CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
relevantTechniques:
- T1078
entityMappings:
- entityType: IP
fieldMappings:
- columnName: initiator_ip
identifier: Address
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.0
id: 84037130-a623-46c2-9144-0c0955ac4112
severity: Medium
kind: Scheduled
queryFrequency: 1d
description: Suspicious login from an IP address observed up to two times in the last two weeks.
requiredDataConnectors: []
triggerOperator: gt
name: Acronis - Login from Abnormal IP - Low Occurrence
tactics:
- InitialAccess
alertDetailsOverride:
alertDynamicProperties: []
alertDisplayNameFormat: Acronis - Login from Abnormal IP ({{initiator_ip}}) - Low Occurrence ({{LoginCount}})
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Acronis Cyber Protect Cloud/Analytic Rules/AcronisLoginFromAbnormalIPLowOccurrence.yaml
triggerThreshold: 0
queryPeriod: 14d
query: |
CommonSecurityLog
| where DeviceVendor == "Acronis audit"
| extend initiator_ip = tostring(parse_json(DeviceCustomString1).initiator_ip)
| summarize LoginCount = count() by initiator_ip
| where LoginCount <= 2
| order by LoginCount asc
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: Selected
groupByEntities:
- IP
reopenClosedIncident: true
enabled: true
lookbackDuration: P7D
