
Successful Authentications From Countries You Do Not Operate Out Of

Sigma Rules

Summary
This detection rule identifies successful authentication attempts that originate from countries where the organization does not conduct business. Its purpose is to flag potential unauthorized access: a successful sign-in from an unfamiliar geographical location can indicate credential compromise or an insider threat. The rule analyzes Azure Sign-in logs and selects entries whose Authentication Status is 'Success'. It then applies a filter that excludes sign-ins from the countries the user has defined as expected, so that only anomalous authentications remain. The detection logic is therefore a selection of successful authentications combined with a negation filter, which alerts on access from unexpected locations and strengthens the organization's posture against the initial access tactics used by threat actors.
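The selection-and-negation logic described above, as an added Python example run over constructed sign-in events (this is not the Sigma rule's own source; the event field names `Status`, `Location.countryOrRegion`, `UserPrincipalName`, `IPAddress` and the allowed-country set are assumptions chosen for the sample):

```python
from dataclasses import dataclass

# Countries the organization operates out of (assumed set; tune per tenant).
ALLOWED_COUNTRIES = {"US", "DE"}


@dataclass(frozen=True)
class Alert:
    user: str
    country: str
    ip: str


def _country(event):
    """Return the sign-in country code upper-cased, or '' when absent."""
    loc = event.get("Location") or {}
    return (loc.get("countryOrRegion") or "").strip().upper()


def is_anomalous_success(event, allowed=ALLOWED_COUNTRIES):
    """Mirror of the rule: selection (Status == Success) AND NOT filter
    (country in allowed set). An event with no country does not match the
    filter, so it still alerts rather than being silently dropped."""
    if (event.get("Status") or "").strip().lower() != "success":
        return False
    return _country(event) not in allowed


def detect(events, allowed=ALLOWED_COUNTRIES):
    """Run the rule over a list of sign-in events and return Alert records."""
    return [
        Alert(e.get("UserPrincipalName", "<unknown>"), _country(e) or "<unknown>",
              e.get("IPAddress", ""))
        for e in events
        if is_anomalous_success(e, allowed)
    ]


# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"Status": "Success", "UserPrincipalName": "alice@example.com",
     "IPAddress": "203.0.113.10", "Location": {"countryOrRegion": "US"}},
    {"Status": "Success", "UserPrincipalName": "bob@example.com",
     "IPAddress": "198.51.100.7", "Location": {"countryOrRegion": "br"}},
    {"Status": "Failure", "UserPrincipalName": "carol@example.com",
     "IPAddress": "192.0.2.44", "Location": {"countryOrRegion": "RU"}},
    {"Status": "Success", "UserPrincipalName": "dave@example.com",
     "IPAddress": "192.0.2.99"},  # no Location block at all
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(f"ALERT user={alert.user} country={alert.country} ip={alert.ip}")
```

Only the lowercase "br" sign-in and the event with no location data alert; the failed sign-in from an unexpected country is ignored because the rule only selects successes.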
Categories
  • Cloud
  • Azure
  • Identity Management
Data Sources
  • Cloud Service
  • Application Log
Created: 2022-07-28