Anomalous sign-in location by user account and authenticating application

Status: available
Severity: medium
Time window: 7d
Group by: AppDisplayName, AppId, CountOfLocations, TimeGenerated, UserId, UserPrincipalName
Source: github.com/Azure/Azure-Sentinel

'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.

MITRE ATT&CK coverage

Tactic	Techniques
Initial Access	`T1078` Valid Accounts

Rules detecting the same action

Other rules on this platform that filter on the same API call or operation.

Anomalous Single Factor Signin (Kusto)
Authentications of Privileged Accounts Outside of Expected Controls (Kusto)
Azure Many Failed SignIns (Panther)
Azure Portal sign in from another Azure Tenant (Kusto)
Azure Service Principal Sign-In Followed by Arc Cluster Credential Access (Elastic)
Azure SignIn via Legacy Authentication Protocol (Panther)
Detect non-admin requesting token for admin applications (Kusto)
Discovery Using AzureHound (Sigma)

Rule body kusto

id: 7cb8f77d-c52f-4e46-b82f-3cf2e106224a
name: Anomalous sign-in location by user account and authenticating application
description: |
  'This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an individual application.
severity: Medium
requiredDataConnectors:
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 7d
triggerOperator: gt
triggerThreshold: 0
status: Available
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  // Adjust this figure to adjust how sensitive this detection is
  let sensitivity = 2.5;
  // Adjust this figure to set the value that defines the requested estimation accuracy. The default value is 1. Possible values are 0, 1, 2, 3, 4.
  let dcountAccuracy = 1;
  let AuthEvents = materialize(
  union isfuzzy=True SigninLogs, AADNonInteractiveUserSignInLogs
  | where TimeGenerated between (ago(7d) .. now())
  | where ResultType == 0
  | extend LocationDetails = LocationDetails_dynamic
  | extend Location = strcat(LocationDetails.countryOrRegion, "-", LocationDetails.state,"-", LocationDetails.city)
  | where Location != "--");
  AuthEvents
  | summarize dcount(Location, dcountAccuracy) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d)
  | where dcount_Location > 2
  | make-series CountOfLocations = sum(dcount_Location) on TimeGenerated  step 1d by AppId, UserId
  | extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit')
  | mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long)
  | where Anomalies > 0 and Baseline > 0
  | join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId
  | extend SignInDetails = bag_pack("TimeGenerated", TimeGenerated1, "Location", Location, "Source", IPAddress, "Device", DeviceDetail_dynamic)
  | summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName
  | extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: Name
      - identifier: UPNSuffix
        columnName: UPNSuffix
  - entityType: Account
    fieldMappings:
      - identifier: AadUserId
        columnName: UserId   
eventGroupingSettings:
  aggregationKind: SingleAlert
customDetails:
  Application: AppDisplayName
alertDetailsOverride:
  alertDisplayNameFormat: Anomalous sign-in location by {{UserPrincipalName}} to {{AppDisplayName}}
  alertDescriptionFormat: |
    This query over Microsoft Entra ID sign-in considers all user sign-ins for each Microsoft Entra ID application and picks out the most anomalous change in location profile for a user within an
    individual application. This has detected {{UserPrincipalName}} signing into {{AppDisplayName}} from {{CountOfLocations}} 
    different locations.
version: 2.0.5
kind: Scheduled

Stages and Predicates

Parameters

let sensitivity = 2.5;
let dcountAccuracy = 1;

union `isfuzzy=True` (2 sources)

Each leg below queries one source; the rule matches if any leg does. Sources: SigninLogs, AADNonInteractiveUserSignInLogs

Leg 1: `SigninLogs`

Leg 2: `AADNonInteractiveUserSignInLogs`

Applied to the combined result

| where TimeGenerated between (ago(7d) .. now()) | where ResultType == 0 | extend LocationDetails = LocationDetails_dynamic | extend Location = strcat(LocationDetails.countryOrRegion, "-", LocationDetails.state,"-", LocationDetails.city) | where Location != "--" | summarize dcount(Location, dcountAccuracy) by AppDisplayName, AppId, UserPrincipalName, UserId, bin(startofday(TimeGenerated), 1d) | where dcount_Location > 2 | make-series CountOfLocations = sum(dcount_Location) on TimeGenerated  step 1d by AppId, UserId | extend (Anomalies, Score, Baseline) = series_decompose_anomalies(CountOfLocations, sensitivity, -1, 'linefit') | mv-expand CountOfLocations to typeof(double), TimeGenerated to typeof(datetime), Anomalies to typeof(double), Score to typeof(double), Baseline to typeof(long) | where Anomalies > 0 and Baseline > 0 | join kind=inner( AuthEvents | extend TimeStamp = startofday(TimeGenerated)) on UserId, AppId | extend SignInDetails = bag_pack("TimeGenerated", TimeGenerated1, "Location", Location, "Source", IPAddress, "Device", DeviceDetail_dynamic) | summarize SignInDetailsSet=make_set(SignInDetails, 1000) by UserId, UserPrincipalName, CountOfLocations, TimeGenerated, AppId, AppDisplayName | extend Name = split(UserPrincipalName, "@")[0], UPNSuffix = split(UserPrincipalName, "@")[1]

Indicators

Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.

