Query Details

Successful Sign In From New Country

Query

let KnownCountries = AADSignInEventsBeta
    | where Timestamp > ago(30d) and Timestamp < ago(3d)
    // Only filter on successful logins
    | where ErrorCode == 0
    | where isnotempty(Country)
    | distinct Country;
AADSignInEventsBeta
| where Timestamp > ago(3d)
| where ErrorCode == 0
| where isnotempty(Country)
| where Country !in (KnownCountries)
| project Timestamp, Country, UserAgent, ErrorCode, AccountObjectId,AccountDisplayName, IPAddress

About this query

Successful signin from new country

Query Information

Description

This query detects successful signins from countries that have not been seen before. Depending on where you run this query the lookback period is different, M365D uses 30 days and Sentinel uses 90 days. If you have longer retention periods it is recommended to use longer thresholds.

Risk

An adversary signs in from a new country to your azure AD tenant.

Defender XDR

Sentinel

let KnownCountries = SigninLogs
  | where TimeGenerated > ago(90d) and TimeGenerated < ago(3d)
    //Only filter on successful logins
    | where ResultType == 0
    | where isnotempty(Location)
    | distinct Location;
SigninLogs
| where TimeGenerated > ago(3d)
| where ResultType == 0
| where isnotempty(Location)
| where Location !in (KnownCountries)
| project TimeGenerated, Location, UserAgent, ResultType, Identity, UserPrincipalName, IPAddress

Explanation

This query is designed to identify successful sign-ins to Azure Active Directory from countries that have not been previously observed within a specified timeframe. The purpose is to detect potentially suspicious activity, such as an unauthorized user accessing an account from a new location.

Here's a simplified breakdown:

  1. Purpose: The query aims to find successful login attempts from countries that have not been seen before in the user's login history.

  2. Data Source: The query uses sign-in logs from Azure Active Directory. There are two versions of the query: one for Microsoft 365 Defender (M365D) and another for Microsoft Sentinel.

  3. Lookback Period:

    • M365D: Considers login data from the past 30 days, excluding the last 3 days.
    • Sentinel: Considers login data from the past 90 days, excluding the last 3 days.
  4. Process:

    • First, it identifies all countries from which successful logins have occurred within the lookback period (excluding the last 3 days).
    • Then, it checks for any successful logins in the last 3 days from countries not in the previously identified list.
  5. Output: The query outputs details of these new-country logins, including the timestamp, country, user agent, error code, account information, and IP address.

  6. Risk: The detection of a login from a new country could indicate unauthorized access, suggesting that an adversary might be attempting to access the account from a different location.

In summary, this query helps in identifying potentially unauthorized access attempts by flagging successful logins from new countries, which could be indicative of a security risk.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AADSignInEventsBetaSigninLogs

Keywords

SigninEventsUserCountryLocationTimestampIPAddressAccountIdentityUserAgentErrorCode

Operators

letwhereagoandisnotemptydistinctinproject

Actions

GitHub