Red Sift - Login from previously unseen IP address

let lookback = 14d;
let recentWindow = 1h;
let historicalLogins = RedSiftAuth_CL
| extend
    ActivityName = tostring(column_ifexists("ActivityName", "")),
    UserEmail = tostring(column_ifexists("UserEmail", "")),
    SrcIp = tostring(column_ifexists("SrcIp", ""))
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| summarize by UserEmail, SrcIp;
RedSiftAuth_CL
| extend
    ActivityName = tostring(column_ifexists("ActivityName", "")),
    UserEmail = tostring(column_ifexists("UserEmail", "")),
    SrcIp = tostring(column_ifexists("SrcIp", "")),
    HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
    ServiceName = tostring(column_ifexists("ServiceName", "")),
    Severity = tostring(column_ifexists("Severity", ""))
| where TimeGenerated >= ago(recentWindow)
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| join kind=leftanti (historicalLogins) on UserEmail, SrcIp
| project
    TimeGenerated,
    UserEmail,
    SrcIp,
    HttpUserAgent,
    ServiceName,
    ActivityName,
    Severity

status: Available
queryFrequency: 1h
suppressionEnabled: false
queryPeriod: 14d
triggerOperator: gt
query: |
  let lookback = 14d;
  let recentWindow = 1h;
  let historicalLogins = RedSiftAuth_CL
  | extend
      ActivityName = tostring(column_ifexists("ActivityName", "")),
      UserEmail = tostring(column_ifexists("UserEmail", "")),
      SrcIp = tostring(column_ifexists("SrcIp", ""))
  | where TimeGenerated between (ago(lookback) .. ago(recentWindow))
  | where ActivityName has "Logon"
  | where isnotempty(UserEmail) and isnotempty(SrcIp)
  | summarize by UserEmail, SrcIp;
  RedSiftAuth_CL
  | extend
      ActivityName = tostring(column_ifexists("ActivityName", "")),
      UserEmail = tostring(column_ifexists("UserEmail", "")),
      SrcIp = tostring(column_ifexists("SrcIp", "")),
      HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
      ServiceName = tostring(column_ifexists("ServiceName", "")),
      Severity = tostring(column_ifexists("Severity", ""))
  | where TimeGenerated >= ago(recentWindow)
  | where ActivityName has "Logon"
  | where isnotempty(UserEmail) and isnotempty(SrcIp)
  | join kind=leftanti (historicalLogins) on UserEmail, SrcIp
  | project
      TimeGenerated,
      UserEmail,
      SrcIp,
      HttpUserAgent,
      ServiceName,
      ActivityName,
      Severity  
eventGroupingSettings:
  aggregationKind: AlertPerResult
suppressionDuration: PT1H
tactics:
- InitialAccess
triggerThreshold: 0
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: FullName
    columnName: UserEmail
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SrcIp
requiredDataConnectors:
- connectorId: RedSiftPush
  dataTypes:
  - RedSiftAuth_CL
alertDetailsOverride:
  alertDescriptionFormat: User {{UserEmail}} logged in from a previously unseen IP address {{SrcIp}}.
  alertDisplayNameFormat: RedSift - New IP Login for {{UserEmail}}
relevantTechniques:
- T1078
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml
customDetails:
  UserAgent: HttpUserAgent
  ServiceName: ServiceName
description: |
    'Detects a successful login from an IP address that has not been seen in the previous 14 days for that user, which may indicate compromised credentials or unauthorized access.'
incidentConfiguration:
  groupingConfiguration:
    reopenClosedIncident: false
    enabled: true
    matchingMethod: Selected
    lookbackDuration: P1D
    groupByEntities:
    - Account
  createIncident: true
name: Red Sift - Login from previously unseen IP address
version: 1.0.1
kind: Scheduled
id: c3d4e5f6-a7b8-9012-cdef-123456789012
severity: Medium