CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
relevantTechniques:
- T1078
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: true
enabled: true
matchingMethod: Selected
groupByEntities:
- IP
lookbackDuration: P7D
createIncident: true
requiredDataConnectors: []
version: 1.0.0
triggerThreshold: 0
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
description: Suspicious login from an IP address observed up to two times in the last two weeks.
query: |
CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
triggerOperator: gt
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: Acronis - Login from Abnormal IP ({{initiator_ip}}) - Low Occurrence ({{LoginCount}})
eventGroupingSettings:
aggregationKind: AlertPerResult
id: 84037130-a623-46c2-9144-0c0955ac4112
queryFrequency: 1d
entityMappings:
- fieldMappings:
- columnName: initiator_ip
identifier: Address
entityType: IP
severity: Medium
queryPeriod: 14d
name: Acronis - Login from Abnormal IP - Low Occurrence
tactics:
- InitialAccess
kind: Scheduled
