# Successful signin from new country
## Query Information
#### Description
This query detects successful sign-ins from countries that have not been seen in the tenant before. The baseline window depends on where you run it: the Microsoft 365 Defender version looks back 30 days (the advanced hunting retention limit) and the Sentinel version looks back 90 days (the default Sentinel retention). Both versions exclude the most recent 3 days from the baseline, so a country is flagged when it appears in the last 3 days but not in the preceding 27 or 87 days. If you have a longer retention period, use a longer baseline. Note that the baseline is tenant-wide: a country any user has previously signed in from successfully is treated as known for every user.
#### Risk
An adversary signs in to your Azure AD tenant from a country your users have not signed in from before.
## Defender For Endpoint
```KQL
// Baseline: countries seen in successful sign-ins between 30 and 3 days ago
let KnownCountries = AADSignInEventsBeta
| where Timestamp > ago(30d) and Timestamp < ago(3d)
// Only keep successful logins (ErrorCode 0); failed attempts should not make a country "known"
| where ErrorCode == 0
| where isnotempty(Country)
| distinct Country;
// Detection: successful sign-ins in the last 3 days from a country not in the baseline
AADSignInEventsBeta
| where Timestamp > ago(3d)
| where ErrorCode == 0
| where isnotempty(Country)
| where Country !in (KnownCountries)
| project Timestamp, Country, UserAgent, ErrorCode, AccountObjectId, AccountDisplayName, IPAddress
```
## Sentinel
```KQL
// Baseline: locations (two-letter country codes) seen in successful sign-ins between 90 and 3 days ago
let KnownCountries = SigninLogs
| where TimeGenerated > ago(90d) and TimeGenerated < ago(3d)
// Only keep successful logins (ResultType 0); failed attempts should not make a country "known"
| where ResultType == 0
| where isnotempty(Location)
| distinct Location;
// Detection: successful sign-ins in the last 3 days from a location not in the baseline
SigninLogs
| where TimeGenerated > ago(3d)
| where ResultType == 0
| where isnotempty(Location)
| where Location !in (KnownCountries)
| project TimeGenerated, Location, UserAgent, ResultType, Identity, UserPrincipalName, IPAddress
```
Both versions first build the list of countries seen in successful sign-ins during the baseline window (30 days for M365D, 90 days for Sentinel, excluding the last 3 days) and then return the successful sign-ins of the last 3 days whose country is not in that list. The M365D version returns the timestamp, country, user agent, error code, account object ID, account display name and IP address; the Sentinel version returns the timestamp, location, user agent, result type, identity, user principal name and IP address. Because the known-country list is not keyed by user, a sign-in from a country that any other account has already used successfully is not flagged; a per-user baseline catches that case at the cost of more noise from travelling users.
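The tenant-wide baseline above treats a country as known once any account has signed in from it. The following Sentinel variant is an added example, not part of the original query set: it keys the baseline per user with `summarize make_set()` and a `leftouter` join, so a user is flagged the first time they sign in from a country they personally have not used before. It assumes the same SigninLogs columns used above; the same change applies to the AADSignInEventsBeta version by swapping UserPrincipalName for AccountObjectId and Location for Country.

```kql
// Added example (not the original query): per-user known-country baseline instead of tenant-wide.
let lookback = 90d;   // baseline window; shorten to 30d for M365D advanced hunting
let recent = 3d;      // detection window, excluded from the baseline
let KnownCountriesPerUser = SigninLogs
| where TimeGenerated between (ago(lookback) .. ago(recent))
| where ResultType == 0
| where isnotempty(Location) and isnotempty(UserPrincipalName)
// One row per user with the set of countries they have signed in from successfully
| summarize KnownCountries = make_set(Location) by UserPrincipalName;
SigninLogs
| where TimeGenerated > ago(recent)
| where ResultType == 0
| where isnotempty(Location) and isnotempty(UserPrincipalName)
// leftouter keeps users with no baseline at all (new accounts); KnownCountries is null for them
| join kind=leftouter KnownCountriesPerUser on UserPrincipalName
| where isnull(KnownCountries) or not(set_has_element(KnownCountries, Location))
// Collapse to one row per user and new country; keep the evidence an analyst needs to triage
| summarize FirstSeen = min(TimeGenerated), SignIns = count(),
            IPAddresses = make_set(IPAddress), UserAgents = make_set(UserAgent),
            KnownCountries = any(KnownCountries)
    by UserPrincipalName, Location
| order by FirstSeen desc
```

Accounts with no successful sign-in in the baseline window are reported on their first sign-in because the `isnull(KnownCountries)` clause keeps them; change the join to `kind=inner` and drop that clause if you would rather ignore brand-new accounts and let the tenant-wide query above cover them.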

Bert-Jan Pals
Released: October 25, 2023