let lbtime_d = 14d;
let lbtime_24h = 24h;
OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(SrcIpAddr)
| where isnotempty(DstUserName)
| summarize knownIPs = make_set(SrcIpAddr) by DstUserName
| join (OracleDatabaseAuditEvent
| where isnotempty(SrcIpAddr)
| where isnotempty(DstUserName)
| where DbAction =~ 'connect'
) on DstUserName
| where knownIPs !contains SrcIpAddr
| project DstUserName, SrcIpAddr
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
kind: Scheduled
name: OracleDBAudit - User connected to database from new IP
status: Available
severity: Low
queryFrequency: 1h
description: |
'Detects when a user connects to database from new IP address.'
query: |
let lbtime_d = 14d;
let lbtime_24h = 24h;
OracleDatabaseAuditEvent
| where TimeGenerated between (ago(lbtime_d) .. ago(lbtime_24h))
| where isnotempty(SrcIpAddr)
| where isnotempty(DstUserName)
| summarize knownIPs = make_set(SrcIpAddr) by DstUserName
| join (OracleDatabaseAuditEvent
| where isnotempty(SrcIpAddr)
| where isnotempty(DstUserName)
| where DbAction =~ 'connect'
) on DstUserName
| where knownIPs !contains SrcIpAddr
| project DstUserName, SrcIpAddr
| extend AccountCustomEntity = DstUserName
| extend IPCustomEntity = SrcIpAddr
queryPeriod: 14d
id: 39a0995e-f4a9-4869-a0ae-36d6d9049bfd
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/OracleDatabaseAudit/Analytic Rules/OracleDBAuditNewIpForUser.yaml
relevantTechniques:
- T1078
entityMappings:
- entityType: Account
fieldMappings:
- columnName: AccountCustomEntity
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: IPCustomEntity
identifier: Address
triggerOperator: gt
requiredDataConnectors:
- datatypes:
- Syslog
connectorId: SyslogAma
version: 1.0.2
triggerThreshold: 0
