Condition Logic Issue | Anomalous Sign-in Activity #11046

Closed
geopd opened this issue Aug 29, 2024 · 8 comments · Fixed by #11166
Labels: Hunting (Hunting specialty review needed)

Comments

geopd commented Aug 29, 2024

Issue:

The query SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != "none" has a logical flaw that could lead to unintended results and potential false positives.


Condition 1: Status.errorCode == 0:

  • This part of the query will include all records where the sign-in attempt was successful (errorCode is 0).

OR

Condition 2: Status.errorCode == 0 and RiskDetail != "none":

  • This condition filters for successful sign-ins where the RiskDetail is something other than "none".

Kindly update the query logic to reflect the proper changes.

SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none"

v-rusraut added the Hunting (Hunting specialty review needed) label Aug 30, 2024

geopd commented Sep 3, 2024

Hi @v-rusraut and @v-sudkharat, I hope you have looked into the logical flaw raised in the Hunting queries.

geopd closed this as completed Sep 3, 2024
geopd reopened this Sep 3, 2024
v-rusraut (Contributor) commented

Hi @geopd, thanks for flagging this issue. We will investigate it and get back to you with some updates. Thanks!

v-rusraut (Contributor) commented

Hi @geopd, to reproduce the issue, please share sample logs from the SigninLogs table by email to [email protected].
Thanks

v-rusraut (Contributor) commented

Hi @geopd, we are waiting for sample logs.
Thanks


geopd commented Sep 19, 2024

Hi @v-rusraut, As SigninLogs contain sensitive data, I am unable to share them. However, the logs are not needed in this case, as the issue lies in the duplicated segment: "Status.errorCode == 0 or".

The logic should be updated to match logins with associated risk details:

(Status.errorCode == 0 and RiskDetail != "none").

Currently, if "Status.errorCode == 0 or" is used, all logins with 'BehaviorAnalytics' detections will be triggered. In contrast, updating the logic to "Status.errorCode == 0 and RiskDetail != "none"" will only match sign-ins that have 'BehaviorAnalytics' detections and risk details from SigninLogs.

Hence, the false positives will be greatly reduced if the above-mentioned change is implemented.


v-rusraut commented Sep 19, 2024

Hi @geopd, if you are getting the expected result with the query below, then we can fix this issue and update the package.

BehaviorAnalytics
| where ActionType =~ "Sign-in"
| where UsersInsights.IsNewAccount == True or UsersInsights.IsDormantAccount == True or ActivityInsights has "True"
| join kind = inner (
    // Only successful sign-ins that carry a risk detail (the duplicated "or" clause is gone)
    SigninLogs | where Status.errorCode == 0 and RiskDetail !~ "none"
) on $left.SourceRecordId == $right._ItemId
| extend UserPrincipalName = iff(UserPrincipalName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserPrincipalName),
    UserName = iff(UserName has "#EXT#",replace_string(tostring(split(UserPrincipalName, "#")[0]),"_","@"),UserName)
| project TimeGenerated, UserName, UserPrincipalName, UsersInsights, ActivityType, ActionType, ["Evidence"]=ActivityInsights, ResourceDisplayName, AppDisplayName, SourceIPAddress, SourceIPLocation, SourceDevice, DevicesInsights, ResourceId
| extend Name=tostring(split(UserPrincipalName, "@")[0]), UPNSuffix=tostring(split(UserPrincipalName, "@")[1])
| extend Account_0_Name = Name
| extend Account_0_UPNSuffix = UPNSuffix
| extend IP_0_Address = SourceIPAddress
| extend AzureResource_0_ResourceId = ResourceId

Please let us know if you are getting expected result.
Thanks
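The precedence problem geopd describes in the opening report, and the corrected join v-rusraut posted above, can both be checked offline without any real SigninLogs data. The following Python is an added example, not code from the Azure-Sentinel repository or from either participant: it re-implements the two `where` predicates and the `join kind=inner` from the hunting query over a handful of constructed rows. It relies on three KQL facts: `and` binds tighter than `or`, so `A or A and B` parses as `A or (A and B)` and reduces to `A`; `!=` compares case-sensitively while `!~` is case-insensitive; and an inner join keeps only key matches. Table and column names follow the issue, the `has "True"` test is approximated with a substring check, and every row value is made up for illustration (the capitalised "None" on one row exists only to show the `!=` / `!~` difference, not as a claim about what Entra emits).

```python
"""Added example: simulates the SigninLogs predicates and the
BehaviorAnalytics join from the hunting query on constructed rows.
Not code from the Azure-Sentinel repository or from this issue thread.
"""


def kql_ne(a, b):
    """KQL `!=`: case-sensitive string inequality."""
    return a != b


def kql_ne_ci(a, b):
    """KQL `!~`: case-insensitive string inequality."""
    return a.lower() != b.lower()


def original_predicate(row):
    """`Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail !~ "none"`
    with the parentheses KQL precedence implies: A or (A and B), i.e. just A."""
    a = row["Status"]["errorCode"] == 0
    b = kql_ne_ci(row["RiskDetail"], "none")
    return a or (a and b)


def fixed_predicate(row, case_insensitive=True):
    """`Status.errorCode == 0 and RiskDetail !~ "none"` (the merged fix), or the
    `!=` variant from the first comment when case_insensitive=False."""
    a = row["Status"]["errorCode"] == 0
    differs = kql_ne_ci if case_insensitive else kql_ne
    return a and differs(row["RiskDetail"], "none")


def inner_join(left, right, left_key, right_key):
    """Minimal `join kind=inner ... on $left.<left_key> == $right.<right_key>`."""
    index = {}
    for r in right:
        index.setdefault(r[right_key], []).append(r)
    return [{**r, **l} for l in left for r in index.get(l[left_key], [])]


def hunt(signin_rows, behavior_rows, signin_pred):
    """BehaviorAnalytics filter from the query, then the join against the
    filtered SigninLogs.  Returns the matched SigninLogs _ItemId values.
    `ActivityInsights has "True"` is approximated with a substring test."""
    ba = [
        r for r in behavior_rows
        if r["ActionType"].lower() == "sign-in"
        and (r["UsersInsights"]["IsNewAccount"]
             or r["UsersInsights"]["IsDormantAccount"]
             or "True" in r["ActivityInsights"])
    ]
    joined = inner_join(ba, [r for r in signin_rows if signin_pred(r)],
                        "SourceRecordId", "_ItemId")
    return sorted(r["_ItemId"] for r in joined)


# Constructed SigninLogs rows (illustrative values, not real tenant data).
# s4's "None" capitalisation is deliberate, to expose the `!=` / `!~` gap.
SIGNIN_LOGS = [
    {"_ItemId": "s1", "Status": {"errorCode": 0}, "RiskDetail": "none"},
    {"_ItemId": "s2", "Status": {"errorCode": 0},
     "RiskDetail": "adminConfirmedSigninCompromised"},
    {"_ItemId": "s3", "Status": {"errorCode": 50126}, "RiskDetail": "none"},
    {"_ItemId": "s4", "Status": {"errorCode": 0}, "RiskDetail": "None"},
]

# Constructed BehaviorAnalytics rows, one per sign-in, each carrying some
# UEBA insight so that the SigninLogs filter alone decides the outcome.
BEHAVIOR_ANALYTICS = [
    {"SourceRecordId": "s1", "ActionType": "Sign-in",
     "UsersInsights": {"IsNewAccount": True, "IsDormantAccount": False},
     "ActivityInsights": '{"FirstTimeUserConnectedFromCountry":"True"}'},
    {"SourceRecordId": "s2", "ActionType": "Sign-in",
     "UsersInsights": {"IsNewAccount": False, "IsDormantAccount": True},
     "ActivityInsights": "{}"},
    {"SourceRecordId": "s3", "ActionType": "Sign-in",
     "UsersInsights": {"IsNewAccount": True, "IsDormantAccount": False},
     "ActivityInsights": "{}"},
    {"SourceRecordId": "s4", "ActionType": "Sign-in",
     "UsersInsights": {"IsNewAccount": False, "IsDormantAccount": False},
     "ActivityInsights": '{"FirstTimeUserUsedApp":"True"}'},
]


if __name__ == "__main__":
    print("original :", hunt(SIGNIN_LOGS, BEHAVIOR_ANALYTICS, original_predicate))
    print("fixed !~ :", hunt(SIGNIN_LOGS, BEHAVIOR_ANALYTICS, fixed_predicate))
    print("fixed != :", hunt(SIGNIN_LOGS, BEHAVIOR_ANALYTICS,
                             lambda r: fixed_predicate(r, case_insensitive=False)))
```

Running it shows the original predicate returning every successful sign-in with a UEBA insight (s1, s2, s4), exactly the false-positive set geopd describes, while the merged `and ... !~ "none"` form returns only s2. The `!=` variant additionally keeps s4 because the comparison is case-sensitive, which is why the case-insensitive `!~` in the final query is the safer choice for a string column like RiskDetail.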

v-rusraut (Contributor) commented

Hi @geopd,
We are waiting for your response.
Thanks

v-rusraut linked a pull request Sep 24, 2024 that will close this issue
v-rusraut (Contributor) commented

Hi @geopd,
We have updated the query and already raised a PR; the changes will be available in the solution soon. We are closing this issue on GitHub. If you still need support for this issue, feel free to re-open it at any time. Thank you for your co-operation.
