Microsoft Sentinel Analytic Rules
cloudbrothers.infoAzure Sentinel RepoToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeToggle Dark/Light/Auto modeBack to homepage
  1. Microsoft Sentinel Analytics Rules
  2. /
  3. Analytic Rules
  4. /
  5. Correlate Unfamiliar sign-in properties and atypical travel alerts

Correlate Unfamiliar sign-in properties and atypical travel alerts

Back
Ida3df4a32-4805-4c6d-8699-f3c888af2f67
RulenameCorrelate Unfamiliar sign-in properties and atypical travel alerts
DescriptionThe combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.
SeverityHigh
TacticsInitialAccess
TechniquesT1078
Required data connectorsAzureActiveDirectoryIdentityProtection
BehaviorAnalytics
KindScheduled
Query frequency1d
Query period14d
Trigger threshold0
Trigger operatorgt
Source Urihttps://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory Identity Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
Version1.0.4
Arm templatea3df4a32-4805-4c6d-8699-f3c888af2f67.json
Deploy To Azure
// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts
let TimeDeltaInMinutes = 10;
let Alert_UnfamiliarSignInProps = 
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName =~ "Azure Active Directory Identity Protection"
| where AlertName =~ "Unfamiliar sign-in properties"
| mv-expand Entity = todynamic(Entities)
| where Entity.Type =~ "account"
| extend AadTenantId = tostring(Entity.AadTenantId)
| extend AadUserId = tostring(Entity.AadUserId)
| join kind=inner (
IdentityInfo
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
| extend UserName = AccountDisplayName
| extend UserAccount = AccountUPN
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
| project AccountTenantId, AccountObjectId, UserAccount, UserName
)
on
$left.AadTenantId == $right.AccountTenantId,
$left.AadUserId == $right.AccountObjectId
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated
| extend Alert_UnfamiliarSignInProps_Name = AlertName
| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity
| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName
;
let Alert_AtypicalTravels = 
SecurityAlert
| where TimeGenerated > ago(1d)
| where ProductName =~ "Azure Active Directory Identity Protection"
| where AlertName =~ "Atypical travel"
| mv-expand Entity = todynamic(Entities)
| where Entity.Type =~ "account"
| extend AadTenantId = tostring(Entity.AadTenantId)
| extend AadUserId = tostring(Entity.AadUserId)
| join kind=inner (
IdentityInfo
| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
| extend UserName = AccountDisplayName
| extend UserAccount = AccountUPN
| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
| project AccountTenantId, AccountObjectId, UserAccount, UserName
)
on
$left.AadTenantId == $right.AccountTenantId,
$left.AadUserId == $right.AccountObjectId
| extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
| extend Alert_AtypicalTravels_Time = TimeGenerated
| extend Alert_AtypicalTravels_Name = AlertName
| extend Alert_AtypicalTravels_Severity = AlertSeverity
| extend ExtendedProperties_json= parse_json(ExtendedProperties)
| extend CurrentLocation = tostring(ExtendedProperties_json.["Current Location"])
| extend PreviousLocation = tostring(ExtendedProperties_json.["Previous Location"])
| extend CurrentIPAddress = tostring(ExtendedProperties_json.["Current IP Address"])
| extend PreviousIPAddress = tostring(ExtendedProperties_json.["Previous IP Address"])
| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity
;
Alert_UnfamiliarSignInProps
| join kind=inner Alert_AtypicalTravels on UserAccount
| where abs(datetime_diff('minute', Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) <= TimeDeltaInMinutes
| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time
| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName
| extend UserEmailName = split(UserAccount,'@')[0], UPNSuffix = split(UserAccount,'@')[1]

triggerOperator: gt
id: a3df4a32-4805-4c6d-8699-f3c888af2f67
queryFrequency: 1d
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: UPNSuffix
    identifier: UPNSuffix
  - columnName: UserEmailName
    identifier: Name
- entityType: IP
  fieldMappings:
  - columnName: CurrentIPAddress
    identifier: Address
- entityType: IP
  fieldMappings:
  - columnName: PreviousIPAddress
    identifier: Address
requiredDataConnectors:
- dataTypes:
  - SecurityAlert (IPC)
  connectorId: AzureActiveDirectoryIdentityProtection
- dataTypes:
  - IdentityInfo
  connectorId: BehaviorAnalytics
severity: High
triggerThreshold: 0
kind: Scheduled
status: Available
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory Identity Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml
query: |
  // We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts
  let TimeDeltaInMinutes = 10;
  let Alert_UnfamiliarSignInProps = 
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where ProductName =~ "Azure Active Directory Identity Protection"
  | where AlertName =~ "Unfamiliar sign-in properties"
  | mv-expand Entity = todynamic(Entities)
  | where Entity.Type =~ "account"
  | extend AadTenantId = tostring(Entity.AadTenantId)
