CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
incidentConfiguration:
groupingConfiguration:
reopenClosedIncident: true
matchingMethod: Selected
lookbackDuration: P7D
groupByEntities:
- IP
enabled: true
createIncident: true
queryPeriod: 14d
kind: Scheduled
name: Acronis - Login from Abnormal IP - Low Occurrence
eventGroupingSettings:
aggregationKind: AlertPerResult
entityMappings:
- fieldMappings:
- columnName: initiator_ip
identifier: Address
entityType: IP
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: Acronis - Login from Abnormal IP ({{initiator_ip}}) - Low Occurrence ({{LoginCount}})
tactics:
- InitialAccess
description: Suspicious login from an IP address observed up to two times in the last two weeks.
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d
triggerThreshold: 0
version: 1.0.0
query: |
CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
relevantTechniques:
- T1078
id: 84037130-a623-46c2-9144-0c0955ac4112
triggerOperator: gt
