Detectionhightest

Anomalous Token

Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Launch

Mark MorowczynskiCreated Mon Aug 076555754e-5e7f-4a67-ad1c-4041c413a007cloud

Log Source

Azureriskdetection

ProductAzure← raw: azure

Serviceriskdetection← raw: riskdetection

Detection Logic

detection:
    selection:
        riskEventType: 'anomalousToken'
    condition: selection

False Positives

We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.

References

MITRE ATT&CK

Tactics

TA0006 · Credential Access

Techniques

T1528 · Steal Application Access Token

Rule Metadata

Rule ID

6555754e-5e7f-4a67-ad1c-4041c413a007

Status

test

Level

high

Type

Detection

Created

Mon Aug 07

Author

Mark Morowczynski

Path

rules/cloud/azure/identity_protection/azure_identity_protection_anomalous_token.yml

Raw Tags

attack.t1528attack.credential-access

View on GitHub