Query Details

Rule : Privileged Account Successful Sign-in from New ASN

Adminsignsinfronnewnetwork

Query

let admins=(IdentityInfo
| where AssignedRoles contains "admin" or GroupMembership has "Admin"
| summarize by tolower(AccountUPN));
//admins
let known_asns = (
SigninLogs
| where TimeGenerated between(ago(14d)..ago(1d))
| where ResultType == 0
| summarize by AutonomousSystemNumber);
//known_asns
SigninLogs
| where TimeGenerated > ago(1d)
| where ResultType == 0
| where tolower(UserPrincipalName) in (admins)
| where AutonomousSystemNumber !in (known_asns)
| project-reorder TimeGenerated, UserPrincipalName, UserAgent, IPAddress, AutonomousSystemNumber
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])

About this query

Rule : Privileged Account Successful Sign-in from New ASN

Description

That is useful for identifying suspicious admin access from a new network provider.

Detection Logic

  • Creates a list of all admin users
  • creates alist of all the ASNs used by the users in past 13 days
  • check if any new ASNs are there for any privilages user today which was not seen before

Tags

  • Privilege Escalation
  • Suspicious Activity

Search Query

References

Explanation

This query is designed to detect potentially suspicious activity by identifying privileged accounts (such as admin users) that have successfully signed in from a new network provider, which is represented by an Autonomous System Number (ASN). Here's a simplified breakdown of what the query does:

  1. Identify Admin Users: The query first creates a list of all users with admin roles by checking if their assigned roles or group memberships include "admin".

  2. Collect Known ASNs: It then gathers a list of all ASNs (network providers) that these admin users have used in the past 13 days for successful sign-ins.

  3. Detect New ASNs: The query checks for any successful sign-ins by these admin users in the last day (24 hours) from ASNs that were not seen in the previous 13 days.

  4. Output Details: For any such sign-ins from new ASNs, the query outputs details including the time of sign-in, user principal name, user agent, IP address, and the new ASN. It also extracts and displays the account name and domain from the user principal name.

This detection logic is useful for identifying potential privilege escalation or suspicious activity by highlighting admin access from unfamiliar network providers.

Details

Ali Hussein profile picture

Ali Hussein

Released: July 2, 2026

Tables

IdentityInfoSigninLogs

Keywords

IdentityInfoSigninLogsAccountUPNUserPrincipalNameAutonomousSystemNumberTimeGeneratedUserAgentIPAddressAccountNameAccountUPNSuffix

Operators

letcontainsorhassummarizetolowerbetweenagoin!inproject-reorderextendtostringsplit

Actions

GitHub