Rule : Privileged Account Successful Sign-in from New ASN
Adminsignsinfronnewnetwork
Query
let admins=(IdentityInfo
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
//admins
let known_asns = (
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
//known_asns
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admins)
| where AutonomousSystemNumber !in (known_asns)
| project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])About this query
Rule : Privileged Account Successful Sign-in from New ASN
Description
That is useful for identifying suspicious admin access from a new network provider.
Detection Logic
- Creates a list of all admin users
- creates alist of all the ASNs used by the users in past 13 days
- check if any new ASNs are there for any privilages user today which was not seen before
Tags
- Privilege Escalation
- Suspicious Activity
Search Query
References
Explanation
This query is designed to detect potentially suspicious activity by identifying privileged accounts (such as admin users) that have successfully signed in from a new network provider, which is represented by an Autonomous System Number (ASN). Here's a simplified breakdown of what the query does:
-
Identify Admin Users: The query first creates a list of all users with admin roles by checking if their assigned roles or group memberships include "admin".
-
Collect Known ASNs: It then gathers a list of all ASNs (network providers) that these admin users have used in the past 13 days for successful sign-ins.
-
Detect New ASNs: The query checks for any successful sign-ins by these admin users in the last day (24 hours) from ASNs that were not seen in the previous 13 days.
-
Output Details: For any such sign-ins from new ASNs, the query outputs details including the time of sign-in, user principal name, user agent, IP address, and the new ASN. It also extracts and displays the account name and domain from the user principal name.
This detection logic is useful for identifying potential privilege escalation or suspicious activity by highlighting admin access from unfamiliar network providers.
Details

Ali Hussein
Released: July 2, 2026
Tables
Keywords
Operators