Adversaries may log on from geographic locations where a given user is not expected, bypassing location-based access controls to gain unauthorized access to systems. SOC teams should proactively hunt for this behavior in Azure Sentinel to identify potential credential theft or reconnaissance activity targeting specific regions.
KQL Query
```kusto
// Devices in scope for the hunt: one row per device name.
// DeviceInfo reports each device repeatedly, so distinct (rather than
// make_list) yields the single plain column the in() operator expects.
let relevant_computers =
    DeviceInfo
    | where MachineGroup == "My_MachineGroup"
    | distinct DeviceName;
// Users allowed on those devices, identified by their mail domain.
let relevant_users =
    IdentityInfo
    | where MailAddress endswith "@allowed.users"
    | distinct AccountName;
// Logons in the last day to in-scope devices by anyone outside the allowed set.
DeviceLogonEvents
| where Timestamp > ago(1d)
| where DeviceName in (relevant_computers)
| where AccountName !in (relevant_users)
| project DeviceName, AccountName
```
```yaml
id: ef645ae9-da22-4ebe-b2ad-c3ad024b807c
name: Non_intended_user_logon
description: |
  Under some circumstances only users from country X are allowed to
  log on to devices located in country X.
  This query finds logons to those devices by users from countries other than X.
  The query requires a property that identifies the users from
  country X; in this example a specific email address domain.
requiredDataConnectors:
  - connectorId: MicrosoftThreatProtection
    dataTypes:
      - DeviceInfo
      - IdentityInfo
      - DeviceLogonEvents
query: |
  // One row per in-scope device (distinct gives in() a plain column).
  let relevant_computers =
      DeviceInfo
      | where MachineGroup == "My_MachineGroup"
      | distinct DeviceName;
  // Users allowed on those devices, identified by mail domain.
  let relevant_users =
      IdentityInfo
      | where MailAddress endswith "@allowed.users"
      | distinct AccountName;
  DeviceLogonEvents
  | where Timestamp > ago(1d)
  | where DeviceName in (relevant_computers)
  | where AccountName !in (relevant_users)
  | project DeviceName, AccountName
```
| Sentinel Table | Notes |
|---|---|
| DeviceInfo | Ensure this data connector is enabled |
| DeviceLogonEvents | Ensure this data connector is enabled |
| IdentityInfo | Ensure this data connector is enabled |
- Scenario: A system administrator logs in from a different country to perform maintenance on a remote server.
  Filter/Exclusion: Exclude logons from the admin’s IP address, or include a field such as user_role = "admin".
- Scenario: A scheduled job runs on a server located in country X, but the job is configured to connect to a database in country Y.
  Filter/Exclusion: Exclude logons initiated by scheduled tasks using a field such as source = "scheduled_job" or job_name = "daily_backup".
- Scenario: A user from country Y accesses a cloud-based management console (e.g., AWS Console) to manage resources in country X.
  Filter/Exclusion: Exclude logons from known cloud management consoles using a field such as tool = "AWS Console" or application = "cloud_management".
- Scenario: A user from country Z accesses the company’s internal portal to submit a support ticket, but the portal is accessible globally.
  Filter/Exclusion: Exclude logons from users with the role support_ticket_submitter, or include a field such as request_type = "support_ticket".
- Scenario: A user from country W logs in to a virtual private network (VPN) server located in country X to access internal resources.
  Filter/Exclusion: Exclude logons that originate from a known VPN server IP, or include a field such as connection_type = "VPN" or vpn_server_ip = "192.168.1.100".
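The exclusions above expressed as KQL against the columns DeviceLogonEvents actually carries (ActionType, LogonType, RemoteIP, AccountDomain, IsLocalAdmin) rather than the pseudo-fields in the scenarios. This is an added example, not part of the original hunting query; the admin_exceptions and trusted_remote_ips allowlist values are placeholders, and the machine-group and mail-domain filters are assumed unchanged from the query above.

```kusto
// Added example: the hunt with practical false-positive exclusions applied.
let lookback = 1d;
// Devices in scope, one row per device (DeviceInfo reports each device repeatedly).
let relevant_computers =
    DeviceInfo
    | where MachineGroup == "My_MachineGroup"
    | distinct DeviceName;
// Users expected on those devices, identified by mail domain.
let relevant_users =
    IdentityInfo
    | where MailAddress endswith "@allowed.users"
    | distinct AccountName;
// Scenario 1: named admin / break-glass accounts allowed to log on from anywhere.
let admin_exceptions = datatable(AccountName:string) [
    "svc-maint-admin"        // placeholder, replace with your own
];
// Scenario 5: VPN concentrators / jump hosts whose source address is trusted.
let trusted_remote_ips = datatable(RemoteIP:string) [
    "192.168.1.100"          // placeholder taken from the VPN scenario above
];
DeviceLogonEvents
| where Timestamp > ago(lookback)
| where ActionType == "LogonSuccess"
| where DeviceName in (relevant_computers)
| where AccountName !in (relevant_users)
| where AccountName !in (admin_exceptions)
// Scenario 2: scheduled tasks and services log on as Batch/Service, not as a person.
| where LogonType !in ("Batch", "Service")
// Scenario 5: logons arriving through a trusted VPN/jump-host address.
// Local logons have an empty RemoteIP and are kept by this filter.
| where RemoteIP !in (trusted_remote_ips)
// Machine and Windows built-in accounts are not "users from another country".
| where AccountName !endswith "$"
| where AccountDomain !in~ ("NT AUTHORITY", "Window Manager", "Font Driver Host")
// One row per account/device pair, with context for triage.
| summarize LogonCount = count(),
            FirstSeen = min(Timestamp), LastSeen = max(Timestamp),
            LogonTypes = make_set(LogonType), RemoteIPs = make_set(RemoteIP)
          by DeviceName, AccountDomain, AccountName, IsLocalAdmin
| order by LogonCount desc
```

Rows where IsLocalAdmin is true, or where RemoteIPs contains addresses outside your known ranges, are the ones to triage first.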