Why does the "User Login from Different Countries" rule not contain IP addresses?


Hey!

I'm currently looking at refreshing our rules for our Sentinel instance, but I've noticed that one of the default Msft rules, "User login from different countries within 3 hours (Uses Authentication Normalization)" has no IP address entity... why?...

Is there a way I can amend the below KQL to get the IP addresses to show? I've tried implementing SrcDvcIPAddr, but no matter where or which way I put it in, it always errors. Any help would be appreciated.

let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType=='Logon' and EventResult=='Success'
| where isnotempty(SrcGeoCountry)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
  , NumOfCountries = dcount(SrcGeoCountry)
  by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
| extend timestamp = StartTime, AccountCustomEntity = TargetUsername

1 Reply

@CharlieK95 

Assuming the column containing the IP address is named "SrcDvcIPAddr", try this. 

I added "IPs=make_set(SrcDvcIPAddr)" to the summarize.

| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated), Vendors=make_set(EventVendor), Products=make_set(EventProduct)
  , NumOfCountries = dcount(SrcGeoCountry), IPs=make_set(SrcDvcIPAddr)
  by TargetUserId, TargetUsername, TargetUserType
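As an added example (not part of the original thread), here is the full rule with the source IPs collected inside the summarize and then expanded so each IP is a plain string that can be mapped to an IP entity. It assumes, like the reply above, that the imAuthentication parser exposes a SrcDvcIPAddr column; IPCustomEntity follows the same custom-entity naming convention as the AccountCustomEntity column already in the rule.

```kql
// Added example, not the original rule: collect source IPs in the same
// summarize that counts countries. Columns such as SrcDvcIPAddr do not
// exist after summarize, so referencing them in a later extend or
// project is what produces the error described in the question.
let timeframe = ago(3h);
let threshold = 2;
imAuthentication
| where TimeGenerated > timeframe
| where EventType == 'Logon' and EventResult == 'Success'
| where isnotempty(SrcGeoCountry)
| summarize StartTime = min(TimeGenerated), EndTime = max(TimeGenerated),
    Vendors = make_set(EventVendor), Products = make_set(EventProduct),
    // Keep the countries too, so the analyst sees which ones triggered the rule
    Countries = make_set(SrcGeoCountry),
    // Assumes SrcDvcIPAddr exists; skip rows where the parser left it empty
    IPs = make_set_if(SrcDvcIPAddr, isnotempty(SrcDvcIPAddr)),
    NumOfCountries = dcount(SrcGeoCountry)
    by TargetUserId, TargetUsername, TargetUserType
| where NumOfCountries >= threshold
// Entity mapping needs a single string per row, not a dynamic array,
// so produce one row per source IP before mapping it to an entity.
| mv-expand IPs to typeof(string)
| extend timestamp = StartTime,
         AccountCustomEntity = TargetUsername,
         IPCustomEntity = IPs
```

Note that mv-expand yields one result row per IP address for each user, so if you only want the IP list in the alert details and a single row per user, drop the mv-expand and keep the IPs column as a set instead.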