Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Acronis - Login from Abnormal IP - Low Occurrence

Acronis - Login from Abnormal IP - Low Occurrence

Back
Id84037130-a623-46c2-9144-0c0955ac4112
RulenameAcronis - Login from Abnormal IP - Low Occurrence
DescriptionSuspicious login from an IP address observed up to two times in the last two weeks.
SeverityMedium
TacticsInitialAccess
TechniquesT1078
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
Version1.0.0
Arm template84037130-a623-46c2-9144-0c0955ac4112.json
Deploy To Azure
CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc

queryPeriod: 14d
description: Suspicious login from an IP address observed up to two times in the last two weeks.
kind: Scheduled
query: |
  CommonSecurityLog
  | where DeviceVendor == "Acronis audit"
  | extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
  | summarize LoginCount = count() by initiator_ip
  | where LoginCount <= 2
  | order by LoginCount asc  
tactics:
- InitialAccess
incidentConfiguration:
  groupingConfiguration:
    enabled: true
    lookbackDuration: P7D
    groupByEntities:
    - IP
    matchingMethod: Selected
    reopenClosedIncident: true
  createIncident: true
triggerOperator: gt
eventGroupingSettings:
  aggregationKind: AlertPerResult
alertDetailsOverride:
  alertDisplayNameFormat: Acronis - Login from Abnormal IP ({{initiator_ip}}) - Low Occurrence ({{LoginCount}})
  alertDynamicProperties: []
id: 84037130-a623-46c2-9144-0c0955ac4112
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
version: 1.0.0
entityMappings:
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: initiator_ip
triggerThreshold: 0
relevantTechniques:
- T1078
name: Acronis - Login from Abnormal IP - Low Occurrence
severity: Medium
requiredDataConnectors: []
queryFrequency: 1d