Detectionlowtest

Measurable Increase Of Successful Authentications

Detects when successful sign-ins increased by 10% or greater.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Mike Duddington, Tim SheltonCreated Thu Aug 11Updated Thu Aug 1867d5f8fc-8325-44e4-8f5f-7c0ac07cb5aecloud

Log Source

Azuresigninlogs

ProductAzure← raw: azure

Servicesigninlogs← raw: signinlogs

Detection Logic

detection:
    selection:
        Status: Success
        Count: "<10%"
    condition: selection

False Positives

Increase of users in the environment

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

67d5f8fc-8325-44e4-8f5f-7c0ac07cb5ae

Status

test

Level

low

Type

Detection

Created

Thu Aug 11

Modified

Thu Aug 18

Author

Path

rules/cloud/azure/signin_logs/azure_ad_auth_sucess_increase.yml

Raw Tags

attack.privilege-escalationattack.persistenceattack.initial-accessattack.defense-evasionattack.t1078