Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'It is possible that a disabled user account is compromised and another account on the same IP is used to perform operations that are not typical for that user. The query filters the SigninLogs for entries where ResultType is indicates a disabled account and the TimeGenerated is within a defined time range. It then summarizes these entries by IPAddress and AppId, calculating various statistics such as number of login attempts, distinct UPNs, App IDs etc and joins these results with another set
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | 9adbd1c3-a4be-44ef-ac2f-503fd25692ee |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, Persistence, Collection |
| Techniques | T1078, T1098, T1114 |
| Required Connectors | AzureActiveDirectory, Office365 |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
OfficeActivity |
✓ | ✗ | ? |
SigninLogs |
✓ | ✗ | ? |
The following connectors provide data for this content item:
| Connector | Solution |
|---|---|
| AzureActiveDirectory | Microsoft Entra ID |
Solutions: Microsoft Entra ID
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