Condition Logic Issue | Anomalous Sign-in Activity #11046
Comments
Hi @v-rusraut and @v-sudkharat, I hope that you have looked into the logical flaw raised in the Hunting queries.
Hi @geopd, Thanks for flagging this issue, we will investigate this issue and get back to you with some updates. Thanks!
Hi @geopd, to reproduce the issue please share sample logs from the SigninLogs table by email to: [email protected].
Hi @geopd, we are waiting for sample logs.
Hi @v-rusraut, As SigninLogs contain sensitive data, I am unable to share them. However, the logs are not needed in this case, as the issue lies in the duplicated segment: 'Status.errorCode == 0 or'. The logic should be updated to match logins with associated risk details: (Status.errorCode == 0 and RiskDetail != "none"). Currently, if 'Status.errorCode == 0 or' is used, all logins with 'BehaviorAnalytics' detections will be triggered. In contrast, updating the logic to 'Status.errorCode == 0 and RiskDetail != "none"' will only match sign-ins that have 'BehaviorAnalytics' detections and risk details from SigninLogs. Hence, the false positives will be greatly reduced if the above-mentioned change is implemented.
Hi @geopd, if you are getting the expected result with the below query then we can fix this issue and will update the package.
Please let us know if you are getting the expected result.
Hi @geopd,
Issue:
The query `SigninLogs | where Status.errorCode == 0 or Status.errorCode == 0 and RiskDetail != "none"` has a logical flaw that could lead to unintended results and potential false positives.
Condition 1: `Status.errorCode == 0`
OR
Condition 2: `Status.errorCode == 0 and RiskDetail != "none"`
Kindly update the query logic to reflect the proper changes.
Azure-Sentinel/Solutions/UEBA Essentials/Hunting Queries/Anomalous Sign-in Activity.yaml
Line 25 in cc35701
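To make the precedence point concrete, here is an added Python simulation (not code from the Azure-Sentinel repository or from any participant in this thread) that evaluates both forms of the where clause over constructed SigninLogs-like rows. The column names follow the query; the user names and RiskDetail values are made-up sample data.

```python
"""Why `A or A and B` collapses to `A` in the Anomalous Sign-in Activity query.

In KQL, as in SQL and Python, `and` binds tighter than `or`, so the original
clause reads `errorCode == 0 or (errorCode == 0 and RiskDetail != "none")`,
which is satisfied by every successful sign-in regardless of RiskDetail.
"""
from itertools import product
from typing import Callable, Dict, List

# Constructed sample rows shaped like the SigninLogs columns the query touches.
SAMPLE_SIGNINS: List[Dict] = [
    {"UserPrincipalName": "alice@example.test", "Status": {"errorCode": 0},     "RiskDetail": "none"},
    {"UserPrincipalName": "bob@example.test",   "Status": {"errorCode": 0},     "RiskDetail": "aiConfirmedSigninSafe"},
    {"UserPrincipalName": "carol@example.test", "Status": {"errorCode": 50126}, "RiskDetail": "none"},
    {"UserPrincipalName": "dave@example.test",  "Status": {"errorCode": 0},     "RiskDetail": "adminConfirmedSigninCompromised"},
    {"UserPrincipalName": "erin@example.test",  "Status": {"errorCode": 50074}, "RiskDetail": "adminDismissedAllRiskForUser"},
]


def original_filter(row: Dict) -> bool:
    """The clause as reported in the issue, with KQL precedence made explicit."""
    success = row["Status"]["errorCode"] == 0
    risky = row["RiskDetail"] != "none"
    return success or (success and risky)


def fixed_filter(row: Dict) -> bool:
    """The clause the issue asks for: successful sign-ins that carry risk detail."""
    return row["Status"]["errorCode"] == 0 and row["RiskDetail"] != "none"


def matching_users(rows: List[Dict], predicate: Callable[[Dict], bool]) -> List[str]:
    """Return the UserPrincipalName of every row the predicate keeps."""
    return [r["UserPrincipalName"] for r in rows if predicate(r)]


def original_reduces_to_success_check() -> bool:
    """Exhaustive truth table: `A or (A and B)` equals `A` for all A, B."""
    return all((a or (a and b)) == a for a, b in product((False, True), repeat=2))


if __name__ == "__main__":
    print("original keeps:", matching_users(SAMPLE_SIGNINS, original_filter))
    print("fixed keeps:   ", matching_users(SAMPLE_SIGNINS, fixed_filter))
    print("original == errorCode==0 only:", original_reduces_to_success_check())
```

The original clause keeps alice, who has no risk detail at all, while the corrected clause keeps only bob and dave; that difference is the false-positive volume the issue describes.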