An adversary may be using a compromised user account to sign in from an unexpected geographic location, leveraging the user's credentials to access sensitive applications. Rather than alerting on any single unfamiliar location, this hunt counts the distinct sign-in locations per day for each user and application pair and surfaces the pairs whose count is growing fastest over the selected time range. SOC teams should run it proactively in Microsoft Sentinel (formerly Azure Sentinel) to identify potential account takeovers early and limit lateral movement within the environment.
KQL Query

```kusto
SigninLogs
// Forces Log Analytics to recognize that the query should be run over full time range
// (there is no explicit TimeGenerated filter; when run from the Hunting blade the selected time range bounds the scan)
| extend locationString = strcat(tostring(LocationDetails["countryOrRegion"]), "/",
    tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
| project TimeGenerated, AppDisplayName, UserPrincipalName, locationString
// Create time series: distinct locations per day for each user/app pair (days with no sign-ins become 0)
| make-series dLocationCount = dcount(locationString) on TimeGenerated step 1d
    by UserPrincipalName, AppDisplayName
// Compute best fit line for each entry
| extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount)
// Chart the 3 most interesting lines
// A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application
| top 3 by Slope desc
// After make-series, TimeGenerated is an array of bin start times, so timestamp is array-valued here
| extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName
| render timechart
```
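To make the ranking concrete, here is a small reference implementation of what the query computes, added for this page and not the query's own code or anything from Microsoft: it builds the same `countryOrRegion/state/city;` key, counts distinct locations per day for every user/app pair (with empty days filled as 0, as `make-series` does), fits a least-squares line to each daily series (the `Slope` that `series_fit_line` returns) and keeps the top three. The sign-in rows, the account names and the `KNOWN_SERVICE_ACCOUNTS` tuning list are all constructed; the `excluded_users` / `excluded_apps` parameters stand in for the `where` clauses a SOC would add for the exclusion scenarios listed later on this page.

```python
"""Reference implementation of the hunting query above (added example; not the page's query
or Microsoft code). Per (UserPrincipalName, AppDisplayName) it counts distinct sign-in
locations per day, fits a least-squares line to that daily series (what series_fit_line
does) and ranks pairs by slope. Sample rows and tuning lists below are constructed."""
from collections import defaultdict
from datetime import date, datetime, timedelta

BASE_DAY = date(2024, 3, 1)  # constructed start of a 7-day window

# (countryOrRegion, state, city) tuples in the shape of SigninLogs.LocationDetails (constructed)
US_WA, GB_LON, DE_BER = ("US", "Washington", "Redmond"), ("GB", "England", "London"), ("DE", "Berlin", "Berlin")
BR_SP, NG_LAG = ("BR", "Sao Paulo", "Sao Paulo"), ("NG", "Lagos", "Lagos")
IN_BLR, RU_MOW = ("IN", "Karnataka", "Bengaluru"), ("RU", "Moscow", "Moscow")
ALL_LOCS = [US_WA, GB_LON, DE_BER, BR_SP, NG_LAG, IN_BLR, RU_MOW]


def _rows(upn, app, per_day):
    """Build SigninLogs-like rows: per_day[i] lists the locations seen on day i (constructed data)."""
    rows = []
    for day, locs in enumerate(per_day):
        for n, (country, state, city) in enumerate(locs):
            rows.append({
                "TimeGenerated": f"{BASE_DAY + timedelta(days=day)}T{8 + n:02d}:00:00",
                "UserPrincipalName": upn,
                "AppDisplayName": app,
                "LocationDetails": {"countryOrRegion": country, "state": state, "city": city},
            })
    return rows


SAMPLE_SIGNIN_LOGS = (
    # stable user: one location every day -> slope 0 (two sign-ins on day 0 still dcount to 1)
    _rows("alice@contoso.com", "Office 365 Exchange Online", [[US_WA, US_WA]] + [[US_WA]] * 6)
    # widening location profile against a single app: the pattern the hunt is after
    + _rows("bob@contoso.com", "Azure Portal",
            [[US_WA], [US_WA], [US_WA, GB_LON], [US_WA, GB_LON], [US_WA, GB_LON, DE_BER],
             [US_WA, GB_LON, DE_BER, BR_SP], [US_WA, GB_LON, DE_BER, BR_SP, NG_LAG]])
    # traveller whose profile settles: negative slope; days without sign-ins become 0 like make-series
    + _rows("carol@contoso.com", "Microsoft Teams", [[US_WA, IN_BLR], [US_WA], [], [], [], [], []])
    # service account used by a backup tool, signing in from one more region every day
    + _rows("svc-backup@contoso.com", "Cloud Backup Tool (constructed app name)",
            [ALL_LOCS[: i + 1] for i in range(7)])
)

# Hypothetical tuning list (not from the page): service identities the SOC has vetted.
KNOWN_SERVICE_ACCOUNTS = frozenset({"svc-backup@contoso.com"})


def location_string(row):
    """Same key the query builds: countryOrRegion/state/city;"""
    ld = row["LocationDetails"]
    return f'{ld.get("countryOrRegion", "")}/{ld.get("state", "")}/{ld.get("city", "")};'


def daily_location_series(rows, excluded_users=frozenset(), excluded_apps=frozenset()):
    """make-series dcount(locationString) on TimeGenerated step 1d by UserPrincipalName, AppDisplayName.
    Exclusions are applied first, as a where clause placed before make-series would be."""
    rows = [r for r in rows
            if r["UserPrincipalName"] not in excluded_users and r["AppDisplayName"] not in excluded_apps]
    if not rows:
        return {}
    days = [datetime.fromisoformat(r["TimeGenerated"]).date() for r in rows]
    start, n_days = min(days), (max(days) - min(days)).days + 1
    buckets = defaultdict(lambda: [set() for _ in range(n_days)])  # one set of locations per day
    for row, day in zip(rows, days):
        buckets[(row["UserPrincipalName"], row["AppDisplayName"])][(day - start).days].add(location_string(row))
    return {key: [len(locs) for locs in per_day] for key, per_day in buckets.items()}


def fit_line_slope(series):
    """Ordinary least-squares slope of the series against its index 0..n-1 (Slope from series_fit_line)."""
    n = len(series)
    if n < 2:
        return 0.0
    x_mean, y_mean = (n - 1) / 2, sum(series) / n
    sxy = sum((i - x_mean) * (y - y_mean) for i, y in enumerate(series))
    sxx = sum((i - x_mean) ** 2 for i in range(n))
    return sxy / sxx


def top_anomalous(rows, k=3, **exclusions):
    """top k by Slope desc: returns (slope, user, app, daily_series) tuples."""
    series = daily_location_series(rows, **exclusions)
    ranked = sorted(((fit_line_slope(s), user, app, s) for (user, app), s in series.items()),
                    key=lambda t: t[0], reverse=True)
    return ranked[:k]


if __name__ == "__main__":
    for slope, user, app, s in top_anomalous(SAMPLE_SIGNIN_LOGS, excluded_users=KNOWN_SERVICE_ACCOUNTS):
        print(f"{slope:+.3f}  {user:<24} {app:<40} {s}")
```

Two things the sample makes visible that the query alone does not: the slope ranking only rewards growth, so an account that signs in from many locations every day (slope 0) never surfaces and needs a different hunt, and without the service-account exclusion the backup identity takes the top slot and pushes a real user/app pair off the three-line chart. Excluding by identity rather than by application keeps compromise via that same application visible for everyone else.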
YAML

```yaml
id: 8159c663-6724-41b8-9ae8-b328aa8d0c4c
name: Anomalous sign-in location by user account and authenticating application
description: |
  'This query examines Microsoft Entra ID sign-ins for each application and identifies the most anomalous change in a user's location profile. The goal is to detect user account compromise, possibly via a specific application vector.'
description_detailed: |
  'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Azure Active
  Directory application and picks out the most anomalous change in location profile for a user within an
  individual application. The intent is to hunt for user account compromise, possibly via a specific application
  vector.'
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  SigninLogs
  // Forces Log Analytics to recognize that the query should be run over full time range
  | extend locationString= strcat(tostring(LocationDetails["countryOrRegion"]), "/",
  tostring(LocationDetails["state"]), "/", tostring(LocationDetails["city"]), ";")
  | project TimeGenerated, AppDisplayName, UserPrincipalName, locationString
  // Create time series
  | make-series dLocationCount = dcount(locationString) on TimeGenerated step 1d
  by UserPrincipalName, AppDisplayName
  // Compute best fit line for each entry
  | extend (RSquare, Slope, Variance, RVariance, Interception, LineFit) = series_fit_line(dLocationCount)
  // Chart the 3 most interesting lines
  // A 0-value slope corresponds to an account being completely stable over time for a given Azure Active Directory application
  | top 3 by Slope desc
  | extend timestamp = TimeGenerated, AccountCustomEntity = UserPrincipalName
  | render timechart
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: AccountCustomEntity
version: 1.0.1
metadata:
  source:
    kind: Community
  author:
    name: Shain
  support:
    tier: Community
  categories:
    domains: [ "Security - Other", "Identity" ]
```
| Sentinel Table | Notes |
|---|---|
| SigninLogs | Ensure the Microsoft Entra ID (AzureActiveDirectory) data connector that populates this table is enabled |
Scenario: Remote Administration Tool (RAT) Usage
Description: A system administrator manages servers from a different geographic location with a remote administration tool such as PsExec, WinRM or RDP.
Filter/Exclusion: PsExec, WinRM and classic RDP authenticate with local or Active Directory credentials and do not write rows to SigninLogs; only sessions that authenticate to Entra ID appear there (for example a Windows sign-in to an Entra-joined host). For those, exclude the admin accounts' sign-ins from known admin egress ranges by filtering on IPAddress (ipv4_is_in_range) or on a trusted named location in NetworkLocationDetails, rather than by tool name.
Scenario: Scheduled Job Execution
Description: A scheduled job or service runs under a service account, and its sign-in location differs from the region the rest of the user population signs in from.
Filter/Exclusion: Task Scheduler, SQL Server Agent and Windows services run under local or domain identities and do not appear in SigninLogs; service principal and non-interactive sign-ins land in AADServicePrincipalSignInLogs and AADNonInteractiveUserSignInLogs rather than in this table. Where a job does sign in interactively with a user account, exclude that account explicitly by UserPrincipalName (a maintained list of service accounts), since the query groups by UserPrincipalName and AppDisplayName.
Scenario: Multi-Factor Authentication (MFA) Prompt from Different Location
Description: The location in SigninLogs is derived from the IP address of the client that signed in, not from the device that answered the MFA prompt, so the prompt itself does not add a location. What does raise the daily distinct-location count is a legitimate, MFA-satisfied sign-in from a new place (travel, a VPN egress point, a home network).
Filter/Exclusion: Exclude MFA-satisfied sign-ins from trusted named locations or managed, compliant devices, for example AuthenticationRequirement == "multiFactorAuthentication" together with ConditionalAccessStatus == "success" and DeviceDetail.isCompliant == true. Keep MFA-satisfied sign-ins from unfamiliar locations in scope: MFA fatigue and session-token theft both produce sign-ins that pass MFA.
Scenario: Cloud Backup or Sync Tool Sign-In
Description: A backup or sync client such as Veeam, Dell Data Protection or OneDrive signs in from a different location, triggering the rule.
Filter/Exclusion: Match the tool on AppDisplayName (and ClientAppUsed) rather than on a free-text application field. Prefer excluding the dedicated service identity the backup tool signs in with; excluding the application itself hides compromise via that application for every user, and a sync client on a user's laptop signs in with the user's identity from wherever the laptop is, so a new location there is exactly the signal this hunt looks for.
Scenario: User Access from a Known Partner or Affiliate Location
Description: A user signs in from a location associated with a business partner or affiliate, which is flagged as anom