Bitglass - Login from new device

Back


Id	bfca0251-1581-4185-906b-4805099e3216
Rulename	Bitglass - Login from new device
Description	Detects when a user logins from new device.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
Version	1.0.0
Arm template	bfca0251-1581-4185-906b-4805099e3216.json

KQL

Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize dev = makeset(Dvc) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where dev !contains Dvc
| extend AccountCustomEntity = User

YAML

name: Bitglass - Login from new device
relevantTechniques:
- T1078
id: bfca0251-1581-4185-906b-4805099e3216
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
version: 1.0.0
severity: Medium
triggerThreshold: 0
queryPeriod: 14d
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
queryFrequency: 1h
status: Available
query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize dev = makeset(Dvc) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where dev !contains Dvc
  | extend AccountCustomEntity = User  
tactics:
- InitialAccess
kind: Scheduled
description: |
    'Detects when a user logins from new device.'
triggerOperator: gt

ARM