(UB3.C2.K1 – Sign-in attempts from anywhere)
New Threat Detection: Monitoring Sign-In Attempts from Airport Networks
As cyber threats continue to evolve, it is crucial to enhance our security posture to protect sensitive information and accounts. This latest threat detection initiative focuses on monitoring sign-in attempts originating from airport network connections.
Why Airport Networks?
Airport Wi-Fi networks are notoriously vulnerable, often lacking robust security measures. Cybercriminals may exploit these connections to conduct malicious activities, including account compromise through credential theft or man-in-the-middle attacks. By monitoring sign-in attempts from these networks, we can better understand the potential risks associated with unauthorized access to our systems.
Possible Threat Detection Mechanisms:
1. Travel Tracking: Use IP geolocation to assess the legitimacy of sign-in attempts. If an account signs in from an airport, we can follow its subsequent sign-ins to verify whether the user is traveling to high-risk countries where the user, their device or our data could be at risk.
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"] with (format="csv", ignoreFirstRecord=True);
AADSignInEventsBeta
// keep only successful sign-ins
| where ErrorCode == 0
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
// integer part of the latitude: a coarse pre-filter that limits the join to airports on the same parallel
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
// bounding-box check: the sign-in must lie between the airport's min and max latitude and longitude
| where Latitude0 > minLatitude and Latitude0 < maxLatitude and Longitude0 > minLongitude and Longitude0 < maxLongitude
| summarize make_set(AirportName), make_set(country), dcount(AirportName) by AccountDisplayName
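The geofencing logic of the query above, as an added example written for this page (it is not code from the original post or from the Threat-Hunting-KQL-Queries repository): airports are indexed by the integer part of their latitude, sign-ins are pre-filtered on that integer, the bounding-box check is applied, and the airports seen are rolled up per account. The airport rows and sign-in events are constructed for the example, not the real CSV or tenant data. It goes one step beyond the KQL by registering each airport under every integer latitude its box spans, so a box that straddles a parallel (the constructed "Example Field" row) is still matched; the KQL's single maxlatindicator would miss a sign-in whose integer latitude differs from toint(maxLatitude).

```python
"""Geofence sign-in coordinates against airport bounding boxes.

Added example: index airports by integer latitude (the maxlatindicator idea),
pre-filter sign-ins on that integer, apply the bounding-box check, then roll
up airports per account. All data below is constructed.
"""
from collections import defaultdict
from decimal import Decimal

# Constructed stand-in for Airport_polygon.csv, same column order as the
# externaldata() schema in the KQL. Coordinates are rough and illustrative.
AIRPORT_DATA = [
    # (AirportName, maxLatitude, minLatitude, maxLongitude, minLongitude, iata, country)
    ("Heathrow", Decimal("51.49"), Decimal("51.44"), Decimal("-0.41"), Decimal("-0.50"), "LHR", "United Kingdom"),
    ("Sydney Kingsford Smith", Decimal("-33.92"), Decimal("-33.96"), Decimal("151.19"), Decimal("151.16"), "SYD", "Australia"),
    ("John F. Kennedy", Decimal("40.66"), Decimal("40.62"), Decimal("-73.75"), Decimal("-73.82"), "JFK", "United States"),
    # hypothetical airfield whose box straddles the 41.0 parallel
    ("Example Field", Decimal("41.02"), Decimal("40.98"), Decimal("10.05"), Decimal("10.00"), "XXX", "Exampleland"),
]

# Constructed AADSignInEventsBeta-style rows (Latitude/Longitude arrive as strings).
SIGN_INS = [
    {"AccountDisplayName": "alice", "ErrorCode": 0, "Latitude": "51.47", "Longitude": "-0.45", "IPAddress": "203.0.113.10"},
    {"AccountDisplayName": "alice", "ErrorCode": 0, "Latitude": "-33.94", "Longitude": "151.17", "IPAddress": "198.51.100.7"},
    {"AccountDisplayName": "bob", "ErrorCode": 50126, "Latitude": "40.64", "Longitude": "-73.78", "IPAddress": "192.0.2.5"},
    {"AccountDisplayName": "carol", "ErrorCode": 0, "Latitude": "51.30", "Longitude": "-0.45", "IPAddress": "203.0.113.99"},
    {"AccountDisplayName": "dave", "ErrorCode": 0, "Latitude": "40.64", "Longitude": "-73.78", "IPAddress": "192.0.2.6"},
    {"AccountDisplayName": "erin", "ErrorCode": 0, "Latitude": "40.99", "Longitude": "10.02", "IPAddress": "192.0.2.77"},
]


def build_airport_index(rows):
    """Index airports by integer latitude.

    The KQL joins on a single maxlatindicator = toint(maxLatitude). Here the
    airport is registered under every integer between toint(minLatitude) and
    toint(maxLatitude), so a box that straddles a parallel is still found.
    int() truncates toward zero, matching KQL toint() for southern latitudes.
    """
    index = defaultdict(list)
    for name, max_lat, min_lat, max_lon, min_lon, iata, country in rows:
        airport = {"AirportName": name, "maxLatitude": max_lat, "minLatitude": min_lat,
                   "maxLongitude": max_lon, "minLongitude": min_lon, "iata": iata, "country": country}
        lo, hi = sorted((int(min_lat), int(max_lat)))
        for indicator in range(lo, hi + 1):
            index[indicator].append(airport)
    return index


def in_bounding_box(lat, lon, airport):
    """The where-clause: strictly inside the min/max latitude and longitude."""
    return (airport["minLatitude"] < lat < airport["maxLatitude"]
            and airport["minLongitude"] < lon < airport["maxLongitude"])


def match_airport_sign_ins(sign_ins, index, successful_only=True):
    """Inner join on the integer latitude followed by the bounding-box filter.

    Returns (event, airport) pairs; successful_only reproduces `where ErrorCode == 0`.
    """
    hits = []
    for ev in sign_ins:
        if successful_only and ev["ErrorCode"] != 0:
            continue
        lat, lon = Decimal(ev["Latitude"]), Decimal(ev["Longitude"])
        for airport in index.get(int(lat), []):
            if in_bounding_box(lat, lon, airport):
                hits.append((ev, airport))
    return hits


def summarize_by_account(hits):
    """summarize make_set(AirportName), make_set(country), dcount(AirportName) by AccountDisplayName."""
    per_account = defaultdict(lambda: {"airports": set(), "countries": set()})
    for ev, airport in hits:
        entry = per_account[ev["AccountDisplayName"]]
        entry["airports"].add(airport["AirportName"])
        entry["countries"].add(airport["country"])
    return {
        account: {"airports": sorted(v["airports"]), "countries": sorted(v["countries"]),
                  "dcount": len(v["airports"])}
        for account, v in per_account.items()
    }


if __name__ == "__main__":
    summary = summarize_by_account(match_airport_sign_ins(SIGN_INS, build_airport_index(AIRPORT_DATA)))
    for account, row in sorted(summary.items()):
        print(account, row)
```

With the constructed data, "carol" shares Heathrow's integer latitude but sits south of the box and is dropped, "bob" is dropped because the sign-in failed, and "alice" is reported with two airports in two countries, which is the signal the travel-tracking use case looks for.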
2. Anomaly Detection: Surface unusual sign-in patterns from airport connections, such as geographical inconsistencies, atypical access times, password spraying and other attacks by bad actors, by breaking down the sign-in error codes observed from those networks.
let AADTSErrorCode = externaldata(ErrorCode:int, Description:string)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/AADSTS%20error%20codes.csv"] with (format="csv", ignoreFirstRecord=True);
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"] with (format="csv", ignoreFirstRecord=True);
AADSignInEventsBeta
// no ErrorCode filter here: failed attempts are the interesting ones
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
// bounding-box check: the sign-in must lie between the airport's min and max latitude and longitude
| where Latitude0 > minLatitude and Latitude0 < maxLatitude and Longitude0 > minLongitude and Longitude0 < maxLongitude
// enrich the numeric AADSTS code with its description
| join kind=inner (AADTSErrorCode) on $left.ErrorCode == $right.ErrorCode
// Country (capitalised) is the sign-in's country from AADSignInEventsBeta; country (lowercase) is the airport's
| summarize count() by ErrorCode, Description, AirportName, Country
3. User Behavior Analytics (UBA): Monitor user behavior to establish a baseline of typical activity. Significant deviations from this baseline, particularly from high-risk environments like airports, can prompt immediate alerts for further investigation.
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"] with (format="csv", ignoreFirstRecord=True);
AADSignInEventsBeta
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
// bounding-box check: the sign-in must lie between the airport's min and max latitude and longitude
| where Latitude0 > minLatitude and Latitude0 < maxLatitude and Longitude0 > minLongitude and Longitude0 < maxLongitude
// which applications and client types each account uses from each airport IP; compare against the account's usual activity
| summarize make_set(Application), make_set(ClientAppUsed) by AirportName, IPAddress, AccountDisplayName
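The baseline-and-deviation step that the UBA item describes, as an added example for this page (not code from the original post or repository): per account, the applications and client types seen in a baseline window of ordinary (non-airport) sign-ins are collected, and any later airport sign-in whose application/client pair is missing from that baseline is flagged. The input records mimic rows already enriched with an AirportName, as the query above produces; the events, account names and the 30-day window are constructed assumptions.

```python
"""Flag airport sign-ins that deviate from an account's baseline application usage.

Added example. Records mimic AADSignInEventsBeta rows with an AirportName
attached (None when the sign-in did not match an airport). All values are
constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

BASELINE_DAYS = 30            # assumed baseline window
AS_OF = datetime(2024, 5, 20)  # baseline ends here; detection starts here

# Constructed events, ordered by time.
EVENTS = [
    {"Timestamp": "2024-05-01T09:00:00", "AccountDisplayName": "alice", "Application": "Outlook",
     "ClientAppUsed": "Browser", "AirportName": None, "IPAddress": "203.0.113.1"},
    {"Timestamp": "2024-05-03T09:00:00", "AccountDisplayName": "alice", "Application": "Teams",
     "ClientAppUsed": "Mobile Apps and Desktop clients", "AirportName": None, "IPAddress": "203.0.113.1"},
    {"Timestamp": "2024-05-20T14:00:00", "AccountDisplayName": "alice", "Application": "Outlook",
     "ClientAppUsed": "Browser", "AirportName": "Heathrow", "IPAddress": "198.51.100.7"},
    {"Timestamp": "2024-05-21T02:00:00", "AccountDisplayName": "alice", "Application": "Azure Portal",
     "ClientAppUsed": "Browser", "AirportName": "Heathrow", "IPAddress": "198.51.100.7"},
    {"Timestamp": "2024-05-21T03:00:00", "AccountDisplayName": "bob", "Application": "Outlook",
     "ClientAppUsed": "Browser", "AirportName": "JFK", "IPAddress": "192.0.2.9"},
]


def build_baseline(events, as_of=AS_OF, days=BASELINE_DAYS):
    """Per-account set of (Application, ClientAppUsed) pairs seen in the window before as_of.

    Airport sign-ins are excluded so that activity from the environment we are
    suspicious of does not become part of what counts as normal.
    """
    window_start = as_of - timedelta(days=days)
    baseline = defaultdict(set)
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"])
        if window_start <= ts < as_of and ev["AirportName"] is None:
            baseline[ev["AccountDisplayName"]].add((ev["Application"], ev["ClientAppUsed"]))
    return baseline


def flag_airport_deviations(events, baseline, as_of=AS_OF):
    """Airport sign-ins at or after as_of whose app/client pair is not in the account's baseline."""
    flagged = []
    for ev in events:
        ts = datetime.fromisoformat(ev["Timestamp"])
        if ts < as_of or ev["AirportName"] is None:
            continue
        pair = (ev["Application"], ev["ClientAppUsed"])
        known = baseline.get(ev["AccountDisplayName"], set())
        if pair in known:
            continue
        reason = "no baseline for account" if not known else "application/client not in baseline"
        flagged.append({**ev, "reason": reason})
    return flagged


if __name__ == "__main__":
    for hit in flag_airport_deviations(EVENTS, build_baseline(EVENTS)):
        print(hit["Timestamp"], hit["AccountDisplayName"], hit["AirportName"], hit["Application"], hit["reason"])
```

Outlook from Heathrow is not flagged for "alice" because it matches her baseline, the Azure Portal sign-in from the same IP is flagged as a new application, and "bob" is flagged because the account has no baseline at all, which is the case where an analyst has the least context and a detection rule should be most conservative.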
4. Real-Time Alerts: Develop a notification (such as Detection Rules) that alerts security teams of suspicious sign-in attempts from airport networks. This will allow for immediate response actions, such as temporarily locking accounts or requiring additional verification.
5. Correlation with Existing Alerts: This KQL query correlates alerts related to unfamiliar sign-in attempts or token incidents with sign-ins detected from airport networks. For example, if Defender XDR flags a suspicious token request, we can cross-reference it with any recent sign-ins from airport networks to build a clearer picture of potential threats.
let Airport_Data = externaldata(AirportName:string, maxLatitude:decimal, minLatitude:decimal, maxLongitude:decimal, minLongitude:decimal, iata:string, country:string, maxlatindicator:int)[@"https://raw.githubusercontent.com/Sergio-Albea-Git/Threat-Hunting-KQL-Queries/refs/heads/main/Security-Lists/Airport_polygon.csv"] with (format="csv", ignoreFirstRecord=True);
AADSignInEventsBeta
| extend Latitude0 = todecimal(Latitude), Longitude0 = todecimal(Longitude)
| extend IntegerPart = toint(Latitude0)
| join kind=inner (Airport_Data) on $left.IntegerPart == $right.maxlatindicator
// bounding-box check first, so only sign-ins inside an airport box are joined against the alert evidence
| where Latitude0 > minLatitude and Latitude0 < maxLatitude and Longitude0 > minLongitude and Longitude0 < maxLongitude
// match the airport sign-in IP against the remote IP recorded in Defender XDR alert evidence
| join kind=inner (AlertEvidence) on $left.IPAddress == $right.RemoteIP
| summarize count() by AlertId, Country, IPAddress, DetectionSource, Title, AccountDisplayName
Conclusion
By implementing this new threat detection focused on airport network sign-in attempts, I aim to enhance proactive measures against potential cyber threats. Continuous monitoring and quick response to suspicious activities will not only protect our organization but also strengthen the trust of our clients and stakeholders.
