Adversaries holding compromised credentials often produce successful logins for one account from several countries within a short time: the attacker signs in from their own infrastructure while the legitimate user keeps working, or the attacker rotates through proxies and VPN exit nodes. SOC teams should hunt for this pattern in Azure Sentinel (now Microsoft Sentinel) to catch account compromise early, before the account is used for lateral movement.
KQL Query

```kql
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon'
    and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| summarize
    StartTime = min(TimeGenerated)
    , EndTime = max(TimeGenerated)
    , Vendors = make_set(EventVendor, 128)
    , Products = make_set(EventProduct, 128)
    , NumOfCountries = dcount(SrcGeoCountry)
    , Countries = make_set(SrcGeoCountry, 128)
  by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| where TargetUserType !in ("Application", "Service", "System", "Other", "Machine", "ServicePrincipal")
| extend
    Name = iif(
        TargetUsername contains "@"
        , tostring(split(TargetUsername, '@', 0)[0])
        , TargetUsername
    ),
    UPNSuffix = iif(
        TargetUsername contains "@"
        , tostring(split(TargetUsername, '@', 1)[0])
        , ""
    )
```
```yaml
id: 09ec8fa2-b25f-4696-bfae-05a7b85d7b9e
name: User login from different countries within 3 hours (Uses Authentication Normalization)
description: |
  'This query searches for successful user logins from different countries within 3 hours.
  To use this analytics rule, make sure you have deployed the [ASIM normalization parsers](https://aka.ms/ASimAuthentication)'
severity: High
requiredDataConnectors: []
queryFrequency: 3h
queryPeriod: 3h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
tags:
  - Id: 2954d424-f786-4677-9ffc-c24c44c6e7d5
    version: 1.0.0
  - Schema: ASIMAuthentication
    SchemaVersion: 0.1.0
query: |
  let timeframe = ago(3h);
  let threshold = 2;
  imAuthentication
  | where TimeGenerated > timeframe
  | where EventType == 'Logon'
      and EventResult == 'Success'
  | where isnotempty(SrcGeoCountry)
  | summarize
      StartTime = min(TimeGenerated)
      , EndTime = max(TimeGenerated)
      , Vendors = make_set(EventVendor, 128)
      , Products = make_set(EventProduct, 128)
      , NumOfCountries = dcount(SrcGeoCountry)
      , Countries = make_set(SrcGeoCountry, 128)
    by TargetUserId, TargetUsername, TargetUserType
  | where NumOfCountries >= threshold
  | where TargetUserType !in ("Application", "Service", "System", "Other", "Machine", "ServicePrincipal")
  | extend
      Name = iif(
          TargetUsername contains "@"
          , tostring(split(TargetUsername, '@', 0)[0])
          , TargetUsername
      ),
      UPNSuffix = iif(
          TargetUsername contains "@"
          , tostring(split(TargetUsername, '@', 1)[0])
          , ""
      )
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: TargetUsername
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
version: 1.2.5
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Ofer Shezaf
  support:
    tier: Community
  categories:
    domains: [ "Security - Network" ]
```
| Sentinel Table | Notes |
|---|---|
| imAuthentication | ASIM Authentication parser (a function, not a raw table). Make sure the ASIM parsers are deployed and that at least one authentication source (for example Entra ID sign-in logs or Windows Security events) is connected, otherwise the query returns nothing without any error. |
Adversaries may obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion. Compromised credentials may be used to by
Scenario: Remote Administrator Performing Scheduled Job from Different Country
Description: An admin uses a remote access tool such as Microsoft Remote Desktop to manage a server in a different country while a scheduled job runs (e.g., a nightly backup with Veeam Backup & Replication), so the same account authenticates from two countries within the window.
Filter/Exclusion: Authentication events carry no task name, so exclude by what imAuthentication does expose: the scheduled source host (SrcHostname or SrcIpAddr) and the dedicated backup account (TargetUserType, or an explicit allowlist of TargetUsername values). Prefer a separate service account for the job so the admin's own account is never excluded.
Scenario: Multi-Factor Authentication (MFA) Flow from Different Countries
Description: A travelling user, or one on a roaming device, completes MFA from a different country as part of an otherwise normal sign-in.
Filter/Exclusion: imAuthentication has no MFA column, so this has to come from the source table (for Entra ID sign-ins, AuthenticationRequirement and RiskLevelDuringSignIn in SigninLogs). Use it to lower the priority of MFA-satisfied hops rather than to drop them: excluding every MFA-satisfied login would also hide token replay and MFA-fatigue compromises, which pass MFA by design.
Scenario: Log Collection from a Centralized Logging Server in a Different Country
Description: A SIEM or collector (e.g., Splunk, ELK Stack) authenticates to regional servers with a collection account, producing logins from several countries within a short time frame.
Filter/Exclusion: Exclude the collector by SrcIpAddr or SrcHostname, and keep its collection account out of the "User" population via TargetUserType or an account allowlist.
Scenario: User Accessing Cloud Services from a Different Country via a VPN
Description: A user accesses cloud services (e.g., Azure Portal, AWS Console) through the corporate VPN (e.g., Cisco AnyConnect, OpenVPN) whose egress point is in a different country from the user's other logins.
Filter/Exclusion: Allowlist the corporate VPN egress ranges against SrcIpAddr (ipv4_is_in_any_range works with a list of CIDRs). Do not allowlist consumer VPN providers: attackers use the same exit nodes, so those logins should stay in scope.
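As an added example (not part of the original page or the Sentinel rule above), the following KQL reworks the detection in two ways: it applies the exclusions from the scenarios above using the columns imAuthentication actually has (SrcIpAddr, SrcHostname, TargetUserType, TargetUsername), and instead of counting distinct countries per account it compares each successful logon with the previous one for the same account, reporting consecutive hops between countries and how many minutes apart they were. The contents of KnownEgress, ScheduledHosts and AutomationAccounts are placeholder assumptions to be replaced with your own values.

```kql
// Added example, not Microsoft's rule: tuned country-hop detection over imAuthentication.
let timeframe = ago(3h);
// Placeholder: egress ranges of the corporate VPN / proxy (RFC 5737 documentation ranges here).
let KnownEgress = dynamic(["203.0.113.0/24", "198.51.100.0/24"]);
// Placeholder: hosts that authenticate on a schedule (backup servers, log collectors).
let ScheduledHosts = dynamic(["backup01", "logcollector01"]);
// Placeholder: automation accounts whose TargetUserType is still reported as "User".
let AutomationAccounts = dynamic(["svc-backup@example.com"]);
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon' and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| where TargetUserType !in ("Application", "Service", "System", "Other", "Machine", "ServicePrincipal")
| where TargetUsername !in~ (AutomationAccounts)
| where SrcHostname !in~ (ScheduledHosts)
// ipv4_is_in_any_range() returns null for empty or IPv6 addresses; treat those as "not allowlisted".
| where coalesce(ipv4_is_in_any_range(SrcIpAddr, KnownEgress), false) == false
| project TimeGenerated, TargetUserId, TargetUsername, TargetUserType,
          SrcGeoCountry, SrcIpAddr, EventVendor, EventProduct
// Order each account's logons in time and compare every logon with the previous one.
| sort by TargetUserId asc, TimeGenerated asc
| extend PrevUser = prev(TargetUserId),
         PrevCountry = prev(SrcGeoCountry),
         PrevTime = prev(TimeGenerated)
// Keep only consecutive logons of the same account from different countries (a "hop").
| where PrevUser == TargetUserId and PrevCountry != SrcGeoCountry
| extend MinutesBetween = datetime_diff('minute', TimeGenerated, PrevTime)
| summarize
    StartTime = min(PrevTime),
    EndTime = max(TimeGenerated),
    Hops = count(),
    FastestHopMinutes = min(MinutesBetween),
    FromCountries = make_set(PrevCountry, 128),
    ToCountries = make_set(SrcGeoCountry, 128),
    SrcIps = make_set(SrcIpAddr, 128),
    Vendors = make_set(EventVendor, 128),
    Products = make_set(EventProduct, 128)
  by TargetUserId, TargetUsername, TargetUserType
| extend Countries = set_union(FromCountries, ToCountries)
| extend NumOfCountries = array_length(Countries)
| project-away FromCountries, ToCountries
// Same entity columns as the original rule, so its entity mapping still applies.
| extend Name = iif(TargetUsername contains "@", tostring(split(TargetUsername, '@', 0)[0]), TargetUsername),
         UPNSuffix = iif(TargetUsername contains "@", tostring(split(TargetUsername, '@', 1)[0]), "")
| sort by FastestHopMinutes asc
```

Any account with at least one hop has logged in from at least two countries, so the original threshold of two countries is implied; FastestHopMinutes lets an analyst triage a five-minute hop ahead of one that took most of the window. Note that with queryPeriod equal to queryFrequency, as in the rule above, a pair of logons that straddles two scheduled runs is never seen together; if that matters, set queryPeriod longer than queryFrequency (for example 6h) and add `| where EndTime > ago(3h)` to limit re-alerting on hops already reported.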