A user with successful authentication events from different IPs may also represent the legitimate use of more than one device. Filter as needed and/or customize the threshold to fit your environment.

Techniques

Sample rules

AWS Successful Console Authentication From Multiple IPs

Description

The following analytic detects an AWS account successfully authenticating from multiple unique IP addresses within a 5-minute window. It leverages AWS CloudTrail logs, specifically monitoring ConsoleLogin events and counting distinct source IPs. This behavior is significant as it may indicate compromised credentials, potentially from a phishing attack, being used concurrently by an adversary and a legitimate user. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the AWS environment.

Detection logic

`cloudtrail` eventName = ConsoleLogin
| bin span=5m _time
| rename user_name as user
| stats min(_time) as firstTime max(_time) as lastTime dc(src) as distinct_ip_count values(src) as src values(user_agent) as user_agent values(dest) as dest by _time, user, signature, vendor_account, vendor_region, vendor_product
| where distinct_ip_count>1
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `aws_successful_console_authentication_from_multiple_ips_filter`

Azure AD Successful Authentication From Different Ips

Description

The following analytic detects an Azure AD account successfully authenticating from multiple unique IP addresses within a 30-minute window. It leverages Azure AD SignInLogs to identify instances where the same user logs in from different IPs in a short time frame. This behavior is significant as it may indicate compromised credentials being used by an adversary, potentially following a phishing attack. If confirmed malicious, this activity could allow unauthorized access to corporate resources, leading to data breaches or further exploitation within the network.

Detection logic

`azure_monitor_aad` properties.authenticationDetails{}.succeeded=true category=SignInLogs 
| rename properties.* as * 
| bucket span=30m _time 
| fillnull 
| stats count min(_time) as firstTime max(_time) as lastTime dc(src) AS unique_ips values(dest) as dest values(src) as src by user vendor_account vendor_product signature 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| where unique_ips > 1 
| `azure_ad_successful_authentication_from_different_ips_filter`
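Both rules above share one shape: normalize the login events, floor `_time` into fixed windows (5 minutes for CloudTrail, 30 minutes for Azure AD SignInLogs), count distinct source IPs per user in each window, alert when the count exceeds a threshold, and pass the result through a filter macro that suppresses known exceptions. The Python below is an added example that reproduces that pipeline outside Splunk so the window size, threshold and allowlist can be tuned against test data; it is not code from the Splunk security content project, and the events, user names and IP addresses are constructed, not real CloudTrail or SignInLogs records. The `allowlist` parameter is the stand-in for the `*_filter` macros, which is where the multi-device users mentioned in the false-positive note above would be excluded.

```python
"""Per-user distinct-source-IP login detection, modelled on the two rules above.

Added example with constructed data; not real CloudTrail or Azure AD SignInLogs.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed events, already normalized the way the rules' `rename` stages do:
# one record per login attempt with user, src, success flag and ISO-8601 time.
SAMPLE_EVENTS = [
    {"user": "alice", "src": "203.0.113.10", "success": True,  "time": "2024-05-01T09:01:00+00:00"},
    {"user": "alice", "src": "198.51.100.7", "success": True,  "time": "2024-05-01T09:03:00+00:00"},
    {"user": "bob",   "src": "203.0.113.20", "success": True,  "time": "2024-05-01T09:01:00+00:00"},
    {"user": "bob",   "src": "198.51.100.8", "success": True,  "time": "2024-05-01T09:12:00+00:00"},
    {"user": "carol", "src": "203.0.113.30", "success": True,  "time": "2024-05-01T09:02:00+00:00"},
    {"user": "carol", "src": "198.51.100.9", "success": False, "time": "2024-05-01T09:02:30+00:00"},
    {"user": "dave",  "src": "203.0.113.40", "success": True,  "time": "2024-05-01T09:00:10+00:00"},
    {"user": "dave",  "src": "203.0.113.41", "success": True,  "time": "2024-05-01T09:00:20+00:00"},
    {"user": "dave",  "src": "203.0.113.42", "success": True,  "time": "2024-05-01T09:00:30+00:00"},
]


def to_epoch(iso_time: str) -> int:
    """Parse an ISO-8601 timestamp with offset into epoch seconds."""
    return int(datetime.fromisoformat(iso_time).timestamp())


def bucket_start(epoch: int, span_seconds: int) -> int:
    """Same arithmetic as `bin span=5m _time` / `bucket span=30m _time`:
    floor the timestamp to the start of its fixed-size window."""
    return epoch - (epoch % span_seconds)


def _iso(epoch: int) -> str:
    return datetime.fromtimestamp(epoch, tz=timezone.utc).isoformat()


def detect_multi_ip_logins(events, span_seconds, threshold=1, allowlist=()):
    """Return one finding per (user, window) whose count of distinct source IPs
    for successful logins exceeds `threshold` (the rules use `> 1`).
    `allowlist` plays the role of the trailing *_filter macro, where users
    known to work from several devices would be excluded."""
    groups = defaultdict(list)
    for ev in events:
        if not ev["success"]:  # both rules look at successful logins only
            continue
        epoch = to_epoch(ev["time"])
        key = (ev["user"], bucket_start(epoch, span_seconds))
        groups[key].append((epoch, ev["src"]))

    findings = []
    for (user, bucket), hits in sorted(groups.items()):
        ips = sorted({src for _, src in hits})  # dc(src) / values(src)
        if len(ips) <= threshold or user in allowlist:
            continue
        times = [t for t, _ in hits]
        findings.append({
            "user": user,
            "bucket_start": _iso(bucket),
            "distinct_ip_count": len(ips),
            "src": ips,
            "firstTime": _iso(min(times)),  # min(_time) as firstTime
            "lastTime": _iso(max(times)),   # max(_time) as lastTime
        })
    return findings


if __name__ == "__main__":
    # 300 s is the AWS rule's window, 1800 s the Azure AD rule's window.
    for span in (300, 1800):
        print(f"span={span}s")
        for finding in detect_multi_ip_logins(SAMPLE_EVENTS, span, allowlist={"dave"}):
            print("  ", finding)
```

Running it shows why the window matters: bob's two IPs sit 11 minutes apart, so he only surfaces under the 30-minute window, while carol never does because her second-IP attempt failed. Raising `threshold` to 2 keeps only dave's three-IP window, and putting dave on the allowlist drops him entirely, which is the tuning the false-positive note above is asking for.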