Same User - Successful logon for a given App and failure on another App within 1m and low distribution

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This identifies when a user account successfully logs onto a given App and within 1 minute fails to logon to a different App. This may indicate a malicious attempt at accessing disallowed Apps for discovery or potential lateral movement

Attribute	Value
Type	Hunting Query
Solution	Standalone Content
ID	bc17381e-07ee-48a2-931f-06a3d9e149c9
Tactics	Discovery, LateralMovement
Techniques	T1087, T1021
Required Connectors	AzureActiveDirectory
Source	[View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting Queries/SigninLogs/SuccessThenFail_SameUserDiffApp.yaml)

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Hunting Queries