Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query searches for logins with an expired access credential (for example an expired cookie). It then matches the IP address from which the expired credential access occurred with the IP addresses of successful logins. If there are logins with expired credentials, but no successful logins from an IP, this might indicate an attacker has copied the authentication cookie and is re-using it on another machine.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | FalconFriday |
| ID | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | CredentialAccess |
| Techniques | T1528 |
| Required Connectors | AzureActiveDirectory |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
SigninLogs |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