  | extend AadUserId = tostring(Entity.AadUserId)
  | join kind=inner (
  IdentityInfo
  | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
  | extend UserName = AccountDisplayName
  | extend UserAccount = AccountUPN
  | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
  | project AccountTenantId, AccountObjectId, UserAccount, UserName
  )
  on
  $left.AadTenantId == $right.AccountTenantId,
  $left.AadUserId == $right.AccountObjectId
  | extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
  | extend Alert_UnfamiliarSignInProps_Time = TimeGenerated
  | extend Alert_UnfamiliarSignInProps_Name = AlertName
  | extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity
  | project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName
  ;
  let Alert_AtypicalTravels = 
  SecurityAlert
  | where TimeGenerated > ago(1d)
  | where ProductName =~ "Azure Active Directory Identity Protection"
  | where AlertName =~ "Atypical travel"
  | mv-expand Entity = todynamic(Entities)
  | where Entity.Type =~ "account"
  | extend AadTenantId = tostring(Entity.AadTenantId)
  | extend AadUserId = tostring(Entity.AadUserId)
  | join kind=inner (
  IdentityInfo
  | distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName
  | extend UserName = AccountDisplayName
  | extend UserAccount = AccountUPN
  | where isnotempty(AccountDisplayName) and isnotempty(UserAccount)
  | project AccountTenantId, AccountObjectId, UserAccount, UserName
  )
  on
  $left.AadTenantId == $right.AccountTenantId,
  $left.AadUserId == $right.AccountObjectId
  | extend CompromisedEntity = iff(CompromisedEntity == "N/A" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)
  | extend Alert_AtypicalTravels_Time = TimeGenerated
  | extend Alert_AtypicalTravels_Name = AlertName
  | extend Alert_AtypicalTravels_Severity = AlertSeverity
  | extend ExtendedProperties_json= parse_json(ExtendedProperties)
  | extend CurrentLocation = tostring(ExtendedProperties_json.["Current Location"])
  | extend PreviousLocation = tostring(ExtendedProperties_json.["Previous Location"])
  | extend CurrentIPAddress = tostring(ExtendedProperties_json.["Current IP Address"])
  | extend PreviousIPAddress = tostring(ExtendedProperties_json.["Previous IP Address"])
  | project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity
  ;
  Alert_UnfamiliarSignInProps
  | join kind=inner Alert_AtypicalTravels on UserAccount
  | where abs(datetime_diff('minute', Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) <= TimeDeltaInMinutes
  | extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time
  | project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName
  | extend UserEmailName = split(UserAccount,'@')[0], UPNSuffix = split(UserAccount,'@')[1]  
description: |
    'The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.'
name: Correlate Unfamiliar sign-in properties and atypical travel alerts
relevantTechniques:
- T1078
tactics:
- InitialAccess
version: 1.0.4
customDetails:
  TimeDelta: TimeDelta
  CurrentLocation: CurrentLocation
  CurrentIPAddress: CurrentIPAddress
  Alert_UnfamiliarSignInProps_Time: Alert_UnfamiliarSignInProps_Time
  Alert_UnfamiliarSignInProps_Severity: Alert_UnfamiliarSignInProps_Severity
  PreviousLocation: PreviousLocation
  Alert_AtypicalTravels_Severity: Alert_AtypicalTravels_Severity
  Alert_AtypicalTravels_Time: Alert_AtypicalTravels_Time
  Alert_AtypicalTravels_Name: Alert_AtypicalTravels_Name
  PreviousIPAddress: PreviousIPAddress
  Alert_UnfamiliarSignInProps_Name: Alert_UnfamiliarSignInProps_Name

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "workspace": {
      "type": "String"
    }
  },
  "resources": [
    {
      "id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/a3df4a32-4805-4c6d-8699-f3c888af2f67')]",
      "name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/a3df4a32-4805-4c6d-8699-f3c888af2f67')]",
      "type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
      "kind": "Scheduled",
      "apiVersion": "2022-11-01",
      "properties": {
        "displayName": "Correlate Unfamiliar sign-in properties and atypical travel alerts",
        "description": "'The combination of an Unfamiliar sign-in properties alert and an Atypical travel alert about the same user within a +10m or -10m window is considered a high severity incident.'\n",
        "severity": "High",
        "enabled": true,
