let lookback = 14d;
let recentWindow = 1h;
let historicalLogins = RedSiftAuth_CL
| extend
ActivityName = tostring(column_ifexists("ActivityName", "")),
UserEmail = tostring(column_ifexists("UserEmail", "")),
SrcIp = tostring(column_ifexists("SrcIp", ""))
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| summarize by UserEmail, SrcIp;
RedSiftAuth_CL
| extend
ActivityName = tostring(column_ifexists("ActivityName", "")),
UserEmail = tostring(column_ifexists("UserEmail", "")),
SrcIp = tostring(column_ifexists("SrcIp", "")),
HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
ServiceName = tostring(column_ifexists("ServiceName", "")),
Severity = tostring(column_ifexists("Severity", ""))
| where TimeGenerated >= ago(recentWindow)
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| join kind=leftanti (historicalLogins) on UserEmail, SrcIp
| project
TimeGenerated,
UserEmail,
SrcIp,
HttpUserAgent,
ServiceName,
ActivityName,
Severity
relevantTechniques:
- T1078
entityMappings:
- entityType: Account
fieldMappings:
- columnName: UserEmail
identifier: FullName
- entityType: IP
fieldMappings:
- columnName: SrcIp
identifier: Address
eventGroupingSettings:
aggregationKind: AlertPerResult
version: 1.0.1
suppressionDuration: PT1H
id: c3d4e5f6-a7b8-9012-cdef-123456789012
suppressionEnabled: false
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: |
'Detects a successful login from an IP address that has not been seen in the previous 14 days for that user, which may indicate compromised credentials or unauthorized access.'
requiredDataConnectors:
- connectorId: RedSiftPush
dataTypes:
- RedSiftAuth_CL
triggerOperator: gt
name: Red Sift - Login from previously unseen IP address
tactics:
- InitialAccess
alertDetailsOverride:
alertDescriptionFormat: User {{UserEmail}} logged in from a previously unseen IP address {{SrcIp}}.
alertDisplayNameFormat: RedSift - New IP Login for {{UserEmail}}
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Red Sift/Analytic Rules/RedSiftLoginFromNewIP.yaml
triggerThreshold: 0
queryPeriod: 14d
query: |
let lookback = 14d;
let recentWindow = 1h;
let historicalLogins = RedSiftAuth_CL
| extend
ActivityName = tostring(column_ifexists("ActivityName", "")),
UserEmail = tostring(column_ifexists("UserEmail", "")),
SrcIp = tostring(column_ifexists("SrcIp", ""))
| where TimeGenerated between (ago(lookback) .. ago(recentWindow))
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| summarize by UserEmail, SrcIp;
RedSiftAuth_CL
| extend
ActivityName = tostring(column_ifexists("ActivityName", "")),
UserEmail = tostring(column_ifexists("UserEmail", "")),
SrcIp = tostring(column_ifexists("SrcIp", "")),
HttpUserAgent = tostring(column_ifexists("HttpUserAgent", "")),
ServiceName = tostring(column_ifexists("ServiceName", "")),
Severity = tostring(column_ifexists("Severity", ""))
| where TimeGenerated >= ago(recentWindow)
| where ActivityName has "Logon"
| where isnotempty(UserEmail) and isnotempty(SrcIp)
| join kind=leftanti (historicalLogins) on UserEmail, SrcIp
| project
TimeGenerated,
UserEmail,
SrcIp,
HttpUserAgent,
ServiceName,
ActivityName,
Severity
status: Available
customDetails:
UserAgent: HttpUserAgent
ServiceName: ServiceName
incidentConfiguration:
createIncident: true
groupingConfiguration:
matchingMethod: Selected
groupByEntities:
- Account
reopenClosedIncident: false
enabled: true
lookbackDuration: P1D
