security-tools/blue-team-tools
1
0
Fork 0
Code Issues Pull Requests Actions 45 Packages Projects Releases Wiki Activity
Files
95793d73bd34b27653bc2f55cb80db402655ea01
blue-team-tools/rules-placeholder/cloud/azure/azure_privileged_account_signin_outside_hours.yml
T
Nasreddine Bencherchali 95793d73bd Merge PR #4482 From @nasbench - Add New Automation Workflows 
chore: update workflows and add quality of life updates and automation to the repository

---------

Co-authored-by: phantinuss <79651203+phantinuss@users.noreply.github.com>
2023-10-18 11:53:44 +02:00

28 lines
1.0 KiB
YAML
Raw Blame History

title: Privilege Role Sign-In Outside Of Normal Hours
id: e927a2f5-e7af-424f-ace7-70ebb49e8976
status: test
description: Detects account sign ins outside of normal hours or uncommon locations. Administrator accounts should be investigated
references:
- https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/security-operations-privileged-accounts#things-to-monitor
author: Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H'
date: 2022/08/11
tags:
- attack.persistence
- attack.t1078
logsource:
product: azure
service: signinlogs
detection:
# You need to tune the rule for your enrivonnement before use
selection:
Status: Sucess
# Countries you DO operate out of e,g GB, use list for mulitple
Location: '%LegitCountries%'
# outside normal working hours
Date: '%ClosingTime%'
Initiatied.By: '%ApprovedUserUpn%'
condition: selection
falsepositives:
- An admin doing actual work outside of normal business hours
level: high
Reference in New Issue View Git Blame Copy Permalink