let LearningPeriod = 7d;
let RunTime = 1h;
let StartTime = 1h;
let EndRunTime = StartTime - RunTime;
let EndLearningTime = StartTime + LearningPeriod;
let GitHubCountryCodeLogs = (GitHubAuditData
| where Country != "");
GitHubCountryCodeLogs
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize makeset(Country) by Actor
| join kind=innerunique (
GitHubCountryCodeLogs
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| distinct Country, Actor, TimeGenerated
) on Actor
| where set_Country !contains Country
| extend AccountCustomEntity = Actor , timestamp = TimeGenerated
requiredDataConnectors: []
triggerOperator: gt
queryFrequency: 1d
name: GitHub Activites from a New Country
status: Available
queryPeriod: 7d
id: f041e01d-840d-43da-95c8-4188f6cef546
description: |
'Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.'
severity: Medium
query: |
let LearningPeriod = 7d;
let RunTime = 1h;
let StartTime = 1h;
let EndRunTime = StartTime - RunTime;
let EndLearningTime = StartTime + LearningPeriod;
let GitHubCountryCodeLogs = (GitHubAuditData
| where Country != "");
GitHubCountryCodeLogs
| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))
| summarize makeset(Country) by Actor
| join kind=innerunique (
GitHubCountryCodeLogs
| where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))
| distinct Country, Actor, TimeGenerated
) on Actor
| where set_Country !contains Country
| extend AccountCustomEntity = Actor , timestamp = TimeGenerated
version: 1.0.0
kind: Scheduled
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Activities from Infrequent Country.yaml
entityMappings:
- entityType: Account
fieldMappings:
- identifier: FullName
columnName: AccountCustomEntity
relevantTechniques:
- T1078
tactics:
- InitialAccess
triggerThreshold: 0
{
"$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentTemplate.json#",
"contentVersion": "1.0.0.0",
"parameters": {
"workspace": {
"type": "String"
}
},
"resources": [
{
"id": "[concat(resourceId('Microsoft.OperationalInsights/workspaces/providers', parameters('workspace'), 'Microsoft.SecurityInsights'),'/alertRules/f041e01d-840d-43da-95c8-4188f6cef546')]",
"name": "[concat(parameters('workspace'),'/Microsoft.SecurityInsights/f041e01d-840d-43da-95c8-4188f6cef546')]",
"type": "Microsoft.OperationalInsights/workspaces/providers/alertRules",
"kind": "Scheduled",
"apiVersion": "2022-11-01-preview",
"properties": {
"displayName": "GitHub Activites from a New Country",
"description": "'Detect activities from a location that was not recently or was never visited by the user or by any user in your organization.'\n",
"severity": "Medium",
"enabled": true,
"query": "let LearningPeriod = 7d;\nlet RunTime = 1h;\nlet StartTime = 1h;\nlet EndRunTime = StartTime - RunTime;\nlet EndLearningTime = StartTime + LearningPeriod;\nlet GitHubCountryCodeLogs = (GitHubAuditData\n| where Country != \"\");\n GitHubCountryCodeLogs\n| where TimeGenerated between (ago(EndLearningTime) .. ago(StartTime))\n| summarize makeset(Country) by Actor\n| join kind=innerunique (\n GitHubCountryCodeLogs\n | where TimeGenerated between (ago(StartTime) .. ago(EndRunTime))\n | distinct Country, Actor, TimeGenerated\n) on Actor \n| where set_Country !contains Country\n| extend AccountCustomEntity = Actor , timestamp = TimeGenerated\n",
"queryFrequency": "P1D",
"queryPeriod": "P7D",
"triggerOperator": "GreaterThan",
"triggerThreshold": 0,
"suppressionDuration": "PT1H",
"suppressionEnabled": false,
"tactics": [
"InitialAccess"
],
"techniques": [
"T1078"
],
"alertRuleTemplateName": "f041e01d-840d-43da-95c8-4188f6cef546",
"customDetails": null,
"entityMappings": [
{
"fieldMappings": [
{
"identifier": "FullName",
"columnName": "AccountCustomEntity"
}
],
"entityType": "Account"
}
],
"templateVersion": "1.0.0",
"OriginalUri": "https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/GitHub/Analytic Rules/(Preview) GitHub - Activities from Infrequent Country.yaml",
"status": "Available"
}
}
]
}