Bitglass - Login from new device

Back


Id	bfca0251-1581-4185-906b-4805099e3216
Rulename	Bitglass - Login from new device
Description	Detects when a user logins from new device.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
Version	1.0.0
Arm template	bfca0251-1581-4185-906b-4805099e3216.json

KQL

Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize dev = makeset(Dvc) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where dev !contains Dvc
| extend AccountCustomEntity = User

YAML

query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize dev = makeset(Dvc) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where dev !contains Dvc
  | extend AccountCustomEntity = User  
name: Bitglass - Login from new device
queryPeriod: 14d
id: bfca0251-1581-4185-906b-4805099e3216
kind: Scheduled
requiredDataConnectors:
- connectorId: Bitglass
  dataTypes:
  - Bitglass
triggerOperator: gt
queryFrequency: 1h
tactics:
- InitialAccess
triggerThreshold: 0
status: Available
relevantTechniques:
- T1078
version: 1.0.0
description: |
    'Detects when a user logins from new device.'
entityMappings:
- entityType: Account
  fieldMappings:
  - columnName: AccountCustomEntity
    identifier: Name
severity: Medium
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml

ARM