Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Admin login from new location

Back
Id382f37b3-b49a-492f-b436-a4717c8c5c3e
RulenameSentinel One - Admin login from new location
DescriptionDetects admin user login from new location (IP address).
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
TechniquesT1078
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
Version1.0.1
Arm template382f37b3-b49a-492f-b436-a4717c8c5c3e.json
Deploy To Azure
let lback_period = 14d;
let lback_time = 1h;
SentinelOne
| where TimeGenerated between(ago(lback_period)..ago(lback_time))
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
| join (SentinelOne
        | where ActivityType == 27
        | where DataRole =~ 'Admin'
        | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
        | where isnotempty(SrcIpAddr)) on SrcUserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
queryFrequency: 1h
description: |
    'Detects admin user login from new location (IP address).'
name: Sentinel One - Admin login from new location
relevantTechniques:
- T1078
triggerThreshold: 0
status: Available
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
requiredDataConnectors:
- dataTypes:
  - SentinelOne
  connectorId: SentinelOne
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
queryPeriod: 14d
query: |
  let lback_period = 14d;
  let lback_time = 1h;
  SentinelOne
  | where TimeGenerated between(ago(lback_period)..ago(lback_time))
  | where ActivityType == 27
  | where DataRole =~ 'Admin'
  | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
  | where isnotempty(SrcIpAddr)
  | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
  | join (SentinelOne
          | where ActivityType == 27
          | where DataRole =~ 'Admin'
          | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
          | where isnotempty(SrcIpAddr)) on SrcUserName
  | where ip_lst !has SrcIpAddr
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
kind: Scheduled
severity: High
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
version: 1.0.1
triggerOperator: gt
tactics:
- InitialAccess
- PrivilegeEscalation
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2024-01-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "properties": {
        "alertRuleTemplateName": "382f37b3-b49a-492f-b436-a4717c8c5c3e",
        "customDetails": null,
        "description": "'Detects admin user login from new location (IP address).'\n",
        "displayName": "Sentinel One - Admin login from new location",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml",
        "query": "let lback_period = 14d;\nlet lback_time = 1h;\nSentinelOne\n| where TimeGenerated between(ago(lback_period)..ago(lback_time))\n| where ActivityType == 27\n| where DataRole =~ 'Admin'\n| extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n| where isnotempty(SrcIpAddr)\n| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName\n| join (SentinelOne\n        | where ActivityType == 27\n        | where DataRole =~ 'Admin'\n        | extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n        | where isnotempty(SrcIpAddr)) on SrcUserName\n| where ip_lst !has SrcIpAddr\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "subTechniques": [],
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}