Privileged users logging in from a new ASN may indicate potential lateral movement or unauthorized access. SOC teams should proactively hunt for this behavior to identify and mitigate potential compromise of privileged accounts in their Azure Sentinel environment.
KQL Query
```kusto
let admins=(IdentityInfo
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
let known_asns = (
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admins)
| where AutonomousSystemNumber !in (known_asns)
| project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
```
```yaml
id: 55073036-bb86-47d3-a85a-b113ac3d9396
name: Privileged User Logon from new ASN
description: |
  'Detects a successful logon by a privileged account from an ASN not logged in from in the last 14 days.
  Monitor these logons to ensure they are legitimate and identify if there are any similar sign ins.'
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: BehaviorAnalytics
    dataTypes:
      - BehaviorAnalytics
  - connectorId: BehaviorAnalytics
    dataTypes:
      - IdentityInfo
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - DefenseEvasion
relevantTechniques:
  - T1078.004
tags:
  - AADSecOpsGuide
query: |
  let admins=(IdentityInfo
  | where AssignedRoles contains "admin" or GroupMembership has "Admin"
  | summarize by tolower(AccountUPN));
  let known_asns = (
  SigninLogs
  | where TimeGenerated between(ago(14d)..ago(1d))
  | where ResultType == 0
  | summarize by AutonomousSystemNumber);
  SigninLogs
  | where TimeGenerated > ago(1d)
  | where ResultType == 0
  | where tolower(UserPrincipalName) in (admins)
  | where AutonomousSystemNumber !in (known_asns)
  | project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: IPAddress
version: 1.0.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Identity", "Security - Others" ]
```
| Sentinel Table | Notes |
|---|---|
| IdentityInfo | Ensure this data connector is enabled |
| SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled System Maintenance Job
Description: A privileged user (e.g., domain admin) runs a scheduled maintenance job that connects to a remote server using a new ASN (Autonomous System Number) as part of a routine patching process.
Filter/Exclusion: destination_ip in (list of known maintenance server IPs) or process_name contains "patching_tool.exe"
Scenario: Remote Administration via Secure Tunnel
Description: A privileged user establishes a secure tunnel (e.g., using OpenVPN or WireGuard) from a new ASN to access internal resources, which is part of a legitimate remote administration setup.
Filter/Exclusion: source_ip in (list of trusted tunnel endpoints) or user_agent contains "OpenVPN" or "WireGuard"
Scenario: Cloud Provider IP Range Update
Description: A privileged user logs in from a new ASN that belongs to a recently updated cloud provider IP range (e.g., AWS, Azure), which is now part of the allowed network range.
Filter/Exclusion: source_ip in (cloud provider's current IP ranges) or asn in (list of recently updated cloud ASNs)
Scenario: Admin Task Using Third-Party Tool
Description: An admin uses a third-party tool (e.g., Ansible or Puppet) to perform configuration management across multiple systems, which connects from a new ASN as part of a multi-cloud or hybrid environment.
Filter/Exclusion: process_name contains "ansible" or "puppet" or user_agent contains "Ansible" or "Puppet"
Scenario: User Accessing from a New ISP for Business Travel
Description: A privileged user is traveling and logs in from a new ASN provided by a temporary ISP, which is part of their legitimate remote access setup.
*Filter/
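The following is an added worked example, not code from the page, from Microsoft, or from the Sentinel rule itself. It re-implements the KQL above in Python over constructed IdentityInfo and SigninLogs rows so the two let-statements and the final filter can be stepped through offline, and it bolts on the kind of allowlist exclusion the false-positive scenarios describe (trusted tunnel endpoints, known cloud ASNs). Everything in it is assumed: the evaluation time `NOW`, the sample identities and sign-in rows (documentation IP ranges, private-range ASNs), and the `trusted_ips` / `allowed_asns` parameters, which are a tuning knob added here rather than part of the original rule. The helpers `_kql_contains` and `_kql_has` approximate the KQL operators' semantics (case-insensitive substring versus whole-term match), which is why the constructed "dave" identity in an "Administrators" group is not treated as privileged.

```python
"""Worked example of the 'privileged user logon from new ASN' logic.

Constructed data only: the rows below are invented to illustrate the query,
not exported from any tenant. Field names mirror the Sentinel columns the
KQL uses (IdentityInfo / SigninLogs)."""
import re
from datetime import datetime, timedelta, timezone

# Assumed evaluation time standing in for KQL's now().
NOW = datetime(2024, 3, 15, 12, 0, tzinfo=timezone.utc)

# Constructed IdentityInfo rows. "dave" sits in "Administrators", which the
# query's `GroupMembership has "Admin"` does NOT match: `has` is a whole-term
# match, so the term "administrators" is not the term "admin".
IDENTITY_INFO = [
    {"AccountUPN": "Alice.Admin@contoso.example", "AssignedRoles": ["Global Administrator"], "GroupMembership": []},
    {"AccountUPN": "bob@contoso.example", "AssignedRoles": [], "GroupMembership": ["Privileged Role Admin"]},
    {"AccountUPN": "carol@contoso.example", "AssignedRoles": [], "GroupMembership": ["Sales"]},
    {"AccountUPN": "dave@contoso.example", "AssignedRoles": [], "GroupMembership": ["Administrators"]},
]

def _row(days=0, hours=0, upn="", result="0", asn=0, ip="203.0.113.10", ua="Mozilla/5.0"):
    """Build one constructed SigninLogs row relative to NOW."""
    return {"TimeGenerated": NOW - timedelta(days=days, hours=hours), "UserPrincipalName": upn,
            "ResultType": result, "AutonomousSystemNumber": asn, "IPAddress": ip, "UserAgent": ua}

# Constructed SigninLogs rows (documentation IP ranges, private-range ASNs).
SIGNIN_LOGS = [
    _row(days=10, upn="alice.admin@contoso.example", asn=3356),           # baseline: ASN 3356 becomes known
    _row(days=5, upn="carol@contoso.example", asn=8075),                  # baseline: ASN 8075 becomes known (tenant-wide)
    _row(days=3, upn="bob@contoso.example", result="50126", asn=64500),   # failed logon: must not make 64500 known
    _row(hours=2, upn="Alice.Admin@contoso.example", asn=64500, ip="203.0.113.55"),  # admin, new ASN -> alert
    _row(hours=3, upn="bob@contoso.example", asn=8075),                   # admin, ASN already seen by anyone -> no alert
    _row(hours=1, upn="carol@contoso.example", asn=64501),                # new ASN, not privileged -> no alert
    _row(hours=4, upn="bob@contoso.example", asn=64502, ip="198.51.100.7", ua="OpenVPN"),  # new ASN, trusted tunnel endpoint
    _row(hours=5, upn="dave@contoso.example", asn=64503),                 # "Administrators" does not satisfy has "Admin"
]

def _kql_contains(values, needle):
    """KQL `contains`: case-insensitive substring match over each element."""
    return any(needle.lower() in v.lower() for v in values)

def _kql_has(values, needle):
    """KQL `has`: case-insensitive whole-term match (terms = alphanumeric runs)."""
    return any(needle.lower() in re.findall(r"[a-z0-9_]+", v.lower()) for v in values)

def privileged_accounts(identity_info):
    """The `admins` let-statement: lower-cased UPNs of privileged identities."""
    return {row["AccountUPN"].lower() for row in identity_info
            if _kql_contains(row["AssignedRoles"], "admin") or _kql_has(row["GroupMembership"], "Admin")}

def known_asns(signin_logs, now=NOW):
    """The `known_asns` let-statement: ASNs with a successful logon by ANY user 14d..1d ago."""
    start, end = now - timedelta(days=14), now - timedelta(days=1)
    return {row["AutonomousSystemNumber"] for row in signin_logs
            if start <= row["TimeGenerated"] <= end and row["ResultType"] == "0"}

def new_asn_admin_logons(signin_logs, identity_info, now=NOW, trusted_ips=frozenset(), allowed_asns=frozenset()):
    """The main query. trusted_ips / allowed_asns are the optional exclusions the
    scenario list suggests (trusted tunnel endpoints, known cloud ASNs); they are
    an added tuning knob, not part of the original rule."""
    admins = privileged_accounts(identity_info)
    baseline = known_asns(signin_logs, now)
    hits = []
    for row in signin_logs:
        if row["TimeGenerated"] <= now - timedelta(days=1) or row["ResultType"] != "0":
            continue
        if row["UserPrincipalName"].lower() not in admins or row["AutonomousSystemNumber"] in baseline:
            continue
        if row["IPAddress"] in trusted_ips or row["AutonomousSystemNumber"] in allowed_asns:
            continue
        local_part, _, suffix = row["UserPrincipalName"].partition("@")  # split(UPN, "@")[0] / [1]
        hits.append({**row, "AccountName": local_part, "AccountUPNSuffix": suffix})
    return hits

if __name__ == "__main__":
    for hit in new_asn_admin_logons(SIGNIN_LOGS, IDENTITY_INFO):
        print(hit["TimeGenerated"], hit["UserPrincipalName"], hit["AutonomousSystemNumber"], hit["IPAddress"])
```

Two properties of the original query are visible when stepping through the sample rows: the `known_asns` baseline is built from every user's successful sign-ins, not per account, so an admin signing in from an ASN that any colleague used in the window is silent; and failed sign-ins in the window never make an ASN "known", so an attacker cannot pre-seed the baseline with unsuccessful attempts. The exclusion parameters show where scenario-style allowlists would sit without loosening the core logic.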