Forum Discussion
CharlieK95
Apr 07, 2022, Copper Contributor
Why does the "User Login from Different Countries" rule not contain IP addresses?
Hey!
I'm currently looking at refreshing our rules for our Sentinel instance, but I've noticed that one of the default Msft rules, "User login from different countries within 3 hours (Uses Authentication Normalization)" has no IP address entity... why?...
Is there a way I can amend the below KQL to get the IP addresses to show? I've tried implementing SrcDvcIPAddr but no matter where or which way I put it in, always errors. Any help would be appreciated.
let timeframe = ago(3h);   // look-back window for the rule
let threshold = 2;         // alert when a user logs on from this many distinct countries
imAuthentication
| where TimeGenerated > timeframe
| where EventType=='Logon' and EventResult=='Success'   // successful logons only
| where isnotempty(SrcGeoCountry)                       // source must have a geolocated country
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
    Vendors=make_set(EventVendor), Products=make_set(EventProduct),
    NumOfCountries = dcount(SrcGeoCountry)
    by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| extend timestamp = StartTime, AccountCustomEntity = TargetUsername   // only the account is mapped as an entity; no IP column survives the summarize
1 Reply
- JonhedSteel Contributor
Assuming the column containing the IP address is named "SrcDvcIPAddr", try this.
I added "IPs=make_set(SrcDvcIPAddr)" to the summarize.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct) , NumOfCountries = dcount(SrcGeoCountry), IPs=make_set(SrcDvcIPAddr) by TargetUserId, TargetUsername, TargetUserType
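The following is an added example, not code from the thread or from the Sentinel rule itself. It re-implements the rule's logic (window filter, successful logons only, non-empty country, per-user `dcount` of countries against a threshold, plus the reply's `make_set` of source IPs) in Python over a constructed set of ASIM-style authentication events, so the behaviour can be checked offline. The IP column name `SrcDvcIPAddr` is carried over from the thread as an assumption; KQL column names are case-sensitive, so the exact spelling in your `imAuthentication` schema must be confirmed before the extra column will parse. The example also records the distinct countries per user, which the original query does not output but which makes triage of the alert easier.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample events mirroring the imAuthentication columns the rule uses.
# All IPs are from documentation ranges; none of this is real telemetry.
EVENTS = [
    # alice: GB, then US, then GB again within the window -> two countries
    {"TimeGenerated": "2022-04-07T08:05:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "GB",
     "SrcDvcIPAddr": "203.0.113.10", "TargetUserId": "u1",
     "TargetUsername": "alice@contoso.example", "TargetUserType": "Regular"},
    {"TimeGenerated": "2022-04-07T09:10:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "US",
     "SrcDvcIPAddr": "198.51.100.7", "TargetUserId": "u1",
     "TargetUsername": "alice@contoso.example", "TargetUserType": "Regular"},
    {"TimeGenerated": "2022-04-07T09:40:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "GB",
     "SrcDvcIPAddr": "203.0.113.10", "TargetUserId": "u1",
     "TargetUsername": "alice@contoso.example", "TargetUserType": "Regular"},
    # bob: second country is a failed logon, so it must not count
    {"TimeGenerated": "2022-04-07T08:30:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "GB",
     "SrcDvcIPAddr": "203.0.113.20", "TargetUserId": "u2",
     "TargetUsername": "bob@contoso.example", "TargetUserType": "Regular"},
    {"TimeGenerated": "2022-04-07T09:00:00Z", "EventType": "Logon", "EventResult": "Failure",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "US",
     "SrcDvcIPAddr": "198.51.100.9", "TargetUserId": "u2",
     "TargetUsername": "bob@contoso.example", "TargetUserType": "Regular"},
    # carol: one event has no geolocation and is dropped by the isnotempty() filter
    {"TimeGenerated": "2022-04-07T08:45:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "",
     "SrcDvcIPAddr": "192.0.2.5", "TargetUserId": "u3",
     "TargetUsername": "carol@contoso.example", "TargetUserType": "Regular"},
    {"TimeGenerated": "2022-04-07T09:15:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "DE",
     "SrcDvcIPAddr": "192.0.2.6", "TargetUserId": "u3",
     "TargetUsername": "carol@contoso.example", "TargetUserType": "Regular"},
    # dave: the US logon is older than the 3h window and is excluded
    {"TimeGenerated": "2022-04-07T04:00:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "US",
     "SrcDvcIPAddr": "198.51.100.30", "TargetUserId": "u4",
     "TargetUsername": "dave@contoso.example", "TargetUserType": "Regular"},
    {"TimeGenerated": "2022-04-07T09:00:00Z", "EventType": "Logon", "EventResult": "Success",
     "EventVendor": "Microsoft", "EventProduct": "Azure AD", "SrcGeoCountry": "GB",
     "SrcDvcIPAddr": "203.0.113.40", "TargetUserId": "u4",
     "TargetUsername": "dave@contoso.example", "TargetUserType": "Regular"},
]

# Constructed "now" so the example is deterministic; the rule uses ago(3h) from query time.
NOW = datetime(2022, 4, 7, 10, 0, tzinfo=timezone.utc)


def _parse(ts: str) -> datetime:
    """Parse an ISO-8601 timestamp with a trailing Z into an aware datetime."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _make_set(values):
    """Equivalent of KQL make_set(): distinct values, first-seen order kept for determinism."""
    return list(dict.fromkeys(v for v in values if v))


def find_multi_country_logons(events, now, timeframe=timedelta(hours=3),
                              threshold=2, ip_field="SrcDvcIPAddr"):
    """Return per-user findings keyed by (TargetUserId, TargetUsername, TargetUserType)."""
    window_start = now - timeframe
    groups = {}
    for e in events:
        t = _parse(e["TimeGenerated"])
        if not t > window_start:                                   # TimeGenerated > timeframe
            continue
        if e["EventType"] != "Logon" or e["EventResult"] != "Success":
            continue
        if not e.get("SrcGeoCountry"):                             # isnotempty(SrcGeoCountry)
            continue
        key = (e["TargetUserId"], e["TargetUsername"], e["TargetUserType"])
        groups.setdefault(key, []).append((t, e))

    findings = {}
    for key, rows in groups.items():
        countries = _make_set(r["SrcGeoCountry"] for _, r in rows)
        if len(countries) < threshold:                             # NumOfCountries >= threshold
            continue
        findings[key] = {
            "StartTime": min(t for t, _ in rows),
            "EndTime": max(t for t, _ in rows),
            "Vendors": _make_set(r["EventVendor"] for _, r in rows),
            "Products": _make_set(r["EventProduct"] for _, r in rows),
            "NumOfCountries": len(countries),
            "Countries": countries,
            "IPs": _make_set(r.get(ip_field) for _, r in rows),   # the reply's added column
            "AccountCustomEntity": key[1],
        }
    return findings


if __name__ == "__main__":
    for key, finding in find_multi_country_logons(EVENTS, NOW).items():
        print(key[1], finding["Countries"], finding["IPs"])
```

Only `alice` is reported: her three successful logons inside the window span two countries and yield two source IPs, which is exactly the extra context the `make_set(SrcDvcIPAddr)` column adds to the Sentinel alert. `bob` (failed second logon), `carol` (missing geolocation) and `dave` (event outside the window) each fall below the threshold, mirroring the filters in the KQL.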