Field	Kind	Values
`Anomalies`	gt	`0` transforms: `cased`
`Baseline`	gt	`0` transforms: `cased`
`Location`	ne	`--` transforms: `cased`
`ResultType`	eq	`0` transforms: `cased`
`dcount_Location`	gt	`2` transforms: `cased`

Output fields

Fields the rule emits when it matches. Chronicle authors list these in the outcome block; they appear on the detection and $risk_score drives alerting. Sentinel / Defender XDR rules build them up through project / summarize / extend stages. Sentinel maps these into alert fields via entityMappings and customDetails; Defender XDR custom detections surface them as alert fields directly.

Field	Source
`AppDisplayName`	`summarize`
`AppId`	`summarize`
`CountOfLocations`	`summarize`
`SignInDetailsSet`	`summarize`
`TimeGenerated`	`summarize`
`UserId`	`summarize`
`UserPrincipalName`	`summarize`
`Name`	`extend`
`UPNSuffix`	`extend`

`j` / `k`	Scroll down / up
`d` / `u`	Half-page down / up
`gg` / `G`	Top / bottom
`h` / `l`	History back / forward
`f`	Follow link (`Shift` = new tab)
`/`	Focus search
`?`	Toggle this help
`↑` / `↓`	Navigate search results
`Enter`	Open highlighted result
`Esc`	Close results / dialog

`type:`	`events` / `rules` / `providers`
`vendor:`	`sigma` / `elastic` / `splunk` / `kusto` / `chronicle` (vendor name alone also works: `sigma:`, `kql:`, `secops:`…)
`tactic:`	TA-id, slug, or name: `credential_access`, `TA0006`
`technique:`	technique or sub-technique ID: `T1003`, `T1003.001` (alias `tech:`)
`severity:`	`critical` / `high` / `medium` / `low` / `informational` (alias `sev:`)
`risk_score`	Numeric comparison on the Elastic risk score (0 to 100): `risk_score>50`, `risk_score<=20`, `risk_score=99` (alias `risk`; Elastic rules only)
`stages:`	Rules with exactly N pipeline stages
`correlation:`	`single_event` / `sequence` / `alternatives` / `alternatives_cross_log` / `all_required` / `correlated`
`with:`	Co-occurrence event-id; stacks (`with:4624 with:4769`) to require all, while a comma list in one occurrence (`with:4624,4769`) is an either-or group. Implies multi-event
`like:`	Structural neighbors of a rule slug (equivalents + subsumption stricter / broader): `like:comsvcs_lsass_memory_dump-splunk-sysmon`
`groupby:`	Entity-grouping substring match against `group_by_keys`: `groupby:user`, `groupby:host`
`uses:`	Rules whose predicate tree touches the field (any kind, any value): `uses:CommandLine`
`excludes:`	Rules with top-level `not()` clauses on the field (FP whitelists): `excludes:ParentImage`
`field:` / `value:`	Predicate search; narrows rule cards to those with a matching leaf and drives the indicator tier. Unquoted = substring, wildcards allowed (`value:mimikatz`)
`indicator:`	Shorthand for `field:F value:V`: `indicator:Image=*\powershell.exe`
`kind:`	Filter by predicate kind. Narrows rule cards to those carrying a matching predicate leaf (`vendor:elastic kind:cidr_match`) and drives the indicator tier: `contains` / `starts_with` / `ends_with` / `regex` / `cidr` / `eq` / `in` … (operator aliases `op:`/`match:`)
`has:` / `no:`	`sample`, `field`, `notes`, `refs`, `trace`, `thirdparty`, `rule`, `pattern`, `timewindow`, `threshold`, `newterms`, `sigma`/`elastic`/`splunk`/`kusto`/`chronicle`
`-op:val`	Exclude matches; works on most operators but not `type:`/`like:`/`has:`/`no:` (use `no:<flag>` to exclude a rule flag): `tactic:execution -vendor:splunk`. Standalone `-kind:`/`-field:`/`-value:` drop every rule carrying a matching predicate leaf (`type:rules -kind:is_null`)
`field:"…"` / `value:"…"`	Quoted value = anchored exact match (also allows spaces): `value:"net user"`
`a,b`	Comma = OR inside one operator (`vendor:sigma,elastic`, `severity:high,critical`); repeating a facet merges the same way. `field:`/`value:` never split (literal commas)
`vendors:` / `stage:`	Singular and plural spellings fold to the canonical operator and value: `tactics:` = `tactic:`, `type:event` = `type:events`, `correlation:sequences` = `correlation:sequence`, `has:thresholds` = `has:threshold`
`"quoted phrase"`	Exact-match a multi-word phrase (free text)

Anomalous sign-in location by user account and authenticating application

MITRE ATT&CK coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

union `isfuzzy=True` (2 sources)

Leg 1: `SigninLogs`

Leg 2: `AADNonInteractiveUserSignInLogs`

Applied to the combined result

Indicators

Output fields

Keyboard shortcuts

Search operators

Anomalous sign-in location by user account and authenticating application

MITRE ATT&CK coverage

Rules detecting the same action

Rule body kusto

Stages and Predicates

Parameters

union isfuzzy=True (2 sources)

Leg 1: SigninLogs

Leg 2: AADNonInteractiveUserSignInLogs

Applied to the combined result

Indicators

Output fields

union `isfuzzy=True` (2 sources)

Leg 1: `SigninLogs`

Leg 2: `AADNonInteractiveUserSignInLogs`