Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Sentinel One - Admin login from new location

Sentinel One - Admin login from new location

Back
Id382f37b3-b49a-492f-b436-a4717c8c5c3e
RulenameSentinel One - Admin login from new location
DescriptionDetects admin user login from new location (IP address).
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
TechniquesT1078
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
Version1.0.1
Arm template382f37b3-b49a-492f-b436-a4717c8c5c3e.json
Deploy To Azure
let lback_period = 14d;
let lback_time = 1h;
SentinelOne
| where TimeGenerated between(ago(lback_period)..ago(lback_time))
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
| join (SentinelOne
        | where ActivityType == 27
        | where DataRole =~ 'Admin'
        | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
        | where isnotempty(SrcIpAddr)) on SrcUserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
severity: High
queryFrequency: 1h
status: Available
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
triggerOperator: gt
query: |
  let lback_period = 14d;
  let lback_time = 1h;
  SentinelOne
  | where TimeGenerated between(ago(lback_period)..ago(lback_time))
  | where ActivityType == 27
  | where DataRole =~ 'Admin'
  | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
  | where isnotempty(SrcIpAddr)
  | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
  | join (SentinelOne
          | where ActivityType == 27
          | where DataRole =~ 'Admin'
          | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
          | where isnotempty(SrcIpAddr)) on SrcUserName
  | where ip_lst !has SrcIpAddr
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
queryPeriod: 14d
kind: Scheduled
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
relevantTechniques:
- T1078
description: |
    'Detects admin user login from new location (IP address).'
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
triggerThreshold: 0
tactics:
- InitialAccess
- PrivilegeEscalation
name: Sentinel One - Admin login from new location
version: 1.0.1