Forum Discussion
Why does the "User Login from Different Countries" rule not contain IP addresses?
Hey! I'm currently looking at refreshing our rules for our Sentinel instance, but I've noticed that one of the default Msft rules, "User login from different countries within 3 hours (Uses Authen...
Assuming the column containing the IP address is named "SrcDvcIPAddr", try this.
I added "IPs=make_set(SrcDvcIPAddr)" to the summarize.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
, NumOfCountries = dcount(SrcGeoCountry), IPs=make_set(SrcDvcIPAddr)
by TargetUserId, TargetUsername, TargetUserType