CiscoDuo
| where EventType =~ 'authentication'
| where EventResult =~ 'success'
| where isnotempty(AccessDvcIpAddr)
| summarize dvc_ip = makeset(AccessDvcIpAddr) by DstUserName
| join (CiscoDuo
| where EventType =~ 'authentication'
| where EventResult =~ 'success') on DstUserName
| where dvc_ip !has AccessDvcIpAddr
| extend IPCustomEntity = AccessDvcIpAddr, AccountCustomEntity = DstUserName
queryPeriod: 14d
query: |
CiscoDuo
| where EventType =~ 'authentication'
| where EventResult =~ 'success'
| where isnotempty(AccessDvcIpAddr)
| summarize dvc_ip = makeset(AccessDvcIpAddr) by DstUserName
| join (CiscoDuo
| where EventType =~ 'authentication'
| where EventResult =~ 'success') on DstUserName
| where dvc_ip !has AccessDvcIpAddr
| extend IPCustomEntity = AccessDvcIpAddr, AccountCustomEntity = DstUserName
name: Cisco Duo - New access device
entityMappings:
- fieldMappings:
- columnName: IPCustomEntity
identifier: Address
entityType: IP
- fieldMappings:
- columnName: AccountCustomEntity
identifier: Name
entityType: Account
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/CiscoDuoSecurity/Analytic Rules/CiscoDuoNewAccessDevice.yaml
requiredDataConnectors:
- connectorId: CiscoDuoSecurity
dataTypes:
- CiscoDuo
description: |
'Detects new access device.'
kind: Scheduled
version: 1.0.0
status: Available
severity: Medium
relevantTechniques:
- T1078
triggerOperator: gt
triggerThreshold: 0
tactics:
- InitialAccess
id: f05271b6-26a5-49cf-ad73-4a202fba6eb6
