Why does the "User Login from Different Countries" rule not contain IP addresses?

Hey!

I'm currently looking at refreshing our rules for our Sentinel instance, but I've noticed that one of the default Msft rules, "User login from different countries within 3 hours (Uses Authentication Normalization)" has no IP address entity... why?...

Is there a way I can amend the below KQL to get the IP addresses to show? I've tried implementing SrcDvcIPAddr, but no matter where or which way I put it in, it always errors. Any help would be appreciated.

// Look back 3 hours; alert when a user has successful logons from 2 or more countries.
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType=='Logon' and EventResult=='Success'
| where isnotempty(SrcGeoCountry)
// One row per account, with the distinct-country count that drives the rule.
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
  , NumOfCountries = dcount(SrcGeoCountry)
  by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
// Only the account is surfaced as an entity; no source address column survives the summarize.
| extend timestamp = StartTime, AccountCustomEntity = TargetUsername

1 Reply

@CharlieK95 

Assuming the column containing the IP address is named "SrcDvcIPAddr", try this. 

I added "IPs=make_set(SrcDvcIPAddr)" to the summarize.

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
  , NumOfCountries = dcount(SrcGeoCountry), IPs=make_set(SrcDvcIPAddr)
  by TargetUserId, TargetUsername, TargetUserType
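For reference, here is a complete version of the rule that carries the source addresses through to an IP entity. This is an added example, not the built-in Microsoft rule and not the reply's code. It makes two assumptions: that the ASIM Authentication schema exposes the source address as SrcIpAddr (KQL column names are case-sensitive, so a column spelled any other way, such as SrcDvcIPAddr, fails with an unknown-column error if the parser does not emit it; confirm the exact name with `imAuthentication | getschema` before deploying), and that Sentinel's entity mapping wants one scalar string per row rather than a dynamic array, which is why the collected set of addresses is expanded back into one row per IP after the threshold check.

```kql
// Added example: built-in rule plus source-IP enrichment and an IP entity.
// Assumes the ASIM Authentication field is SrcIpAddr; verify with:
//   imAuthentication | getschema
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon' and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
    Vendors = make_set(EventVendor), Products = make_set(EventProduct),
    Countries = make_set(SrcGeoCountry),           // which countries, not just how many
    NumOfCountries = dcount(SrcGeoCountry),
    IPs = make_set(SrcIpAddr)                      // every source address seen for the account
    by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
// Entity mapping needs a string per row; expand the dynamic array so each
// source address becomes its own row (and therefore its own IP entity).
| mv-expand SrcIpAddr = IPs to typeof(string)
| extend timestamp = StartTime,
    AccountCustomEntity = TargetUsername,
    IPCustomEntity = SrcIpAddr
```

The expansion means one matching account with four distinct source addresses yields four result rows; if you would rather keep a single alert per account, leave the mv-expand out, keep the IPs column for the analyst to read, and map only the account entity, as the original rule does.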