Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Sentinel One - Admin login from new location

Sentinel One - Admin login from new location

Back
Id382f37b3-b49a-492f-b436-a4717c8c5c3e
RulenameSentinel One - Admin login from new location
DescriptionDetects admin user login from new location (IP address).
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
TechniquesT1078
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
Version1.0.1
Arm template382f37b3-b49a-492f-b436-a4717c8c5c3e.json
Deploy To Azure
let lback_period = 14d;
let lback_time = 1h;
SentinelOne
| where TimeGenerated between(ago(lback_period)..ago(lback_time))
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
| join (SentinelOne
        | where ActivityType == 27
        | where DataRole =~ 'Admin'
        | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
        | where isnotempty(SrcIpAddr)) on SrcUserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

query: |
  let lback_period = 14d;
  let lback_time = 1h;
  SentinelOne
  | where TimeGenerated between(ago(lback_period)..ago(lback_time))
  | where ActivityType == 27
  | where DataRole =~ 'Admin'
  | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
  | where isnotempty(SrcIpAddr)
  | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
  | join (SentinelOne
          | where ActivityType == 27
          | where DataRole =~ 'Admin'
          | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
          | where isnotempty(SrcIpAddr)) on SrcUserName
  | where ip_lst !has SrcIpAddr
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
name: Sentinel One - Admin login from new location
queryPeriod: 14d
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
kind: Scheduled
requiredDataConnectors:
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne
triggerOperator: gt
queryFrequency: 1h
tactics:
- InitialAccess
- PrivilegeEscalation
triggerThreshold: 0
status: Available
relevantTechniques:
- T1078
version: 1.0.1
description: |
    'Detects admin user login from new location (IP address).'
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml