AWallace-5887 asked RaghavendraNarasegowda-1715 commented

Out of the Box "Sign-ins from IPs that attempt sign-ins to disabled accounts" Analytic: Unexplained Result

We are using the out of the box "Sign-ins from IPs that attempt sign-ins to disabled accounts" analytic provided by Microsoft.

Some of the resulting incidents make sense. For example, a user is returning from LOA. They try to log in but their account has not yet been re-enabled. They call the Service Desk. It gets re-enabled. They log in.

Others do not seem to make sense. The account is disabled because the user is no longer with the company. We can see in ADAudit that the account in the Event details was not re-enabled after their disablement. Also, Azure AD's sign-ins show no successful logon after the failed logon when filtering by the IP in the alert. The only thing I can think of is maybe one last successful logon to their end user devices where their password is cached, but I am not certain where to look to prove that out.

Questions:
1. Where do I see more about that success that Sentinel is alerting on?
2. Has anyone experienced this with the out of the box "Sign-ins from IPs that attempt sign-ins to disabled accounts" analytic? Is there something I am overlooking, or does the analytic have a bug built into the query that I need to correct?

microsoft-sentinel azure-ad-sign-in-logs
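For anyone puzzling over the same kind of result, here is an added example (not from the original post and not Microsoft's published rule) that models in Python how I understand the out-of-the-box analytic's correlation: it groups ResultType 50057 ("account disabled") failures by IP, then joins against successful sign-ins (ResultType 0) from the same IP by any account, and drops IPs that look like busy shared egress (100 or more distinct successful users). The column names mirror SigninLogs, the sample rows are constructed, and the exact threshold and join shape are my assumption about the rule, so compare against the KQL of the rule in your own workspace.

```python
from collections import defaultdict

# Constructed sample of SigninLogs rows (not real data). ResultType "50057" is
# "User account is disabled"; ResultType "0" is a successful sign-in.
SAMPLE_SIGNIN_LOGS = [
    {"TimeGenerated": "2021-03-02T19:19:57Z", "UserPrincipalName": "former.employee@example.com",
     "IPAddress": "203.0.113.10", "AppDisplayName": "Microsoft Teams", "ResultType": "50057"},
    {"TimeGenerated": "2021-03-02T19:25:00Z", "UserPrincipalName": "colleague@example.com",
     "IPAddress": "203.0.113.10", "AppDisplayName": "Office 365 Exchange Online", "ResultType": "0"},
    {"TimeGenerated": "2021-03-02T20:00:00Z", "UserPrincipalName": "former.employee@example.com",
     "IPAddress": "198.51.100.7", "AppDisplayName": "Microsoft Teams", "ResultType": "50057"},
]


def correlate_disabled_account_signins(rows, safe_ip_user_threshold=100):
    """Model (assumed, not the rule's own code) of the analytic's join:
    IPs with failed sign-ins to disabled accounts that also have at least one
    successful sign-in by ANY account, excluding IPs with >= threshold distinct
    successful users (treated as shared/safe egress)."""
    disabled = defaultdict(lambda: {"attempts": 0, "accounts": set(), "apps": set()})
    successes = defaultdict(set)
    for r in rows:
        if r["ResultType"] == "50057":
            d = disabled[r["IPAddress"]]
            d["attempts"] += 1
            d["accounts"].add(r["UserPrincipalName"])
            d["apps"].add(r["AppDisplayName"])
        elif r["ResultType"] == "0":
            successes[r["IPAddress"]].add(r["UserPrincipalName"])

    results = []
    for ip, d in disabled.items():
        ok_users = successes.get(ip, set())
        # leftouter join + isnotempty() filter, then the "safe IP" cutoff
        if not ok_users or len(ok_users) >= safe_ip_user_threshold:
            continue
        results.append({
            "IPAddress": ip,
            "disabledAccountLoginAttempts": d["attempts"],
            "disabledAccountSet": sorted(d["accounts"]),
            "applicationSet": sorted(d["apps"]),
            "successfulAccountSigninCount": len(ok_users),
            "successfulAccountSigninSet": sorted(ok_users),
        })
    return results


if __name__ == "__main__":
    for hit in correlate_disabled_account_signins(SAMPLE_SIGNIN_LOGS):
        print(hit)
```

Note that in this model the success that satisfies the join can belong to a different user on the same IP (a colleague behind the same NAT, for instance), which is why filtering sign-ins by the disabled UPN alone may not show it; filter SigninLogs by IPAddress and ResultType == 0 across all users instead.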

How long was the account disabled for and how long after did the alert show up?

You should be able to view the details in the audit log itself. I'm checking with the Sentinel team to see if anyone else has experienced this.


Thank you. The user was disabled by an admin on Mar 02, 2021 at 01:03:04 PM. Per ADAudit, the account was not enabled after that. Based on the event, on 3/2/2021 at 7:19:57.568 PM, someone tried to log into Microsoft Teams as the user from their area of town - probably them before turning off their computer one last time. After that, I could find no successful logon attempts from the IP with the failure or for that user ID from any other IP.


0 Answers