Apr 07 2022 05:25 AM
Hey!
I'm currently looking at refreshing our rules for our Sentinel instance, but I've noticed that one of the default Msft rules, "User login from different countries within 3 hours (Uses Authentication Normalization)" has no IP address entity... why?...
Is there a way I can amend the below KQL to get the IP addresses to show? I've tried implementing SrcDvcIPAddr, but no matter where or which way I put it in, it always errors. Any help would be appreciated.
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType=='Logon' and EventResult=='Success'
| where isnotempty(SrcGeoCountry)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
, NumOfCountries = dcount(SrcGeoCountry)
by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| extend timestamp = StartTime, AccountCustomEntity = TargetUsername
Apr 07 2022 06:41 AM
Assuming the column containing the IP address is named "SrcDvcIPAddr", try this.
I added "IPs=make_set(SrcDvcIPAddr)" to the summarize.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
, NumOfCountries = dcount(SrcGeoCountry), IPs=make_set(SrcDvcIPAddr)
by TargetUserId, TargetUsername, TargetUserType
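For reference, here is the complete rule with the source IPs carried through and exposed as an IP entity. This is an added example, not the query from either post above and not Microsoft's built-in rule. It assumes the ASIM Authentication schema's documented field name, SrcDvcIpAddr (lowercase "p"); KQL column names are case-sensitive, so a column referenced as SrcDvcIPAddr fails to resolve, which matches the error described in the question. Confirm the exact name in your own workspace with "imAuthentication | getschema | where ColumnName contains 'Ip'" before deploying.

```kql
// Added example: "User login from different countries within 3 hours" with source IPs.
// Assumption: the ASIM Authentication field is SrcDvcIpAddr (check with getschema).
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon' and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
    Vendors = make_set(EventVendor), Products = make_set(EventProduct),
    // Keep the country list as well as the count, so the analyst sees which countries.
    Countries = make_set(SrcGeoCountry),
    NumOfCountries = dcount(SrcGeoCountry),
    // Only collect rows that actually carry an IP; some sources leave the field empty.
    IPs = make_set_if(SrcDvcIpAddr, isnotempty(SrcDvcIpAddr))
  by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| extend timestamp = StartTime,
    AccountCustomEntity = TargetUsername,
    // The legacy IP entity column must be a single string, not a dynamic array,
    // so take the first collected address here.
    IPCustomEntity = tostring(IPs[0])
```

Picking IPs[0] yields one IP entity per account; if you want a separate entity for every address seen, replace the tostring line with "| mv-expand IPs | extend IPCustomEntity = tostring(IPs)" after the summarize, at the cost of one alert row per IP.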