Rules: First Seen Successful Authentication From Unexpected Country
First Seen rule that triggers when there are at least two successful logins by the same user with different country codes, indicating possible credential theft. It is recommended to add filtering criteria to the expression to reduce false positives, such as known VPN addresses. (If performance degradation occurs, it is recommended to implement tuning around your expected network.)
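To make the rule's behaviour concrete, the following added example (not the product's own implementation) replays constructed authentication events through a per-entity First Seen baseline using the page's window sizes and normalized fields; the literal `normalizedAction`/`objectType` values, the `srcDevice_ip` field, and the VPN address list are assumptions.

```python
from collections import defaultdict

# Window sizes as stated on the page, in milliseconds.
BASELINE_WINDOW_MS = 3024000000   # 35 days
RETENTION_WINDOW_MS = 7776000000  # 90 days
DAY_MS = 86400000

# Assumed tuning list of known VPN egress addresses (placeholder values).
KNOWN_VPN_IPS = {"203.0.113.10"}

def matches(ev):
    """Match expression: successful, external authentication not from a known VPN.
    The literal values for normalizedAction/objectType are assumptions."""
    return (ev["normalizedAction"] == "logon"
            and ev["objectType"] == "Authentication"
            and ev["success"] is True
            and ev["srcDevice_ip_isInternal"] is False
            and ev.get("srcDevice_ip") not in KNOWN_VPN_IPS)

def first_seen_signals(events):
    """Replay events in time order, keep a per-user baseline of country codes,
    and emit a signal when a new country appears after the baseline window."""
    baseline_start = {}           # user -> ts of the first matching event
    seen = defaultdict(dict)      # user -> {countryCode: last_seen_ts}
    signals = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not matches(ev):
            continue
        user, cc, ts = ev["user_username"], ev["srcDevice_ip_countryCode"], ev["ts"]
        # Expire baseline entries that fall outside the retention window.
        seen[user] = {c: t for c, t in seen[user].items() if ts - t < RETENTION_WINDOW_MS}
        start = baseline_start.setdefault(user, ts)
        if ts - start >= BASELINE_WINDOW_MS and cc not in seen[user]:
            signals.append(f"First Seen Successful Authentication From Unexpected Country: {cc} for User: {user}")
        seen[user][cc] = ts
    return signals

def make_event(user, cc, day, ip="198.51.100.1", success=True, internal=False):
    """Build a constructed event carrying the normalized fields the rule reads."""
    return {"normalizedAction": "logon", "objectType": "Authentication", "success": success,
            "srcDevice_ip_isInternal": internal, "srcDevice_ip": ip,
            "srcDevice_ip_countryCode": cc, "user_username": user, "ts": day * DAY_MS}

# Constructed sample: alice is baselined from US, then appears from RO after the
# baseline window (signal); bob's RO login comes from the known VPN address
# (filtered); carol's DE login falls inside her baseline window (no signal).
SAMPLE_EVENTS = [
    make_event("alice", "US", 0), make_event("alice", "US", 10),
    make_event("alice", "RO", 40), make_event("alice", "RO", 41),
    make_event("bob", "US", 0), make_event("bob", "RO", 40, ip="203.0.113.10"),
    make_event("carol", "US", 0), make_event("carol", "DE", 20),
]
```

Running `first_seen_signals(SAMPLE_EVENTS)` yields a single signal for alice from RO; the second RO login is suppressed because the country is now part of her baseline.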
| Detail | Value |
|---|---|
| Type | First Seen |
| Category | Initial Access |
| Apply Risk to Entities | user_username |
| Signal Name | First Seen Successful Authentication From Unexpected Country: {{srcDevice_ip_countryCode}} for User: {{user_username}} |
| Summary Expression | First Seen successful authentication From unexpected country for user: {{user_username}} |
| Retention Window | 7776000000 |
| Baseline Window | 3024000000 |
| Baseline Type | PER_ENTITY |
| Score/Severity | Static: 2 |
| Enabled by Default | False |
| Prototype | False |
| Tags | _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0006, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1078.001, _mitreAttackTechnique:T1078.002, _mitreAttackTechnique:T1078.003, _mitreAttackTechnique:T1078.004, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1586.001, _mitreAttackTechnique:T1586.002 |
- Amazon AWS - CloudTrail
- Cisco Systems - ASA
- Cisco Systems - Identity Services Engine
- Citrix - ADC
- CrowdStrike - Falcon
- Duo Security - Multi-Factor Authentication (MFA)
- Fortinet - Fortigate
- Google - G Suite
- HP - Aruba ClearPass
- JFrog - Artifactory
- JumpCloud - IdP
- Linux - Linux OS Syslog
- Linux - Systemd Journal
- ManageEngine - adauditplus
- Microsoft - Azure
- Microsoft - Graph AD Reporting API
- Microsoft - Office 365
- Microsoft - Windows
- Okta - Single Sign-On
- OneLogin - OneLogin Single Sign-On
- Palo Alto Networks - GlobalProtect
- Palo Alto Networks - Next Generation Firewall
- PingIdentity - PingFederate
| Origin | Field |
|---|---|
| Normalized Schema | normalizedAction |
| Normalized Schema | objectType |
| Normalized Schema | srcDevice_ip_countryCode |
| Normalized Schema | srcDevice_ip_isInternal |
| Normalized Schema | success |
| Normalized Schema | user_username |