        "query": "// We can use this configuration TimeDeltaInMinutes if you want to chnage the time window that we try to match the alerts\nlet TimeDeltaInMinutes = 10;\nlet Alert_UnfamiliarSignInProps = \nSecurityAlert\n| where TimeGenerated > ago(1d)\n| where ProductName =~ \"Azure Active Directory Identity Protection\"\n| where AlertName =~ \"Unfamiliar sign-in properties\"\n| mv-expand Entity = todynamic(Entities)\n| where Entity.Type =~ \"account\"\n| extend AadTenantId = tostring(Entity.AadTenantId)\n| extend AadUserId = tostring(Entity.AadUserId)\n| join kind=inner (\nIdentityInfo\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\n| extend UserName = AccountDisplayName\n| extend UserAccount = AccountUPN\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\n)\non\n$left.AadTenantId == $right.AccountTenantId,\n$left.AadUserId == $right.AccountObjectId\n| extend CompromisedEntity = iff(CompromisedEntity == \"N/A\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\n| extend Alert_UnfamiliarSignInProps_Time = TimeGenerated\n| extend Alert_UnfamiliarSignInProps_Name = AlertName\n| extend Alert_UnfamiliarSignInProps_Severity = AlertSeverity\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, UserAccount, UserName\n;\nlet Alert_AtypicalTravels = \nSecurityAlert\n| where TimeGenerated > ago(1d)\n| where ProductName =~ \"Azure Active Directory Identity Protection\"\n| where AlertName =~ \"Atypical travel\"\n| mv-expand Entity = todynamic(Entities)\n| where Entity.Type =~ \"account\"\n| extend AadTenantId = tostring(Entity.AadTenantId)\n| extend AadUserId = tostring(Entity.AadUserId)\n| join kind=inner (\nIdentityInfo\n| distinct AccountTenantId, AccountObjectId, AccountUPN, AccountDisplayName\n| extend UserName = AccountDisplayName\n| extend UserAccount = AccountUPN\n| where isnotempty(AccountDisplayName) and isnotempty(UserAccount)\n| project AccountTenantId, AccountObjectId, UserAccount, UserName\n)\non\n$left.AadTenantId == $right.AccountTenantId,\n$left.AadUserId == $right.AccountObjectId\n| extend CompromisedEntity = iff(CompromisedEntity == \"N/A\" or isempty(CompromisedEntity), UserAccount, CompromisedEntity)\n| extend Alert_AtypicalTravels_Time = TimeGenerated\n| extend Alert_AtypicalTravels_Name = AlertName\n| extend Alert_AtypicalTravels_Severity = AlertSeverity\n| extend ExtendedProperties_json= parse_json(ExtendedProperties)\n| extend CurrentLocation = tostring(ExtendedProperties_json.[\"Current Location\"])\n| extend PreviousLocation = tostring(ExtendedProperties_json.[\"Previous Location\"])\n| extend CurrentIPAddress = tostring(ExtendedProperties_json.[\"Current IP Address\"])\n| extend PreviousIPAddress = tostring(ExtendedProperties_json.[\"Previous IP Address\"])\n| project AadTenantId, AadUserId, AccountTenantId, AccountObjectId, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, CurrentIPAddress, PreviousIPAddress, CurrentLocation, PreviousLocation, UserAccount, UserName, CompromisedEntity\n;\nAlert_UnfamiliarSignInProps\n| join kind=inner Alert_AtypicalTravels on UserAccount\n| where abs(datetime_diff('minute', Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Time)) <= TimeDeltaInMinutes\n| extend TimeDelta = Alert_UnfamiliarSignInProps_Time - Alert_AtypicalTravels_Time\n| project UserAccount, Alert_UnfamiliarSignInProps_Name, Alert_UnfamiliarSignInProps_Severity, Alert_UnfamiliarSignInProps_Time, Alert_AtypicalTravels_Name, Alert_AtypicalTravels_Severity, Alert_AtypicalTravels_Time, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress, UserName\n| extend UserEmailName = split(UserAccount,'@')[0], UPNSuffix = split(UserAccount,'@')[1]\n",
        "queryFrequency": "P1D",
        "queryPeriod": "P14D",
        "triggerOperator": "GreaterThan",
        "triggerThreshold": 0,
        "suppressionDuration": "PT1H",
        "suppressionEnabled": false,
        "tactics": [
          "InitialAccess"
        ],
        "techniques": [
          "T1078"
        ],
        "alertRuleTemplateName": "a3df4a32-4805-4c6d-8699-f3c888af2f67",
        "customDetails": {
          "Alert_UnfamiliarSignInProps_Severity": "Alert_UnfamiliarSignInProps_Severity",
          "CurrentLocation": "CurrentLocation",
          "Alert_AtypicalTravels_Name": "Alert_AtypicalTravels_Name",
          "Alert_UnfamiliarSignInProps_Time": "Alert_UnfamiliarSignInProps_Time",
          "TimeDelta": "TimeDelta",
          "PreviousLocation": "PreviousLocation",
          "Alert_AtypicalTravels_Severity": "Alert_AtypicalTravels_Severity",
          "Alert_AtypicalTravels_Time": "Alert_AtypicalTravels_Time",
          "CurrentIPAddress": "CurrentIPAddress",
          "PreviousIPAddress": "PreviousIPAddress",
          "Alert_UnfamiliarSignInProps_Name": "Alert_UnfamiliarSignInProps_Name"
        },
        "entityMappings": [
          {
            "fieldMappings": [
              {
                "identifier": "UPNSuffix",
                "columnName": "UPNSuffix"
              },
              {
                "identifier": "Name",
                "columnName": "UserEmailName"
              }
            ],
            "entityType": "Account"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "CurrentIPAddress"
              }
            ],
            "entityType": "IP"
          },
          {
            "fieldMappings": [
              {
                "identifier": "Address",
                "columnName": "PreviousIPAddress"
              }
            ],
            "entityType": "IP"
          }
        ],
        "OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Azure Active Directory Identity Protection/Analytic Rules/CorrelateIPC_Unfamiliar-Atypical.yaml",
        "templateVersion": "1.0.4",
        "status": "Available"
      }
    }
  ]
}