CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
queryPeriod: 14d
requiredDataConnectors: []
severity: Medium
triggerOperator: gt
entityMappings:
- fieldMappings:
- identifier: Address
columnName: initiator_ip
entityType: IP
version: 1.0.0
triggerThreshold: 0
tactics:
- InitialAccess
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
eventGroupingSettings:
aggregationKind: AlertPerResult
query: |
CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
id: 84037130-a623-46c2-9144-0c0955ac4112
name: Acronis - Login from Abnormal IP - Low Occurrence
incidentConfiguration:
createIncident: true
groupingConfiguration:
reopenClosedIncident: true
matchingMethod: Selected
enabled: true
groupByEntities:
- IP
lookbackDuration: P7D
description: Suspicious login from an IP address observed up to two times in the last two weeks.
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: Acronis - Login from Abnormal IP ({{initiator_ip}}) - Low Occurrence ({{LoginCount}})
kind: Scheduled
queryFrequency: 1d
