Microsoft Sentinel Analytic Rules

StealthTalk - Login outside work zone

Id: a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c
Rulename: StealthTalk - Login outside work zone
Description: Identifies a single StealthTalk authentication originating from a country or city that does not match the user's assigned (expected) geographic zone. Each individual mismatch is treated as an incident - there is no aggregation threshold, since a single login from an unexpected country is high-confidence evidence of a credential issue.

An incident fires when LoginCountry differs from AssignedCountry OR LoginCity differs from AssignedCity. Source IPv4, raw event ID, and both the observed and expected geo-locations are surfaced as entities and custom details for the SOC analyst.
Severity: High
Tactics: InitialAccess, DefenseEvasion, CredentialAccess
Techniques: T1078
Required data connectors: StealthTalkAnomalousAuth
Kind: Scheduled
Query frequency: 15m
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/LoginOutsideWorkZone.yaml
Version: 1.0.0
Arm template: a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c.json
let LookbackPeriod = 1h;
StealthTalkAnomalousAuth_CL
| where TimeGenerated >= ago(LookbackPeriod)
| where EventType == "GeoAnomalyLogin"
| where LoginCountry != AssignedCountry
     or LoginCity    != AssignedCity
| extend
    CountryMismatch = LoginCountry != AssignedCountry,
    CityMismatch    = LoginCity    != AssignedCity,
    AlertName       = "LoginOutsideWorkZone",
    AlertDetails    = strcat(
        "User ", UserId,
        " logged in from ", LoginCity, " (", LoginCountry, ")",
        " - assigned zone: ", AssignedCity, " (", AssignedCountry, ").",
        " Source IP: ", IpAddress, ".",
        " Country mismatch: ", tostring(LoginCountry != AssignedCountry), ".",
        " City mismatch: ", tostring(LoginCity != AssignedCity), "."
    )
| project
    TimeGenerated, UserId, DeviceId,
    LoginCountry, LoginCity, AssignedCountry, AssignedCity,
    CountryMismatch, CityMismatch, IpAddress,
    AppVersion, RawEventId, AlertName, AlertDetails
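To check what the query above actually fires on before deploying it, here is an added Python model of the rule's KQL and of the Account-based incident grouping from its incidentConfiguration (example code written for this page, not part of the Sentinel solution). The sample rows, user names, IP address and the NOW timestamp are constructed; the model also shows that a row with an empty assigned zone fires, because "FR" != "" is true in the query just as it is here.

```python
from datetime import datetime, timedelta, timezone
# Constructed sample rows shaped like the StealthTalkAnomalousAuth_CL columns the rule reads (not real data)
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # stands in for query time

def ev(mins_ago, user, login, assigned, event_type="GeoAnomalyLogin"):
    return dict(TimeGenerated=NOW - timedelta(minutes=mins_ago), UserId=user, DeviceId=f"DEV-{user}",
                EventType=event_type, LoginCity=login[0], LoginCountry=login[1],
                AssignedCity=assigned[0], AssignedCountry=assigned[1],
                IpAddress="203.0.113.10", RawEventId=f"evt-{user}-{mins_ago}")

EVENTS = [
    ev(5, "alice", ("Berlin", "DE"), ("Berlin", "DE")),         # in zone: no alert
    ev(20, "bob", ("Lagos", "NG"), ("Berlin", "DE")),           # country and city mismatch
    ev(10, "bob", ("Abuja", "NG"), ("Berlin", "DE")),           # second alert for the same Account
    ev(8, "carol", ("Berlin", "DE"), ("Munich", "DE")),         # city-only mismatch still fires
    ev(120, "dave", ("Lagos", "NG"), ("Berlin", "DE")),         # older than the 1h lookback: dropped
    ev(3, "erin", ("Lagos", "NG"), ("Berlin", "DE"), "Login"),  # wrong EventType: dropped
    ev(2, "frank", ("Paris", "FR"), ("", "")),                  # empty assigned zone: "FR" != "" fires
]

def login_outside_work_zone(events, now=NOW, lookback=timedelta(hours=1)):
    """Model of the rule's KQL: lookback window, EventType filter, mismatch test, extend/project."""
    alerts = []
    for e in events:
        if e["TimeGenerated"] < now - lookback or e["EventType"] != "GeoAnomalyLogin":
            continue
        country, city = e["LoginCountry"] != e["AssignedCountry"], e["LoginCity"] != e["AssignedCity"]
        if not (country or city):
            continue
        # KQL tostring() on a bool yields lowercase "true"/"false"
        details = (f"User {e['UserId']} logged in from {e['LoginCity']} ({e['LoginCountry']})"
                   f" - assigned zone: {e['AssignedCity']} ({e['AssignedCountry']})."
                   f" Source IP: {e['IpAddress']}. Country mismatch: {str(country).lower()}."
                   f" City mismatch: {str(city).lower()}.")
        alerts.append({**e, "CountryMismatch": country, "CityMismatch": city,
                       "AlertName": "LoginOutsideWorkZone", "AlertDetails": details})
    return alerts

def group_incidents(alerts, lookback=timedelta(hours=5)):
    """Model of incidentConfiguration: alerts sharing the Account entity within lookbackDuration share one incident."""
    incidents = []
    for a in sorted(alerts, key=lambda a: a["TimeGenerated"]):
        for inc in incidents:
            if inc["Account"] == a["UserId"] and a["TimeGenerated"] - inc["last"] <= lookback:
                inc["alerts"].append(a)
                inc["last"] = a["TimeGenerated"]
                break
        else:
            incidents.append({"Account": a["UserId"], "alerts": [a], "last": a["TimeGenerated"]})
    return incidents
```

With the constructed rows, four alerts fire (bob twice, carol, frank) but bob's two alerts land in one incident because they share the Account entity within the 5h lookbackDuration, which is why the description's "each mismatch is an incident" holds per alert, not per incident, once grouping is enabled.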
version: 1.0.0
severity: High
query: |
  let LookbackPeriod = 1h;
  StealthTalkAnomalousAuth_CL
  | where TimeGenerated >= ago(LookbackPeriod)
  | where EventType == "GeoAnomalyLogin"
  | where LoginCountry != AssignedCountry
       or LoginCity    != AssignedCity
  | extend
      CountryMismatch = LoginCountry != AssignedCountry,
      CityMismatch    = LoginCity    != AssignedCity,
      AlertName       = "LoginOutsideWorkZone",
      AlertDetails    = strcat(
          "User ", UserId,
          " logged in from ", LoginCity, " (", LoginCountry, ")",
          " - assigned zone: ", AssignedCity, " (", AssignedCountry, ").",
          " Source IP: ", IpAddress, ".",
          " Country mismatch: ", tostring(LoginCountry != AssignedCountry), ".",
          " City mismatch: ", tostring(LoginCity != AssignedCity), "."
      )
  | project
      TimeGenerated, UserId, DeviceId,
      LoginCountry, LoginCity, AssignedCountry, AssignedCity,
      CountryMismatch, CityMismatch, IpAddress,
      AppVersion, RawEventId, AlertName, AlertDetails  
queryPeriod: 1h
status: Available
alertDetailsOverride:
  alertDescriptionFormat: '{{AlertDetails}}'
  alertDisplayNameFormat: 'StealthTalk: Login Outside Work Zone - {{UserId}} from {{LoginCity}} ({{LoginCountry}})'
suppressionEnabled: false
customDetails:
  LoginCity: LoginCity
  LoginCountry: LoginCountry
  AppVersion: AppVersion
  CityMismatch: CityMismatch
  AssignedCity: AssignedCity
  AssignedCountry: AssignedCountry
  CountryMismatch: CountryMismatch
  EventReference: RawEventId
tactics:
- InitialAccess
- DefenseEvasion
- CredentialAccess
triggerOperator: gt
queryFrequency: 15m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/LoginOutsideWorkZone.yaml
entityMappings:
- fieldMappings:
  - columnName: UserId
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: DeviceId
    identifier: HostName
  entityType: Host
- fieldMappings:
  - columnName: IpAddress
    identifier: Address
  entityType: IP
suppressionDuration: 1h
name: StealthTalk - Login outside work zone
triggerThreshold: 0
description: |
  Identifies a single StealthTalk authentication originating from a country or city that does
  not match the user's assigned (expected) geographic zone. Each individual mismatch is
  treated as an incident - there is no aggregation threshold, since a single login from an
  unexpected country is high-confidence evidence of a credential issue.

  An incident fires when LoginCountry differs from AssignedCountry OR LoginCity differs
  from AssignedCity. Source IPv4, raw event ID, and both the observed and expected
  geo-locations are surfaced as entities and custom details for the SOC analyst.  
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - Account
    reopenClosedIncident: false
id: a7c3e9b1-4f5d-4e2a-9b8c-1d2e3f4a5b6c
kind: Scheduled
relevantTechniques:
- T1078
requiredDataConnectors:
- connectorId: StealthTalkAnomalousAuth
  dataTypes:
  - StealthTalkAnomalousAuth_CL