Bitglass - Login from new device

Back


Id	bfca0251-1581-4185-906b-4805099e3216
Rulename	Bitglass - Login from new device
Description	Detects when a user logins from new device.
Severity	Medium
Tactics	InitialAccess
Techniques	T1078
Required data connectors	Bitglass
Kind	Scheduled
Query frequency	1h
Query period	14d
Trigger threshold	0
Trigger operator	gt
Source Uri	https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
Version	1.0.0
Arm template	bfca0251-1581-4185-906b-4805099e3216.json

KQL

Bitglass
| where EventType =~ 'access'
| where EventMessage =~ 'Login'
| summarize dev = makeset(Dvc) by User
| join (Bitglass
        | where EventType =~ 'access'
        | where EventMessage =~ 'Login') on User
| where dev !contains Dvc
| extend AccountCustomEntity = User

YAML

id: bfca0251-1581-4185-906b-4805099e3216
triggerOperator: gt
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Bitglass/Analytic Rules/BitglassNewDevice.yaml
entityMappings:
- fieldMappings:
  - identifier: Name
    columnName: AccountCustomEntity
  entityType: Account
requiredDataConnectors:
- dataTypes:
  - Bitglass
  connectorId: Bitglass
queryFrequency: 1h
queryPeriod: 14d
status: Available
query: |
  Bitglass
  | where EventType =~ 'access'
  | where EventMessage =~ 'Login'
  | summarize dev = makeset(Dvc) by User
  | join (Bitglass
          | where EventType =~ 'access'
          | where EventMessage =~ 'Login') on User
  | where dev !contains Dvc
  | extend AccountCustomEntity = User  
name: Bitglass - Login from new device
kind: Scheduled
tactics:
- InitialAccess
severity: Medium
relevantTechniques:
- T1078
triggerThreshold: 0
version: 1.0.0
description: |
    'Detects when a user logins from new device.'

ARM