Claroty - Login to uncommon location
| Id | e7dbcbc3-b18f-4635-b27c-718195c369f1 |
| Rulename | Claroty - Login to uncommon location |
| Description | Detects user login to uncommon location. |
| Severity | Medium |
| Tactics | InitialAccess |
| Techniques | T1190 T1133 |
| Required data connectors | CefAma |
| Kind | Scheduled |
| Query frequency | 1h |
| Query period | 14d |
| Trigger threshold | 0 |
| Trigger operator | gt |
| Source Uri | https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml |
| Version | 1.0.4 |
| Arm template | e7dbcbc3-b18f-4635-b27c-718195c369f1.json |
let usr_sites = ClarotyEvent
| where TimeGenerated > ago(14d)
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name","")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| where isnotempty(SrcUsername)
| summarize all_loc = make_set(tostring(Site)) by SrcUsername;
ClarotyEvent
| where TimeGenerated > ago(14d)
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name","")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| where isnotempty(SrcUsername)
| join kind=leftouter (usr_sites) on SrcUsername
| where isempty(all_loc) or not(set_has_element(all_loc, tostring(Site)))
| extend SrcIpAddr
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), EventCount=count(), Sites=make_set(Site, 100), KnownSites=any(all_loc) by SrcUsername, SrcIpAddr, Site, EventType, EventMessage
| extend UncommonSiteCount = array_length(Sites)
| project StartTime, EndTime, SrcUsername, SrcIpAddr, Site, EventType, EventMessage, EventCount, UncommonSiteCount, KnownSites
relevantTechniques:
- T1190
- T1133
entityMappings:
- entityType: IP
fieldMappings:
- columnName: SrcIpAddr
identifier: Address
version: 1.0.4
id: e7dbcbc3-b18f-4635-b27c-718195c369f1
severity: Medium
kind: Scheduled
queryFrequency: 1h
description: Detects user login to uncommon location.
requiredDataConnectors:
- connectorId: CefAma
dataTypes:
- CommonSecurityLog
triggerOperator: gt
name: Claroty - Login to uncommon location
tactics:
- InitialAccess
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/Claroty/Analytic Rules/ClarotyLoginToUncommonSite.yaml
triggerThreshold: 0
queryPeriod: 14d
query: |
let usr_sites = ClarotyEvent
| where TimeGenerated > ago(14d)
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name","")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| where isnotempty(SrcUsername)
| summarize all_loc = make_set(tostring(Site)) by SrcUsername;
ClarotyEvent
| where TimeGenerated > ago(14d)
| where EventType has 'Login to SRA succeeded'
| extend Site = column_ifexists("site_name","")
| where isnotempty(Site)
| extend SrcUsername = extract(@'User\s(.*?)\slogged', 1, EventMessage)
| where isnotempty(SrcUsername)
| join kind=leftouter (usr_sites) on SrcUsername
| where isempty(all_loc) or not(set_has_element(all_loc, tostring(Site)))
| extend SrcIpAddr
| summarize StartTime=min(TimeGenerated), EndTime=max(TimeGenerated), EventCount=count(), Sites=make_set(Site, 100), KnownSites=any(all_loc) by SrcUsername, SrcIpAddr, Site, EventType, EventMessage
| extend UncommonSiteCount = array_length(Sites)
| project StartTime, EndTime, SrcUsername, SrcIpAddr, Site, EventType, EventMessage, EventCount, UncommonSiteCount, KnownSites
status: Available