Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Sentinel One - Admin login from new location

Sentinel One - Admin login from new location

Back
Id382f37b3-b49a-492f-b436-a4717c8c5c3e
RulenameSentinel One - Admin login from new location
DescriptionDetects admin user login from new location (IP address).
SeverityHigh
TacticsInitialAccess
PrivilegeEscalation
TechniquesT1078
Required data connectorsSentinelOne
KindScheduled
Query frequency1h
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
Version1.0.1
Arm template382f37b3-b49a-492f-b436-a4717c8c5c3e.json
Deploy To Azure
let lback_period = 14d;
let lback_time = 1h;
SentinelOne
| where TimeGenerated between(ago(lback_period)..ago(lback_time))
| where ActivityType == 27
| where DataRole =~ 'Admin'
| extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
| where isnotempty(SrcIpAddr)
| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
| join (SentinelOne
        | where ActivityType == 27
        | where DataRole =~ 'Admin'
        | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
        | where isnotempty(SrcIpAddr)) on SrcUserName
| where ip_lst !has SrcIpAddr
| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr

queryPeriod: 14d
version: 1.0.1
kind: Scheduled
triggerThreshold: 0
relevantTechniques:
- T1078
triggerOperator: gt
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
- fieldMappings:
  - identifier: Address
    columnName: IPCustomEntity
  entityType: IP
query: |
  let lback_period = 14d;
  let lback_time = 1h;
  SentinelOne
  | where TimeGenerated between(ago(lback_period)..ago(lback_time))
  | where ActivityType == 27
  | where DataRole =~ 'Admin'
  | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
  | where isnotempty(SrcIpAddr)
  | summarize ip_lst = makeset(SrcIpAddr) by SrcUserName
  | join (SentinelOne
          | where ActivityType == 27
          | where DataRole =~ 'Admin'
          | extend SrcIpAddr = extract(@'Address\s(\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3})', 1, EventOriginalMessage)
          | where isnotempty(SrcIpAddr)) on SrcUserName
  | where ip_lst !has SrcIpAddr
  | extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr  
name: Sentinel One - Admin login from new location
queryFrequency: 1h
requiredDataConnectors:
- connectorId: SentinelOne
  dataTypes:
  - SentinelOne
description: |
    'Detects admin user login from new location (IP address).'
status: Available
id: 382f37b3-b49a-492f-b436-a4717c8c5c3e
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml
tactics:
- InitialAccess
- PrivilegeEscalation
severity: High

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "apiVersion": "2023-02-01-preview",
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "kind": "Scheduled",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/382f37b3-b49a-492f-b436-a4717c8c5c3e')]",
      "properties": {
        "alertRuleTemplateName": "382f37b3-b49a-492f-b436-a4717c8c5c3e",
        "customDetails": null,
        "description": "'Detects admin user login from new location (IP address).'\n",
        "displayName": "Sentinel One - Admin login from new location",
        "enabled": true,
        "entityMappings": [
          {
            "entityType": "Account",
            "fieldMappings": [
              {
                "columnName": "AccountCustomEntity",
                "identifier": "Name"
              }
            ]
          },
          {
            "entityType": "IP",
            "fieldMappings": [
              {
                "columnName": "IPCustomEntity",
                "identifier": "Address"
              }
            ]
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SentinelOne/Analytic Rules/SentinelOneAdminLoginNewIP.yaml",
        "query": "let lback_period = 14d;\nlet lback_time = 1h;\nSentinelOne\n| where TimeGenerated between(ago(lback_period)..ago(lback_time))\n| where ActivityType == 27\n| where DataRole =~ 'Admin'\n| extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n| where isnotempty(SrcIpAddr)\n| summarize ip_lst = makeset(SrcIpAddr) by SrcUserName\n| join (SentinelOne\n        | where ActivityType == 27\n        | where DataRole =~ 'Admin'\n        | extend SrcIpAddr = extract(@'Address\\s(\\d{1,3}\\.\\d{1,3}\\.\\d{1,3}\\.\\d{1,3})', 1, EventOriginalMessage)\n        | where isnotempty(SrcIpAddr)) on SrcUserName\n| where ip_lst !has SrcIpAddr\n| extend AccountCustomEntity = SrcUserName, IPCustomEntity = SrcIpAddr\n",
        "queryFrequency": "PT1H",
        "queryPeriod": "P14D",
        "severity": "High",
        "status": "Available",
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess",
          "PrivilegeEscalation"
        ],
        "techniques": [
          "T1078"
        ],
        "templateVersion": "1.0.1",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0
      },
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules"
    }
  ]
}