Netskope - Impossible Travel Detection Two Countries in Less Than 1 Hour
| Field | Value |
| --- | --- |
| Id | d1b88716-3cd4-4585-a9a2-2dd2c9b04ecb |
| Rulename | Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour) |
| Description | Detects when a user accesses resources from two distinct countries within less than 1 hour, indicating potential credential compromise or VPN abuse. |
| Severity | High |
| Tactics | InitialAccess, CredentialAccess |
| Techniques | T1078 |
| Required data connectors | NetskopeWebTxConnector |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 2h |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule5.yaml |
| Version | 1.0.0 |
| Arm template | d1b88716-3cd4-4585-a9a2-2dd2c9b04ecb.json |
```kusto
// Fixed one-hour buckets. bin() boundaries are absolute (10:00, 11:00, ...),
// so two events that straddle a boundary land in different groups and are never compared.
let timeWindow = 1h;
NetskopeWebTransactions_CL
| where TimeGenerated > ago(1h)
| where isnotempty(CsUsername) and isnotempty(XCCountry)
| summarize
    Countries = make_set(XCCountry),
    Locations = make_set(XCLocation),
    IPs = make_set(CIp),
    MinTime = min(TimeGenerated),
    MaxTime = max(TimeGenerated),
    EventCount = count()
    by CsUsername, bin(TimeGenerated, timeWindow)
// More than one distinct country seen inside the same bucket
| where array_length(Countries) > 1
// Spread between first and last event in the bucket; inside a single 1h bin this
// cannot exceed 59, so the filter below never removes rows
| extend TimeDiffMinutes = datetime_diff('minute', MaxTime, MinTime)
| where TimeDiffMinutes < 60
| project
    TimeGenerated,            // bucket start after summarize, not the event time
    User = CsUsername,
    DistinctCountries = Countries,
    Locations,
    SourceIPs = IPs,
    TimeDifferenceMinutes = TimeDiffMinutes,
    EventCount,
    AlertDetails = strcat('User ', CsUsername, ' accessed from ', array_length(Countries), ' countries within ', TimeDiffMinutes, ' minutes')
```
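The query above groups events into fixed hourly bins, so a user seen in one country at 10:58 and in another at 11:03 is split across two bins and never alerted on, even though the gap is five minutes. The following Python is an added example, not part of the Sentinel rule or the Netskope solution: it re-implements the rule's bin-based logic over a constructed sample (all usernames, countries and IPs are invented) so the gap can be seen, and adds a sliding-window pass that compares each event with the later events of the same user within the window regardless of bin boundaries.

```python
"""Impossible-travel check over Netskope web transaction records.

Added example (not the Sentinel rule's own code): re-implements the rule's
fixed-bin logic in Python and adds a sliding-window pass that catches pairs of
events straddling an hourly bin boundary. All rows below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

WINDOW = timedelta(hours=1)  # same as `let timeWindow = 1h;` in the rule


def ts(hhmm: str) -> datetime:
    """Timestamp helper for the sample: every row falls on one constructed day, UTC."""
    return datetime.strptime(f"2024-01-15 {hhmm}", "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


# Constructed sample in the shape of NetskopeWebTransactions_CL:
# (TimeGenerated, CsUsername, XCCountry, XCLocation, CIp). Invented values.
SAMPLE_ROWS = [
    (ts("10:05"), "alice", "United States",  "New York",  "203.0.113.10"),
    (ts("10:40"), "alice", "Germany",        "Frankfurt", "198.51.100.7"),
    (ts("10:58"), "bob",   "United States",  "Seattle",   "203.0.113.22"),
    (ts("11:03"), "bob",   "United Kingdom", "London",    "198.51.100.40"),
    (ts("10:10"), "carol", "France",         "Paris",     "192.0.2.5"),
    (ts("10:30"), "carol", "France",         "Lyon",      "192.0.2.6"),
    (ts("09:10"), "dave",  "Japan",          "Tokyo",     "192.0.2.77"),
    (ts("10:50"), "dave",  "United States",  "San Jose",  "203.0.113.90"),
    (ts("10:20"), "",      "Brazil",         "Sao Paulo", "192.0.2.99"),  # no user: dropped
]


def bin_start(t: datetime, window: timedelta) -> datetime:
    """Equivalent of KQL bin(TimeGenerated, window): floor to an absolute boundary."""
    epoch = datetime(1970, 1, 1, tzinfo=timezone.utc)
    return epoch + ((t - epoch) // window) * window


def detect_binned(rows, window=WINDOW):
    """Mirror of the rule: group by user and fixed bin, flag bins with more than
    one country. Pairs of events that straddle a bin boundary are never compared."""
    groups = defaultdict(list)
    for t, user, country, location, ip in rows:
        if not user or not country:  # isnotempty(CsUsername) and isnotempty(XCCountry)
            continue
        groups[(user, bin_start(t, window))].append((t, country, ip))
    alerts = []
    for (user, start), events in groups.items():
        countries = sorted({c for _, c, _ in events})
        if len(countries) <= 1:
            continue
        times = [t for t, _, _ in events]
        minutes = int((max(times) - min(times)).total_seconds() // 60)
        if minutes < window.total_seconds() / 60:  # always true inside one bin; kept to match the rule
            alerts.append({"user": user, "bin": start, "countries": countries,
                           "ips": sorted({ip for _, _, ip in events}),
                           "minutes": minutes, "events": len(events)})
    return alerts


def detect_sliding(rows, window=WINDOW):
    """Sliding-window variant: for each user, compare every event with the later
    events that fall within `window` of it, independent of bin boundaries.
    Keeps the tightest differing-country pair per user."""
    per_user = defaultdict(list)
    for t, user, country, location, ip in rows:
        if user and country:
            per_user[user].append((t, country, ip))
    alerts = {}
    for user, events in per_user.items():
        events.sort()  # chronological; the tuple's first element is the timestamp
        for i, (t_i, c_i, ip_i) in enumerate(events):
            for t_j, c_j, ip_j in events[i + 1:]:
                if t_j - t_i >= window:
                    break  # events are sorted, so later ones are further away still
                if c_j != c_i:
                    minutes = int((t_j - t_i).total_seconds() // 60)
                    if user not in alerts or minutes < alerts[user]["minutes"]:
                        alerts[user] = {"user": user, "countries": sorted({c_i, c_j}),
                                        "ips": sorted({ip_i, ip_j}), "minutes": minutes}
    return list(alerts.values())


def alert_details(alert) -> str:
    """Same text as the rule's AlertDetails column."""
    return (f"User {alert['user']} accessed from {len(alert['countries'])} "
            f"countries within {alert['minutes']} minutes")


if __name__ == "__main__":
    for label, alerts in (("binned", detect_binned(SAMPLE_ROWS)),
                          ("sliding", detect_sliding(SAMPLE_ROWS))):
        print(label, [alert_details(a) for a in alerts])
```

On the sample, `detect_binned` returns only alice (35 minutes apart, same bin) while `detect_sliding` also returns bob (5 minutes apart across the 11:00 boundary); carol stays in one country and dave's two countries are 100 minutes apart, so neither function flags them. A KQL version of the sliding pass can be written by sorting on `CsUsername, TimeGenerated`, applying `serialize`, and comparing each row with `prev(XCCountry)` and `prev(TimeGenerated)`; note that the rule's `ago(1h)` filter combined with a 1h run frequency also means each run only ever sees a partial bin, so widening the lookback to the 2h query period is worth considering alongside the sliding comparison.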
```yaml
id: d1b88716-3cd4-4585-a9a2-2dd2c9b04ecb
name: Netskope - Impossible Travel Detection (Two Countries in Less Than 1 Hour)
description: |
  Detects when a user accesses resources from two distinct countries within less than 1 hour, indicating potential credential compromise or VPN abuse.
severity: High
status: Available
requiredDataConnectors:
  - connectorId: NetskopeWebTxConnector
    dataTypes:
      - NetskopeWebTransactions_CL
queryFrequency: 1h
queryPeriod: 2h
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
  - CredentialAccess
relevantTechniques:
  - T1078
query: |
  let timeWindow = 1h;
  NetskopeWebTransactions_CL
  | where TimeGenerated > ago(1h)
  | where isnotempty(CsUsername) and isnotempty(XCCountry)
  | summarize
      Countries = make_set(XCCountry),
      Locations = make_set(XCLocation),
      IPs = make_set(CIp),
      MinTime = min(TimeGenerated),
      MaxTime = max(TimeGenerated),
      EventCount = count()
      by CsUsername, bin(TimeGenerated, timeWindow)
  | where array_length(Countries) > 1
  | extend TimeDiffMinutes = datetime_diff('minute', MaxTime, MinTime)
  | where TimeDiffMinutes < 60
  | project
      TimeGenerated,
      User = CsUsername,
      DistinctCountries = Countries,
      Locations,
      SourceIPs = IPs,
      TimeDifferenceMinutes = TimeDiffMinutes,
      EventCount,
      AlertDetails = strcat('User ', CsUsername, ' accessed from ', array_length(Countries), ' countries within ', TimeDiffMinutes, ' minutes')
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: Name
        columnName: User
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/NetskopeWebTx/Analytic Rules/NetskopeWebtx_Rule5.yaml
```