Anomalous sign-in location by user account and authenticating application

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.

Attribute	Value
Type	Analytic Rule
Solution	Microsoft Entra ID
ID	`7cb8f77d-c52f-4e46-b82f-3cf2e106224a`
Severity	Medium
Status	Available
Kind	Scheduled
Tactics	InitialAccess
Techniques	T1078
Required Connectors	AzureActiveDirectory, AzureActiveDirectory
Source	View on GitHub

Tables Used

This content item queries data from the following tables:

Table	Transformations	Ingestion API	Lake-Only
`AADNonInteractiveUserSignInLogs`	✓	✗	?
`Anomalies`	✓	✓	?
`SigninLogs`	✓	✗	?

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

↑ Back to Analytic Rules · Back to Microsoft Entra ID