
Switch sign-in and deletion time comparison, and add ResultType sign-in filter for SuspiciousLoginfromDeletedExternalIdentities #8913

Merged
merged 1 commit into from
Sep 4, 2023

Conversation

eroll-chorus
Contributor

Change(s):

  • For rule SuspiciousLoginfromDeletedExternalIdentities (Suspicious Login from deleted guest account):
    • added a filter for successful sign-ins
    • flipped the comparison for the sign-in and deletion times around

Reason for Change(s):

  • The rule intends to detect successful sign-ins, but it does not limit results based on sign-in success or failure. As per SigninLogs, a ResultType of 0 indicates a successful sign-in, so checking for this will limit results to sign-in success only
  • The rule intends to detect when a successful sign-in occurs after the account was deleted; however, the current logic actually checks that the deletion occurs after the sign-in
    • (See below for examples of the issue vs. proposed solution)

Version Updated:

  • Yes

Testing Completed:

  • Yes

Checked that the validations are passing and have addressed any issues that are present:

  • Yes

Work done in collaboration with @kstew-chorus and @smant-chorus


Delete_ and SigninLogs_TimeGenerated Check

Issue with Current Logic

Example Query

let Delete_TimeGenerated = datetime(2023-08-30T14:00:00.000Z);  // Deletion at 14:00 on 30th August 2023
let SigninLogs_TimeGenerated = datetime(2023-08-30T15:00:00.000Z);  // Sign-in at 15:00 on 30th August 2023 (i.e. 1 hour after deletion)
print SignInAfterDeletion = Delete_TimeGenerated > SigninLogs_TimeGenerated

Results

[screenshot of query result]

Even though the sign-in occurs after the deletion, the check returns false because Delete_TimeGenerated > SigninLogs_TimeGenerated corresponds to "return true when the deletion occurs after the sign-in". As the purpose of the detection is to identify sign-ins that occur from deleted accounts, the current logic is resulting in a false negative condition for this activity.

Proposed Solution

Example Query

let Delete_TimeGenerated = datetime(2023-08-30T14:00:00.000Z);  // Deletion at 14:00 on 30th August 2023
let SigninLogs_TimeGenerated = datetime(2023-08-30T15:00:00.000Z);  // Sign-in at 15:00 on 30th August 2023 (i.e. 1 hour after deletion)
print SignInAfterDeletion = SigninLogs_TimeGenerated > Delete_TimeGenerated

Results

[screenshot of query result]

By switching the check around to SigninLogs_TimeGenerated > Delete_TimeGenerated, it is now correctly checking if the sign-in occurs after the deletion.
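To show the effect of both changes over sample data, here is an added Python simulation of the rule's join (not the rule's KQL and not the Azure-Sentinel project's own code): the deletion and sign-in records are constructed inline, their record shape is an assumption, and the field names Delete_TimeGenerated, SigninLogs_TimeGenerated and ResultType follow the description above.

```python
from datetime import datetime

def ts(s: str) -> datetime:
    """Parse an ISO-8601 UTC timestamp like the datetime() literals in the PR."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

# Constructed sample data; the record shape (upn, timestamp, ResultType) is an assumption.
DELETIONS = [  # one deletion event per guest account (Delete_TimeGenerated)
    {"upn": "guest-a@example.com", "Delete_TimeGenerated": ts("2023-08-30T14:00:00Z")},
    {"upn": "guest-b@example.com", "Delete_TimeGenerated": ts("2023-08-30T14:00:00Z")},
    {"upn": "guest-c@example.com", "Delete_TimeGenerated": ts("2023-08-30T16:00:00Z")},
]
SIGNINS = [  # SigninLogs rows; ResultType 0 is success, any non-zero value is a failure
    {"upn": "guest-a@example.com", "SigninLogs_TimeGenerated": ts("2023-08-30T15:00:00Z"), "ResultType": 0},
    {"upn": "guest-b@example.com", "SigninLogs_TimeGenerated": ts("2023-08-30T15:00:00Z"), "ResultType": 50126},
    {"upn": "guest-c@example.com", "SigninLogs_TimeGenerated": ts("2023-08-30T15:00:00Z"), "ResultType": 0},
]

def _join(deletions, signins):
    """Inner join on UPN, mirroring the rule's join of deletion events to sign-ins."""
    by_upn = {d["upn"]: d for d in deletions}
    for s in signins:
        if s["upn"] in by_upn:
            yield by_upn[s["upn"]], s

def current_logic(deletions, signins):
    """Pre-PR check: Delete_TimeGenerated > SigninLogs_TimeGenerated, no ResultType filter."""
    return sorted({s["upn"] for d, s in _join(deletions, signins)
                   if d["Delete_TimeGenerated"] > s["SigninLogs_TimeGenerated"]})

def proposed_logic(deletions, signins):
    """Post-PR check: successful sign-in (ResultType == 0) that occurs after the deletion."""
    return sorted({s["upn"] for d, s in _join(deletions, signins)
                   if s["ResultType"] == 0
                   and s["SigninLogs_TimeGenerated"] > d["Delete_TimeGenerated"]})

if __name__ == "__main__":
    # guest-a signed in successfully after deletion: missed by the old check, caught by the new one.
    # guest-b failed to sign in after deletion: excluded by the ResultType filter.
    # guest-c signed in before deletion: wrongly flagged by the old check.
    print("current :", current_logic(DELETIONS, SIGNINS))   # ['guest-c@example.com']
    print("proposed:", proposed_logic(DELETIONS, SIGNINS))  # ['guest-a@example.com']
```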

…in filter for SuspiciousLoginfromDeletedExternalIdentities
@v-atulyadav v-atulyadav self-assigned this Aug 31, 2023
@eroll-chorus eroll-chorus marked this pull request as ready for review August 31, 2023 11:08
@eroll-chorus eroll-chorus requested review from a team as code owners August 31, 2023 11:08
@v-atulyadav v-atulyadav added Detection Detection specialty review needed and removed draft labels Sep 4, 2023
@v-atulyadav v-atulyadav merged commit 65127cf into Azure:master Sep 4, 2023
7 checks passed