SOLVED

Which user accounts are involved in "Sign-ins from IPs that attempt sign-ins to disabled accounts"

%3CLINGO-SUB%20id%3D%22lingo-sub-2334670%22%20slang%3D%22en-US%22%3EWhich%20user%20accounts%20are%20involved%20in%20%22Sign-ins%20from%20IPs%20that%20attempt%20sign-ins%20to%20disabled%20accounts%22%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2334670%22%20slang%3D%22en-US%22%3E%3CP%3EHi%2C%3C%2FP%3E%3CP%3EMy%20recently%20deployed%20Sentinel%20instance%20for%20a%20small%20school%20(approx%20120%20users)%20keeps%20giving%20me%20this%20incident%2C%20based%20on%20the%20rule%20%22Sign-ins%20from%20IPs%20that%20attempt%20sign-ins%20to%20disabled%20accounts%22.%20However%2C%20it%20shows%20the%20IP%20addresses%20where%20the%20logins%20are%20coming%20from%20but%20NOT%20the%20user%20accounts%20that%20were%20attempted%20to%20be%20logged%20into%2C%20nor%20the%20account%20that%20was%20successful.%26nbsp%3B%3C%2FP%3E%3CP%3EI'm%20confused%20-%20wouldn't%20Sentinel%20know%20which%20user%20accounts%20are%20involved%20(to%20be%20able%20to%20raise%20the%20alert)%20and%20just%20include%20that%20information%20in%20the%20Incident%3F%20And%20if%20it%20doesn't%20-%20how%20do%20I%20find%20out%3F%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EGrateful%20for%20any%20hints%2C%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EPaul%20Schnackenburg%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2335040%22%20slang%3D%22en-US%22%3ERe%3A%20Which%20user%20accounts%20are%20involved%20in%20%22Sign-ins%20from%20IPs%20that%20attempt%20sign-ins%20to%20disabled%20ac%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2335040%22%20slang%3D%22en-US%22%3E%3CP%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F10453%22%20target%3D%22_blank%22%3E%40Paul%20Schnackenburg%3C%2FA%3E%26nbsp%3BIt%20looks%20the%20information%20is%20in%20the%20query%20although%20I%20am%20not%20sure%20why%20it%20isn't%20exposed.%26nbsp%3B%20There%20is%20a%20column%20being%20returned%20called%20%22disabledAccountSet%22%20that%20will%20list%20all%20the%20accounts%20being%20accessed.%3C%2FP%3E%3CP%3ESince%20this%20is%20stored%20as%20a%20dynamic%20array%2C%20I%20used%20the%20mv-expand%20command%20to%20get%201%20row%20per%20account%20so%20it%20can%20be%20assigned%20to%20an%20Entity.%3C%2FP%3E%3CP%3E%3CSTRONG%3ENOTE%3A%20I%20do%20not%20actually%20have%20this%20query%20returning%20any%20results%20in%20my%20environment%20but%20this%20should%20work.%3C%2FSTRONG%3E%3C%2FP%3E%3CP%3E1)%20Add%20the%20following%20code%26nbsp%3Bto%20the%20end%20of%20the%20query%20in%20the%20Analytic%20rule%3C%2FP%3E%3CPRE%20class%3D%22lia-code-sample%20language-applescript%22%3E%3CCODE%3E%7C%20mv-expand%20disabledAccountSet%3C%2FCODE%3E%3C%2FPRE%3E%3CP%3E2)%20Setup%20an%20entity%20to%20use%20that%20column%20so%20that%20the%20results%20are%20mapped%20to%20an%20entity%20so%20you%20can%20see%20it.%3C%2FP%3E%3CP%3E%26nbsp%3B%3C%2FP%3E%3CP%3EThat%20should%20do%20it!%3C%2FP%3E%3C%2FLINGO-BODY%3E%3CLINGO-SUB%20id%3D%22lingo-sub-2337427%22%20slang%3D%22en-US%22%3ERe%3A%20Which%20user%20accounts%20are%20involved%20in%20%22Sign-ins%20from%20IPs%20that%20attempt%20sign-ins%20to%20disabled%20ac%3C%2FLINGO-SUB%3E%3CLINGO-BODY%20id%3D%22lingo-body-2337427%22%20slang%3D%22en-US%22%3E%3CA%20href%3D%22https%3A%2F%2Ftechcommunity.microsoft.com%2Ft5%2Fuser%2Fviewprofilepage%2Fuser-id%2F46875%22%20target%3D%22_blank%22%3E%40Gary%20Bushey%3C%2FA%3E.%20Thanks%2C%20that%20did%20the%20trick%2C%20much%20appreciated.%3C%2FLINGO-BODY%3E
New Contributor

Hi,

My recently deployed Sentinel instance for a small school (approx 120 users) keeps giving me this incident, based on the rule "Sign-ins from IPs that attempt sign-ins to disabled accounts". However, it shows the IP addresses where the logins are coming from but NOT the user accounts that were attempted to be logged into, nor the account that was successful. 

I'm confused - wouldn't Sentinel know which user accounts are involved (to be able to raise the alert) and just include that information in the Incident? And if it doesn't - how do I find out?

 

Grateful for any hints,

 

Paul Schnackenburg

2 Replies

@Paul Schnackenburg It looks the information is in the query although I am not sure why it isn't exposed.  There is a column being returned called "disabledAccountSet" that will list all the accounts being accessed.

Since this is stored as a dynamic array, I used the mv-expand command to get 1 row per account so it can be assigned to an Entity.

NOTE: I do not actually have this query returning any results in my environment but this should work.

1) Add the following code to the end of the query in the Analytic rule

| mv-expand disabledAccountSet

2) Setup an entity to use that column so that the results are mapped to an entity so you can see it.

 

That should do it!

best response confirmed by Paul Schnackenburg (New Contributor)
Solution
@Gary Bushey. Thanks, that did the trick, much appreciated.