Query Details

Potential False Positives Related To Anomalous Token Alerts

Query

**Detecting Potential False Positives related to 'Anomalous Token' alerts**

**Description:** We are in the vacation period, so it is more than normal that our users connect from different or unusual countries, and the new locations trigger new tickets. However, verifying every alert to ensure that there is no malicious or suspicious action behind it is time consuming.
Based on this approach, I decided to verify whether, from the new country reported by a new "Anomalous Token" ticket, the affected user has been able to sign in successfully using MFA.

```kusto
// CountryCodes: list of country names and their codes, used to map the sign-in country name to a code
let CountryList = externaldata(Country:string, Code:string)
[h@'https://raw.githubusercontent.com/Sergio-Albea-Git/-Defender-XDR-/main/Security-Lists/country_list.csv'] with (format="csv", ignoreFirstRecord=true, delimiter=",");
AlertEvidence
| where Timestamp > ago(1d)
| where Title has "Anomalous Token"
// joining the sign-in table to verify whether the user has signed in from the reported country
| join kind=inner (AADSignInEventsBeta) on $left.AccountUpn == $right.AccountUpn
// resolve the sign-in country from the sign-in IP address
| extend CountrySigned = geo_info_from_ip_address(IPAddress).country
// keep only sign-ins that satisfied MFA
| where AuthenticationRequirement has "multiFactorAuthentication"
| extend DFXDR_Alerted_Country = Country
| extend Country_User_Sign_in = tostring(CountrySigned)
// map the sign-in country name to its country code
| join kind=inner (CountryList) on $left.Country_User_Sign_in == $right.Country
// new column: FP when the alerted country code and the MFA sign-in country code are the same, otherwise Review
| extend FalsePositive = iff(DFXDR_Alerted_Country == Code, "FP", "Review")
| summarize by AccountUpn, FalsePositive, Country_User_Sign_in, Code, DFXDR_Alerted_Country, AuthenticationRequirement
| order by AccountUpn
```

Explanation

This query is designed to help identify potential false positives in "Anomalous Token" alerts during a vacation period when users might be logging in from unusual locations. Here's a simplified breakdown of what the query does:

  1. Load Country Codes: It loads a list of country codes from an external CSV file.
  2. Filter Alerts: It filters alerts from the last day that have the title "Anomalous Token".
  3. Join Sign-In Data: It joins these alerts with sign-in events to check if the user has successfully signed in from the reported country using Multi-Factor Authentication (MFA).
  4. Determine Country: It determines the country from which the user signed in based on their IP address.
  5. Match Countries: It matches the country from the sign-in event with the country code list.
  6. Identify False Positives: It creates a new column to mark alerts as "False Positive" (FP) if the alerted country and the sign-in country match, otherwise it marks them for "Review".
  7. Summarize Results: It summarizes the results by user, indicating whether each alert is a false positive or needs review, and orders the results by user.

In essence, the query helps to quickly identify which "Anomalous Token" alerts can be considered false positives because the user successfully signed in from the reported country using MFA, thus reducing the time needed to manually verify each alert.
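The classification the query performs, reproduced over constructed AlertEvidence and AADSignInEventsBeta rows as an added Python example (not the page's query or any Microsoft code): it mirrors the title filter, the UPN join, the MFA requirement and the name-to-code match, and goes one step further than the query by requiring the MFA sign-in to have succeeded (ErrorCode 0) and to fall within a window around the alert, since the query itself joins sign-ins of any age. The country table, account names and timestamps are constructed, and the alerted country is assumed to be a two-letter code, as the query's comparison with Code implies.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Stand-in for the page's country_list.csv (constructed subset, assumption).
COUNTRY_CODES = {"Spain": "ES", "Germany": "DE", "United States": "US"}

# Relevant fields of an AlertEvidence row: country is the alerted country as a two-letter
# code, which is what the query's DFXDR_Alerted_Country == Code comparison assumes.
Alert = namedtuple("Alert", "account_upn title country timestamp")
# Relevant fields of an AADSignInEventsBeta row: country is the name that
# geo_info_from_ip_address(IPAddress).country yields; error_code 0 means success.
SignIn = namedtuple("SignIn", "account_upn country auth_requirement error_code timestamp")

def triage(alerts, signins, window_days=1):
    """Mirror the query: an 'Anomalous Token' alert is 'FP' when the same user has an MFA
    sign-in whose geo-located country maps to the alerted code, otherwise 'Review'.
    Two tightenings the page's query does not apply: the sign-in must have succeeded
    (error_code == 0) and fall within +/- window_days of the alert, so a months-old
    MFA sign-in from that country does not clear a fresh alert."""
    window = timedelta(days=window_days)
    verdicts = {}
    for a in alerts:
        if "Anomalous Token" not in a.title:        # | where Title has "Anomalous Token"
            continue
        verdict = "Review"
        for s in signins:                           # join on AccountUpn
            if s.account_upn != a.account_upn or s.error_code != 0:
                continue
            if "multiFactorAuthentication" not in s.auth_requirement:
                continue
            if abs(s.timestamp - a.timestamp) > window:
                continue
            if COUNTRY_CODES.get(s.country) == a.country:   # name -> code, compare with alert
                verdict = "FP"
                break
        verdicts[(a.account_upn, a.country)] = verdict
    return verdicts

# Constructed sample rows (not real tenant data).
T0 = datetime(2024, 8, 13, 9, 0)
SAMPLE_ALERTS = [
    Alert("alice@example.com", "Anomalous Token", "ES", T0),
    Alert("bob@example.com", "Anomalous Token", "DE", T0),
    Alert("carol@example.com", "Anomalous Token", "US", T0),
    Alert("dave@example.com", "Suspicious inbox rule", "FR", T0),   # not an Anomalous Token alert
]
SAMPLE_SIGNINS = [
    SignIn("alice@example.com", "Spain", "multiFactorAuthentication", 0, T0 + timedelta(hours=2)),
    SignIn("bob@example.com", "Germany", "singleFactorAuthentication", 0, T0 + timedelta(hours=1)),
    SignIn("carol@example.com", "United States", "multiFactorAuthentication", 0, T0 - timedelta(days=10)),
]
```

Alice's alert is cleared by a same-day MFA sign-in from Spain, Bob's stays under review because his sign-in was single-factor, and Carol's stays under review because her only MFA sign-in from the US is ten days old; widening the window to 30 days would clear it.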

Details


Sergio Albea

Released: August 13, 2024

Tables

CountryCodes, AlertEvidence, AADSignInEventsBeta

Keywords

Alerts, Users, Countries, Authentication

Operators

let, externaldata, h@, with, format, ignoreFirstRecord, delimiter, where, ago, has, join, kind, on, extend, geo_info_from_ip_address, tostring, iff, summarize, by, order
