Microsoft Sentinel Analytic Rules

StealthTalk - Multi new devices registration

Id: f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e
Rulename: StealthTalk - Multi new devices registration
Description: Identifies a single StealthTalk user registering two or more previously-unseen devices within a 24-hour window. Sudden registration of multiple new devices is a strong indicator of account takeover (an attacker enrolling their own device after credential theft) or device-farm abuse.

The rule fires when a user produces two or more distinct NewDeviceId values within the lookback window, regardless of operating system. Look at the NewDeviceOSList custom detail to spot cross-platform patterns (e.g. an iOS-only user suddenly enrolling an Android device).
Severity: Medium
Tactics: Persistence, InitialAccess, DefenseEvasion
Techniques: T1078, T1098
Required data connectors: StealthTalkAnomalousAuth
Kind: Scheduled
Query frequency: 30m
Query period: 1d
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/MultiNewDevicesRegistration.yaml
Version: 1.0.0
Arm template: f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e.json
let LookbackPeriod = 24h;
let MinNewDevices  = 2;
StealthTalkAnomalousAuth_CL
| where TimeGenerated >= ago(LookbackPeriod)
| where EventType == "NewDeviceLogin"
| summarize
    NewDeviceCount  = dcount(NewDeviceId),
    NewDevices      = make_set(NewDeviceId),
    NewDeviceOSList = make_set(NewDeviceOS),
    FirstSeen       = min(TimeGenerated),
    LastSeen        = max(TimeGenerated),
    AppVersions     = make_set(AppVersion)
  by UserId
| where NewDeviceCount >= MinNewDevices
| extend
    AlertName    = "MultiNewDevicesRegistration",
    AlertDetails = strcat(
        "User ", UserId,
        " registered ", NewDeviceCount, " new devices within 24 hours.",
        " Device IDs: ", tostring(NewDevices), ".",
        " Operating systems: ", tostring(NewDeviceOSList), "."
    )
| project
    TimeGenerated = LastSeen,
    UserId, NewDeviceCount, NewDevices, NewDeviceOSList,
    FirstSeen, LastSeen, AppVersions, AlertName, AlertDetails
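To see what the KQL above actually does, here is an added Python re-implementation of the same summarize-and-threshold logic run over a handful of constructed StealthTalkAnomalousAuth_CL rows. It is example code written for this page, not part of the rule or the StealthTalk solution; the sample rows, user names and device IDs are made up, and the CrossPlatform flag is an added triage hint that is not a column the rule emits. It also replays the rule on its 30m schedule to show a tuning caveat: with a 1d query period, a 30m frequency and suppression disabled, the same device pair re-alerts on every run until it ages out of the window, and only the 5h incident grouping by Account keeps those alerts in one incident.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows standing in for the StealthTalkAnomalousAuth_CL table.
# Column names follow the rule; every value is made up for this example.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)


def hours_ago(h):
    return NOW - timedelta(hours=h)


SAMPLE_ROWS = [
    # alice: two distinct new devices on two OSes inside the window -> fires
    {"TimeGenerated": hours_ago(3), "EventType": "NewDeviceLogin", "UserId": "alice",
     "NewDeviceId": "dev-a1", "NewDeviceOS": "iOS", "AppVersion": "4.2.0"},
    {"TimeGenerated": hours_ago(1), "EventType": "NewDeviceLogin", "UserId": "alice",
     "NewDeviceId": "dev-a2", "NewDeviceOS": "Android", "AppVersion": "4.1.9"},
    # bob: the same device reported twice -> dcount is 1, does not fire
    {"TimeGenerated": hours_ago(5), "EventType": "NewDeviceLogin", "UserId": "bob",
     "NewDeviceId": "dev-b1", "NewDeviceOS": "Android", "AppVersion": "4.2.0"},
    {"TimeGenerated": hours_ago(2), "EventType": "NewDeviceLogin", "UserId": "bob",
     "NewDeviceId": "dev-b1", "NewDeviceOS": "Android", "AppVersion": "4.2.0"},
    # carol: first device is 30h old, outside the 24h lookback -> does not fire
    {"TimeGenerated": hours_ago(30), "EventType": "NewDeviceLogin", "UserId": "carol",
     "NewDeviceId": "dev-c1", "NewDeviceOS": "iOS", "AppVersion": "4.2.0"},
    {"TimeGenerated": hours_ago(4), "EventType": "NewDeviceLogin", "UserId": "carol",
     "NewDeviceId": "dev-c2", "NewDeviceOS": "iOS", "AppVersion": "4.2.0"},
    # dave: second row is not a NewDeviceLogin event -> does not fire
    {"TimeGenerated": hours_ago(6), "EventType": "NewDeviceLogin", "UserId": "dave",
     "NewDeviceId": "dev-d1", "NewDeviceOS": "Android", "AppVersion": "4.2.0"},
    {"TimeGenerated": hours_ago(2), "EventType": "Login", "UserId": "dave",
     "NewDeviceId": "dev-d2", "NewDeviceOS": "Android", "AppVersion": "4.2.0"},
]


def evaluate_rule(rows, now, lookback_hours=24, min_new_devices=2):
    """Python equivalent of the rule's KQL: filter, summarize by UserId, threshold."""
    window_start = now - timedelta(hours=lookback_hours)
    groups = defaultdict(list)
    for r in rows:
        # | where TimeGenerated >= ago(LookbackPeriod)
        # | where EventType == "NewDeviceLogin"
        if r["TimeGenerated"] >= window_start and r["EventType"] == "NewDeviceLogin":
            groups[r["UserId"]].append(r)

    alerts = []
    for user, evs in sorted(groups.items()):
        # make_set() keeps distinct values; dcount() is the size of that set
        devices = sorted({e["NewDeviceId"] for e in evs})
        os_list = sorted({e["NewDeviceOS"] for e in evs})
        versions = sorted({e["AppVersion"] for e in evs})
        count = len(devices)
        if count < min_new_devices:  # | where NewDeviceCount >= MinNewDevices
            continue
        first_seen = min(e["TimeGenerated"] for e in evs)
        last_seen = max(e["TimeGenerated"] for e in evs)
        alerts.append({
            "TimeGenerated": last_seen,
            "UserId": user,
            "NewDeviceCount": count,
            "NewDevices": devices,
            "NewDeviceOSList": os_list,
            "FirstSeen": first_seen,
            "LastSeen": last_seen,
            "AppVersions": versions,
            "AlertName": "MultiNewDevicesRegistration",
            "AlertDetails": (f"User {user} registered {count} new devices within "
                             f"{lookback_hours} hours. Device IDs: {devices}. "
                             f"Operating systems: {os_list}."),
            # Added triage hint, not a column of the rule: more than one OS in the set
            "CrossPlatform": len(os_list) > 1,
        })
    return alerts


def alerts_per_user_over_schedule(rows, start, runs, frequency_minutes=30):
    """Replay the scheduled rule `runs` times, `frequency_minutes` apart, and count
    how often each user fires. Without suppression the same device pair keeps
    re-alerting on every run until it leaves the 24h window."""
    hits = defaultdict(int)
    for i in range(runs):
        for a in evaluate_rule(rows, start + timedelta(minutes=i * frequency_minutes)):
            hits[a["UserId"]] += 1
    return dict(hits)


if __name__ == "__main__":
    for a in evaluate_rule(SAMPLE_ROWS, NOW):
        print(a["AlertDetails"], "| cross-platform:", a["CrossPlatform"])
    print(alerts_per_user_over_schedule(SAMPLE_ROWS, NOW, runs=4))
```

Only alice fires on the sample data: bob's repeated device collapses to one under dcount, carol's first device lies outside the lookback, and dave's second row has the wrong EventType. Widening lookback_hours to 48 pulls carol's older device into the window and she fires too, which is the knob to turn if registrations in your tenant are spread over more than a day. The schedule replay shows alice alerting on all four consecutive runs, so if the alert volume matters more than the incident count, consider enabling suppression for roughly the query period or switching the incident grouping lookback to match it.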
version: 1.0.0
severity: Medium
query: |
  let LookbackPeriod = 24h;
  let MinNewDevices  = 2;
  StealthTalkAnomalousAuth_CL
  | where TimeGenerated >= ago(LookbackPeriod)
  | where EventType == "NewDeviceLogin"
  | summarize
      NewDeviceCount  = dcount(NewDeviceId),
      NewDevices      = make_set(NewDeviceId),
      NewDeviceOSList = make_set(NewDeviceOS),
      FirstSeen       = min(TimeGenerated),
      LastSeen        = max(TimeGenerated),
      AppVersions     = make_set(AppVersion)
    by UserId
  | where NewDeviceCount >= MinNewDevices
  | extend
      AlertName    = "MultiNewDevicesRegistration",
      AlertDetails = strcat(
          "User ", UserId,
          " registered ", NewDeviceCount, " new devices within 24 hours.",
          " Device IDs: ", tostring(NewDevices), ".",
          " Operating systems: ", tostring(NewDeviceOSList), "."
      )
  | project
      TimeGenerated = LastSeen,
      UserId, NewDeviceCount, NewDevices, NewDeviceOSList,
      FirstSeen, LastSeen, AppVersions, AlertName, AlertDetails  
queryPeriod: 1d
status: Available
alertDetailsOverride:
  alertDescriptionFormat: '{{AlertDetails}}'
  alertDisplayNameFormat: 'StealthTalk: Multi New Devices - {{UserId}} ({{NewDeviceCount}} new devices)'
suppressionEnabled: false
customDetails:
  NewDeviceCount: NewDeviceCount
  NewDevices: NewDevices
  LastSeen: LastSeen
  FirstSeen: FirstSeen
  NewDeviceOSList: NewDeviceOSList
tactics:
- Persistence
- InitialAccess
- DefenseEvasion
triggerOperator: gt
queryFrequency: 30m
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/StealthTalk/Analytic Rules/MultiNewDevicesRegistration.yaml
entityMappings:
- fieldMappings:
  - columnName: UserId
    identifier: Name
  entityType: Account
suppressionDuration: 5h
name: StealthTalk - Multi new devices registration
triggerThreshold: 0
description: |
  Identifies a single StealthTalk user registering two or more previously-unseen devices within
  a 24-hour window. Sudden registration of multiple new devices is a strong indicator of
  account takeover (an attacker enrolling their own device after credential theft) or
  device-farm abuse.

  The rule fires when a user produces two or more distinct NewDeviceId values within the
  lookback window, regardless of operating system. Look at the NewDeviceOSList custom detail to spot
  cross-platform patterns (e.g. an iOS-only user suddenly enrolling an Android device).
incidentConfiguration:
  createIncident: true
  groupingConfiguration:
    enabled: true
    lookbackDuration: 5h
    matchingMethod: Selected
    groupByEntities:
    - Account
    reopenClosedIncident: false
id: f9d4c2a8-1b6e-4a3f-9c7d-8e2b1a3c5d7e
kind: Scheduled
relevantTechniques:
- T1078
- T1098
requiredDataConnectors:
- connectorId: StealthTalkAnomalousAuth
  dataTypes:
  - StealthTalkAnomalousAuth_CL