Detection | high | test

Unfamiliar Sign-In Properties

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Mark Morowczynski, Gloria Lee | Created Sun Sep 03 | 128faeef-79dd-44ca-b43c-a9e236a60f49 | cloud
Log Source
Product: Azure (raw: azure)
Service: riskdetection (raw: riskdetection)
Detection Logic (1 selector)
detection:
    selection:
        riskEventType: 'unfamiliarFeatures'
    condition: selection
False Positives

User changing to a new device, location, browser, etc.

Rule Metadata
Rule ID: 128faeef-79dd-44ca-b43c-a9e236a60f49
Status: test
Level: high
Type: Detection
Created: Sun Sep 03
Path: rules/cloud/azure/identity_protection/azure_identity_protection_unfamilar_sign_in.yml
Raw Tags
attack.t1078, attack.persistence, attack.defense-evasion, attack.privilege-escalation, attack.initial-access