Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage

Sentinel One - Admin login from new location

Back
Id382f37b3-b49a-492f-b436-a4717c8c5c3e
RulenameSentinel One - Admin login from new location
DescriptionDetects admin user login from new location (IP address).
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
TechniquesT1078
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
Version1.0.1
Arm template382f37b3-b49a-492f-b436-a4717c8c5c3e.json
Deploy To Azure
let lback_period = 14d;
let lback_time = 1h;
SentinelOne
| where TimeGenerated between(ago(lback_period)..ago(lback_time))
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
| join (SentinelOne
        | where ActivityType == 27
        | where DataRole =~ 'Admin'
        | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
        | where isnotempty(SrcIpAddr)) on SrcUserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr
status: Available
description: |
    'Detects admin user login from new location (IP address).'
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
version: 1.0.1
triggerThreshold: 0
kind: Scheduled
queryPeriod: 14d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: IPCustomEntity
    identifier: Address
requiredDataConnectors:
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne
triggerOperator: gt
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
name: Sentinel One - Admin login from new location
query: |
  let lback_period = 14d;
  let lback_time = 1h;
  SentinelOne
  | where TimeGenerated between(ago(lback_period)..ago(lback_time))
  | where ActivityType == 27
  | where DataRole =~ 'Admin'
  | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
  | where isnotempty(SrcIpAddr)
  | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
  | join (SentinelOne
          | where ActivityType == 27
          | where DataRole =~ 'Admin'
          | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
          | where isnotempty(SrcIpAddr)) on SrcUserName
  | where ip_lst !has SrcIpAddr
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
tactics:
- InitialAccess
- PrivilegeEscalation
queryFrequency: 1h
relevantTechniques:
- T1078
severity: High
{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "properties": {
        "alertRuleTemplateName": "382f37b3-b49a-492f-b436-a4717c8c5c3e",
        "customDetails": null,
        "description": "'Detects admin user login from new location (IP address).'\n",
        "displayName": "Sentinel One - Admin login from new location",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml",
        "query": "let lback_period = 14d;\nlet lback_time = 1h;\nSentinelOne\n| where TimeGenerated between(ago(lback_period)..ago(lback_time))\n| where ActivityType == 27\n| where DataRole =~ 'Admin'\n| extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n| where isnotempty(SrcIpAddr)\n| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName\n| join (SentinelOne\n        | where ActivityType == 27\n        | where DataRole =~ 'Admin'\n        | extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n        | where isnotempty(SrcIpAddr)) on SrcUserName\n| where ip_lst !has SrcIpAddr\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}