Merge pull request Azure#13191 from shajee988/update-sentinel-rule(AnomalousSingleFactorSignin)

v-atulyadav · web-flow · commit 20ec6fef2098 · 2025-11-25T11:10:23.000+05:30
Update sentinel rule(anomalous single factor signin)
diff --git a/Detections/SigninLogs/AnomalousSingleFactorSignin.yaml b/Detections/SigninLogs/AnomalousSingleFactorSignin.yaml
@@ -22,16 +22,16 @@ tags:
 query: |
   let known_locations = (SigninLogs
     | where TimeGenerated between(ago(7d)..ago(1d))
-    | where ResultType == 0
+    | where ResultType != 0
     | extend LocationDetail = strcat(Location, "-", LocationDetails.state)
     | summarize by LocationDetail);
   let known_asn = (SigninLogs
     | where TimeGenerated between(ago(7d)..ago(1d))
-    | where ResultType == 0
+    | where ResultType != 0
     | summarize by AutonomousSystemNumber);
   SigninLogs
   | where TimeGenerated > ago(1d)
-  | where ResultType == 0
+  | where ResultType != 0
   | where isempty(DeviceDetail.deviceId)
   | where AuthenticationRequirement == "singleFactorAuthentication"
   | extend LocationParsed = parse_json(LocationDetails), DeviceParsed = parse_json(DeviceDetail)
@@ -60,7 +60,7 @@ entityMappings:
         columnName: AppId
       - identifier: Name
         columnName: AppDisplayName
-version: 1.0.4
+version: 1.0.5
 kind: Scheduled
 metadata:
     source:
