LoFP / legitimate first-time use of a new network: ISP change, new VPN provider, travel to a region using a different mobile carrier, new home office.

Techniques

Sample rules

Google Workspace User Login with Unusual ASN

Description

Detects the first time a Google Workspace user successfully signs in from a given source ASN within a 14-day historical window. Most users have a stable set of egress ASNs (home ISP, corporate VPN, mobile carrier), so a new ASN for a user is a meaningful anomaly: it surfaces benign ISP changes and travel, but it also catches AiTM phishing-kit relays whose egress ASN was never previously associated with the user.

Detection logic

data_stream.dataset: ("google_workspace.login" or "google_workspace.token") and
    event.action: ("login_success" or "authorize") and
    source.as.number: * and
    user.email: *
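The following is an added example, not part of the rule or the LoFP entry above: it applies the same filter to constructed login/token events and flags each (user, ASN) pair that has not been seen for that user in the preceding 14 days, so the legitimate cases listed in the entry (new VPN, new carrier) and an unfamiliar relay ASN surface in the same way. Field names follow the rule's query; the timestamps and ASN numbers are constructed, and the ASNs are drawn from the documentation-reserved range.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(days=14)  # historical window used by the rule description

# Constructed sample events (not real telemetry); ASNs 64496-64498 are reserved for documentation.
SAMPLE_EVENTS = [
    {"@timestamp": "2024-03-01T08:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64496},
    {"@timestamp": "2024-03-05T09:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64496},
    # alice from a new ASN (e.g. a new VPN provider, or a relay she never used before)
    {"@timestamp": "2024-03-10T10:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64497},
    # failed login: does not match event.action, so it must not seed the baseline
    {"@timestamp": "2024-03-10T11:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_failure", "user.email": "bob@example.com", "source.as.number": 64498},
    # OAuth token authorization counts the same as a login in the rule
    {"@timestamp": "2024-03-12T12:00:00Z", "data_stream.dataset": "google_workspace.token",
     "event.action": "authorize", "user.email": "bob@example.com", "source.as.number": 64498},
    # alice back on her original ASN, but 20 days after it was last seen: outside the window
    {"@timestamp": "2024-03-25T08:00:00Z", "data_stream.dataset": "google_workspace.login",
     "event.action": "login_success", "user.email": "alice@example.com", "source.as.number": 64496},
]


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def qualifies(ev):
    """Same predicate as the rule's query: dataset, action, and both key fields present."""
    return (ev.get("data_stream.dataset") in ("google_workspace.login", "google_workspace.token")
            and ev.get("event.action") in ("login_success", "authorize")
            and ev.get("source.as.number") is not None
            and bool(ev.get("user.email")))


def first_seen_asn_alerts(events, window=WINDOW):
    """Return (timestamp, user, asn) for each event whose user/ASN pair was not seen within `window`."""
    last_seen = {}  # (user, asn) -> datetime of the most recent qualifying event
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["@timestamp"])):
        if not qualifies(ev):
            continue
        ts = parse_ts(ev["@timestamp"])
        key = (ev["user.email"], ev["source.as.number"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append((ev["@timestamp"], key[0], key[1]))
        last_seen[key] = ts
    return alerts
```

Every alert here is a candidate for the false positives in the LoFP entry; triage by whether the new ASN matches a known ISP, VPN or carrier for that user before treating it as a relay.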