Update Sign-in Burst from Multiple Locations.yaml

2020-11-04 11:36:51 +02:00 · 2020-11-04 11:36:51 +02:00 · 178c303985
--- a/Detections/SigninLogs/Sign-in
+++ b/Detections/SigninLogs/Sign-in
@ -16,11 +16,11 @@ tactics:
 relevantTechniques:
  - T1110
 query: |
-  let RunTime = 1h;
+    let RunTime = 1h;
  SigninLogs
  | where TimeGenerated > ago(RunTime)
  | where AppDisplayName == "GitHub.com"
  | where ResultType == 0
-  | summarize CountOfLocations = dcount(Location), Locations = make_set(Location) by UserPrincipalName
+  | summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName
  | where CountOfLocations > 1
-  | extend AccountCustomEntity = UserPrincipalName , timestamp = TimeGenerated
+  | extend AccountCustomEntity = UserPrincipalName