Detectionhightest

New Country

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Sun Sep 03adf9f4d2-559e-4f5c-95be-c28dff0b1476cloud

Log Source

Azureriskdetection

ProductAzure← raw: azure

Serviceriskdetection← raw: riskdetection

Detection Logic

detection:
    selection:
        riskEventType: 'newCountry'
    condition: selection

False Positives

We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

adf9f4d2-559e-4f5c-95be-c28dff0b1476

Status

test

Level

high

Type

Detection

Created

Sun Sep 03

Author

Path

rules/cloud/azure/identity_protection/azure_identity_protection_new_coutry_region.yml

Raw Tags

attack.t1078attack.persistenceattack.defense-evasionattack.privilege-escalationattack.initial-access