Identifies successful sign-ins from a country absent in the user's 30-day history, followed within one hour by a sensitive AuditLogs operation (role assignment, consent grant, credential addition, CA policy change) by the same user. Correlates geographic novelty with immediate high-value administrative action as a post-compromise signal.

References:
- https://learn.microsoft.com/azure/active-directory/reports-monitoring/reference-audit-activities
- https://learn.microsoft.com/azure/active-direct

| Attribute | Value |
|---|---|
| Type | Hunting Query |
| Solution | Standalone Content |
| ID | 271f4bf9-e387-48ef-a537-654bd53ca8e8 |
| Tactics | InitialAccess, Persistence, PrivilegeEscalation |
| Techniques | T1078.004, T1098 |
| Required Connectors | AzureActiveDirectory |
| Source | [View on GitHub](https://github.com/Azure/Azure-Sentinel/blob/master/Hunting%20Queries/MultipleDataSources/SignInFromNewCountryWithSensitiveOperation.yaml) |