_fit_line function allow just that. Our starting point is the Azure Active Directory sign-in logs – stored in the SigninLogs table in Azure Log Analytics:
// 0 slope corresponds to completely stable over time
| top 3 by Slope desc
A completely stable profile over time – constant number of locations – will lead to a horizontal line – i.e. a slope of zero.
A spike in number of sign-in locations translates to a positive slope value, so of all the best-fit lines – each line corresponding to a particular user/application combination - we can pick those with the largest slope values.
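The query below is an added worked example of the approach just described; it is not the post's own consolidated query. It assumes the standard Log Analytics SigninLogs columns TimeGenerated, UserPrincipalName, AppDisplayName, Location and ResultType, a 30-day window with one-day steps, and (as a design choice, not something the post specifies) that only successful sign-ins with a resolved location are counted:

```kusto
// Added example (not the original post's query): rank user/application pairs by the
// slope of a best-fit line through their daily count of distinct sign-in locations.
// Assumptions: SigninLogs columns TimeGenerated, UserPrincipalName, AppDisplayName,
// Location and ResultType; 30-day lookback with a 1-day step.
let lookback = 30d;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"           // successful sign-ins only (assumption; ResultType is a string column)
| where isnotempty(Location)        // ignore events with no resolved location
// One series per user/application: distinct locations per day, 0 on days with no sign-ins
| make-series LocationCount = dcount(Location) default = 0
    on TimeGenerated from ago(lookback) to now() step 1d
    by UserPrincipalName, AppDisplayName
// Fit a straight line through each series; a positive Slope means the daily
// location count is trending upwards over the window
| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(LocationCount)
// 0 slope corresponds to completely stable over time
| project UserPrincipalName, AppDisplayName, Slope, RSquare, TimeGenerated, LocationCount
| top 3 by Slope desc
```

RSquare is kept alongside Slope as a sanity check: a high slope with a very low RSquare usually means a single noisy day rather than a sustained change. Appending `| render timechart` to the query plots the retained LocationCount series per user/application, which is the kind of graph the post uses to show the jump from 0 or 1 daily locations to several.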
The top slope values across all the best fit lines in a sample test set were around 0.2 – 0.3:
The graph below shows the location count for these users over time – the typical pattern of 0 or 1 sign-in locations daily for these user accounts increased to 6-8 sign-in locations daily. Are these locations legitimate – that’s the starting point for investigation…
Tim Burrell, Microsoft Threat Intelligence Center
Final consolidated query described in the main text