Sign-ins from IPs that attempt sign-ins to disabled accounts (Uses Authentication Normalization)
Identifies IPs that made failed attempts to sign in to one or more disabled accounts and also signed in successfully to another account. To use this analytics rule, make sure you have deployed the ASIM normalization parsers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Persistence | T1078 Valid Accounts, T1098 Account Manipulation |
| Privilege Escalation | T1078 Valid Accounts, T1098 Account Manipulation |
| Defense Evasion | T1078 Valid Accounts |
Event coverage
| Provider | Event ID | Title |
|---|---|---|
| Security-Auditing | 4624 | An account was successfully logged on. |
| Security-Auditing | 4625 | An account failed to log on. |
| Security-Auditing | 4634 | An account was logged off. |
Stages and Predicates
Stage 1: source
imAuthentication
Stage 2: where
EventResult eq "Failure"
Stage 3: where
EventResultDetails eq "User disabled"
Stage 4: summarize
Stage 5: sort
Stage 6: join
Stage 7: where
successfulAccountSigninCount is_not_null
Stage 8: project
Stage 9: sort
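The nine stages above, written out as a single KQL pipeline. This is an added illustration, not the catalog's or the rule's own query text; the ASIM Authentication column names SrcDvcIpAddr, TargetUsername, TargetUserId and TargetAppName and the one-day lookback are assumptions.

```kusto
// Added reconstruction of the listed stages; column names and lookback are assumptions.
let lookback = 1d;
// Stages 1-3: sign-ins rejected because the target account is disabled
let disabledAttempts = imAuthentication
    | where TimeGenerated > ago(lookback)
    | where EventResult == "Failure"
    | where EventResultDetails == "User disabled"
    // Stage 4: one row per source IP with counts and the set of disabled accounts probed
    | summarize
        StartTime = min(TimeGenerated),
        EndTime = max(TimeGenerated),
        disabledAccountLoginAttempts = count(),
        disabledAccountsTargeted = dcount(TargetUserId),
        disabledAccountSet = make_set(TargetUsername, 100),
        applicationSet = make_set(TargetAppName, 100)
        by SrcDvcIpAddr
    // Stage 5: noisiest sources first
    | sort by disabledAccountLoginAttempts desc;
// Right side of Stage 6: successful sign-ins per source IP in the same window
let successfulSignins = imAuthentication
    | where TimeGenerated > ago(lookback)
    | where EventResult == "Success"
    | summarize
        successfulAccountSigninCount = count(),
        successfulAccountSigninSet = make_set(TargetUsername, 100)
        by SrcDvcIpAddr;
disabledAttempts
// Stage 6: leftouter keeps every IP that hit disabled accounts; unmatched rows get a null count
| join kind=leftouter successfulSignins on SrcDvcIpAddr
// Stage 7: keep only IPs that also signed in successfully somewhere
| where isnotnull(successfulAccountSigninCount)
// Stage 8: analyst-facing columns
| project StartTime, EndTime, IPAddress = SrcDvcIpAddr,
    disabledAccountLoginAttempts, disabledAccountsTargeted, disabledAccountSet, applicationSet,
    successfulAccountSigninCount, successfulAccountSigninSet
// Stage 9: final ordering
| sort by disabledAccountLoginAttempts desc
```

The success-side summarize deliberately has no EventResultDetails filter, so a single valid sign-in from an IP that was otherwise probing disabled accounts is enough to surface it; tune the lookback to the volume of the tenant.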
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
| EventResult | eq | Failure |
| EventResultDetails | eq | User disabled |