Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. User Sign in from different countries

User Sign in from different countries

Back
Id3094e036-e5ae-4d6e-8626-b0f86ebc71f2
RulenameUser Sign in from different countries
DescriptionThis query searches for successful user logins from different countries within 30min.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
Required data connectorsSalesforceServiceCloud
KindScheduled
Query frequency30m
Query period30m
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml
Version1.0.1
Arm template3094e036-e5ae-4d6e-8626-b0f86ebc71f2.json
Deploy To Azure
let threshold = 2;
let Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)
[@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"];
let UsersLocation = SalesforceServiceCloud
| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'
| project TimeGenerated, ClientIp, UserId, User, UserType ;
UsersLocation
| extend Dummy=1
| summarize count() by Hour=bin(TimeGenerated,30m), ClientIp,User, Dummy
| partition by Hour(
                lookup (Countrydb|extend Dummy=1) on Dummy
              | where ipv4_is_match(ClientIp, Network)
              )
| summarize NumOfCountries = dcount(country_name) by User, Hour
| where NumOfCountries >= threshold

severity: Medium
relevantTechniques:
- T1078
queryFrequency: 30m
kind: Scheduled
version: 1.0.1
name: User Sign in from different countries
triggerOperator: gt
description: |
    'This query searches for successful user logins from different countries within 30min.'
queryPeriod: 30m
query: |
  let threshold = 2;
  let Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)
  [@"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv"];
  let UsersLocation = SalesforceServiceCloud
  | where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'
  | project TimeGenerated, ClientIp, UserId, User, UserType ;
  UsersLocation
  | extend Dummy=1
  | summarize count() by Hour=bin(TimeGenerated,30m), ClientIp,User, Dummy
  | partition by Hour(
                  lookup (Countrydb|extend Dummy=1) on Dummy
                | where ipv4_is_match(ClientIp, Network)
                )
  | summarize NumOfCountries = dcount(country_name) by User, Hour
  | where NumOfCountries >= threshold  
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: User
    identifier: AadUserId
tactics:
- InitialAccess
status: Available
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml
id: 3094e036-e5ae-4d6e-8626-b0f86ebc71f2
requiredDataConnectors:
- dataTypes:
  - SalesforceServiceCloud
  connectorId: SalesforceServiceCloud

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/3094e036-e5ae-4d6e-8626-b0f86ebc71f2')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/3094e036-e5ae-4d6e-8626-b0f86ebc71f2')]",
      "properties": {
        "alertRuleTemplateName": "3094e036-e5ae-4d6e-8626-b0f86ebc71f2",
        "customDetails": null,
        "description": "'This query searches for successful user logins from different countries within 30min.'\n",
        "displayName": "User Sign in from different countries",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "User",
                "identifier": "AadUserId"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Salesforce Service Cloud/Analytic Rules/Salesforce-SigninsMultipleCountries.yaml",
        "query": "let threshold = 2;\nlet Countrydb = externaldata(Network:string, geoname_id:string, continent_code:string, continent_name:string, country_iso_code:string, country_name:string)\n[@\"https://raw.githubusercontent.com/datasets/geoip2-ipv4/master/data/geoip2-ipv4.csv\"];\nlet UsersLocation = SalesforceServiceCloud\n| where EventType =~ 'Login' and LoginStatus=~'LOGIN_NO_ERROR'\n| project TimeGenerated, ClientIp, UserId, User, UserType ;\nUsersLocation\n| extend Dummy=1\n| summarize count() by Hour=bin(TimeGenerated,30m), ClientIp,User, Dummy\n| partition by Hour(\n                lookup (Countrydb|extend Dummy=1) on Dummy\n              | where ipv4_is_match(ClientIp, Network)\n              )\n| summarize NumOfCountries = dcount(country_name) by User, Hour\n| where NumOfCountries >= threshold\n",
        "queryFrequency": "PT30M",
        "queryPeriod": "PT30M",
        "severity": "Medium",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}