security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
95793d73bd34b27653bc2f55cb80db402655ea01
blue-team-tools/rules-placeholder/cloud/azure/azure_ad_account_signin_outside_hours.yml
T
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows 
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00

26 lines
876 B
YAML
Raw Blame History

title: Authentication Occuring Outside Normal Business Hours
id: 160f24f3-e6cc-496d-8a3d-f5d06e4ad526
status: test
description: Detects user signs ins outside of normal business hours.
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-user-accounts#monitoring-for-failed-unusual-sign-ins
author: Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1'
date: 2022/08/11
tags:
- attack.persistence
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
selection:
Status: Sucess
# Countries you DO operate out of e,g GB, use list for mulitple
Location: '%LegitCountries%'
# outside normal working hours
Date: '%ClosingTime%'
condition: selection
falsepositives:
- User doing actual work outside of normal business hours.
level: low
Reference in New Issue View Git Blame Copy Permalink