Sample rules
New Country
- source: sigma
- techniques:
  - T1078
Description
Detects sign-ins from countries not seen in the user's past activity. The detection compares the sign-in location against the user's historical activity locations to identify new and infrequent ones.
Detection logic
selection:
  riskEventType: newCountry
condition: selection
Atypical Travel
- source: sigma
- techniques:
  - T1078
Description
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Detection logic
selection:
  riskEventType: unlikelyTravel
condition: selection
Suspicious Browser Activity
- source: sigma
- techniques:
  - T1078
Description
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.
Detection logic
selection:
  riskEventType: suspiciousBrowser
condition: selection
Password Spray Activity
- source: sigma
- techniques:
  - T1110
Description
Indicates that a password spray attack (one or a few common passwords tried against many accounts to stay under lockout thresholds) has been performed successfully.
Detection logic
selection:
  riskEventType: passwordSpray
condition: selection
Anomalous Token
- source: sigma
- techniques:
  - T1528
Description
Indicates that the token has abnormal characteristics, such as an unusual token lifetime or a token replayed from an unfamiliar location.
Detection logic
selection:
  riskEventType: anomalousToken
condition: selection
Malicious IP Address Sign-In Failure Rate
- source: sigma
- techniques:
  - T1090
Description
Indicates a sign-in from an IP address that is considered malicious because of high failure rates (for example, many invalid-credential attempts originating from that address).
Detection logic
selection:
  riskEventType: maliciousIPAddress
condition: selection
SAML Token Issuer Anomaly
- source: sigma
- techniques:
  - T1606
Description
Indicates that the issuer of the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.
Detection logic
selection:
  riskEventType: tokenIssuerAnomaly
condition: selection
Activity From Anonymous IP Address
- source: sigma
- techniques:
  - T1078
Description
Identifies users who were active from an IP address that has been identified as an anonymous proxy.
Detection logic
selection:
  riskEventType: riskyIPAddress
condition: selection
Malicious IP Address Sign-In Suspicious
- source: sigma
- techniques:
  - T1090
Description
Indicates a sign-in from an IP address that was known to be malicious at the time of sign-in.
Detection logic
selection:
  riskEventType: suspiciousIPAddress
condition: selection
Azure AD Threat Intelligence
- source: sigma
- techniques:
  - T1078
Description
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Detection logic
selection:
  riskEventType: investigationsThreatIntelligence
condition: selection
Anomalous User Activity
- source: sigma
- techniques:
  - T1098
Description
Indicates anomalous patterns of behavior, such as suspicious changes to the directory.
Detection logic
selection:
  riskEventType: anomalousUserActivity
condition: selection
Anonymous IP Address
- source: sigma
- techniques:
  - T1528
Description
Indicates sign-ins from an anonymous IP address (for example, an anonymizing browser or VPN).
Detection logic
selection:
  riskEventType: anonymizedIPAddress
condition: selection
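Every rule above is the same single-field Sigma selection on riskEventType, so the whole catalogue can be exercised at once. The following is an added example (not code from the page or from any rule repository): it carries the twelve riskEventType/technique pairs as a table, runs them over constructed sample records shaped like Microsoft Graph riskDetection objects, folds the hits into an ATT&CK view per user, lists riskEventType values no rule covers, and renders one selection as KQL. The sample records, the `AADUserRiskEvents` table and `RiskEventType` column names used in the KQL are assumptions for illustration.

```python
"""Run the riskEventType selections from the rule catalogue over sample
riskDetection records. Added example; the rule table mirrors the page,
the sample records and the KQL table/column names are assumptions."""
from collections import defaultdict

# Rule catalogue from the page: title -> (riskEventType to match, ATT&CK technique).
RULES = {
    "New Country": ("newCountry", "T1078"),
    "Atypical Travel": ("unlikelyTravel", "T1078"),
    "Suspicious Browser Activity": ("suspiciousBrowser", "T1078"),
    "Password Spray Activity": ("passwordSpray", "T1110"),
    "Anomalous Token": ("anomalousToken", "T1528"),
    "Malicious IP Address Sign-In Failure Rate": ("maliciousIPAddress", "T1090"),
    "SAML Token Issuer Anomaly": ("tokenIssuerAnomaly", "T1606"),
    "Activity From Anonymous IP Address": ("riskyIPAddress", "T1078"),
    "Malicious IP Address Sign-In Suspicious": ("suspiciousIPAddress", "T1090"),
    "Azure AD Threat Intelligence": ("investigationsThreatIntelligence", "T1078"),
    "Anomalous User Activity": ("anomalousUserActivity", "T1098"),
    "Anonymous IP Address": ("anonymizedIPAddress", "T1528"),
}

# Constructed sample records in the shape of Graph riskDetection objects
# (only the fields the rules need; not real tenant data).
SAMPLE_DETECTIONS = [
    {"id": "d-001", "userPrincipalName": "alice@example.test",
     "riskEventType": "newCountry", "riskLevel": "medium"},
    {"id": "d-002", "userPrincipalName": "alice@example.test",
     "riskEventType": "unlikelyTravel", "riskLevel": "medium"},
    {"id": "d-003", "userPrincipalName": "bob@example.test",
     "riskEventType": "passwordSpray", "riskLevel": "high"},
    {"id": "d-004", "userPrincipalName": "bob@example.test",
     "riskEventType": "TokenIssuerAnomaly", "riskLevel": "high"},   # unusual casing
    {"id": "d-005", "userPrincipalName": "carol@example.test",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "low"},    # no rule on the page
]


def selection_matches(rule, record):
    """Sigma 'condition: selection' with a one-field selection. Sigma string
    matching is case-insensitive by default, so compare case-folded values."""
    risk_type, _technique = rule
    value = record.get("riskEventType")
    return value is not None and value.casefold() == risk_type.casefold()


def evaluate(records, rules=RULES):
    """Return (record id, rule title, technique) for every rule that fires."""
    return [(rec["id"], title, rule[1])
            for rec in records
            for title, rule in rules.items()
            if selection_matches(rule, rec)]


def techniques_by_user(records, rules=RULES):
    """Fold hits into one ATT&CK view per user, so New Country plus Atypical
    Travel on the same account surfaces as a single T1078 story."""
    out = defaultdict(set)
    for rec in records:
        for _title, rule in rules.items():
            if selection_matches(rule, rec):
                out[rec["userPrincipalName"]].add(rule[1])
    return {user: sorted(techs) for user, techs in out.items()}


def uncovered_types(records, rules=RULES):
    """riskEventType values present in the data that no rule selects: coverage gaps."""
    covered = {rt.casefold() for rt, _ in rules.values()}
    return sorted({r["riskEventType"] for r in records
                   if r["riskEventType"].casefold() not in covered})


def to_kql(title, rules=RULES, table="AADUserRiskEvents"):
    """Render one rule's selection as a Sentinel KQL filter; '=~' keeps the
    case-insensitive Sigma semantics. Table and column names are assumed."""
    risk_type, technique = rules[title]
    return (f'{table}\n| where RiskEventType =~ "{risk_type}"\n'
            f'| extend Technique = "{technique}"')


if __name__ == "__main__":
    for hit in evaluate(SAMPLE_DETECTIONS):
        print(hit)
    print(techniques_by_user(SAMPLE_DETECTIONS))
    print("uncovered:", uncovered_types(SAMPLE_DETECTIONS))
    print(to_kql("Password Spray Activity"))
```

Run as-is to see the four hits, the per-user technique map, and `unfamiliarFeatures` reported as a riskEventType the catalogue does not cover; that last check is the one worth keeping in CI, since Identity Protection adds new riskEventType values over time and a selection-only rule set silently misses them.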