Bitglass - Login from new device

Back


Id	bfca0251-1581-4185-906b-4805099e3216
Rulename	Bitglass - Login from new device
Description	Detects when a user logins from new device.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
Version	1.0.0
Arm template	bfca0251-1581-4185-906b-4805099e3216.json

KQL

Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize dev = makeset(Dvc) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where dev !contains Dvc
| extend AccountCustomEntity = User

YAML

entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
kind: Scheduled
severity: Medium
description: |
    'Detects when a user logins from new device.'
triggerThreshold: 0
version: 1.0.0
query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize dev = makeset(Dvc) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where dev !contains Dvc
  | extend AccountCustomEntity = User  
queryPeriod: 14d
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
id: bfca0251-1581-4185-906b-4805099e3216
name: Bitglass - Login from new device
triggerOperator: gt
queryFrequency: 1h
relevantTechniques:
- T1078
status: Available
tactics:
- InitialAccess

ARM