Merge pull request #1093 from Castaldio86/patch-3

Create CorrelateIPC_Unfamiliar-Atypical
2020-09-25 09:19:04 -07:00 · 2020-09-25 09:19:04 -07:00 · 56998b4878
--- a/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical
+++ b/Detections/SecurityAlert/CorrelateIPC_Unfamiliar-Atypical
@ -0,0 +1,48 @@
+id: a3df4a32-4805-4c6d-8699-f3c888af2f67
+name: Correlate Unfamiliar sign-in properties and atypical travel alerts
+description: |
+  'When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity'
+severity: High
+requiredDataConnectors:
+  - connectorId: AzureActiveDirectoryIdentityProtection
+    dataTypes:
+      - SecurityAlert (IPC)
+queryFrequency: 1d
+queryPeriod: 1d
+triggerOperator: gt
+triggerThreshold: 0
+tactics:
+  - InitialAccess
+relevantTechniques:
+  - T1078
+query: |
+  let TimeFrame = ago(1d);
+  let Alert1 = 
+  SecurityAlert
+  | where TimeGenerated > TimeFrame
+  | where AlertName == "Unfamiliar sign-in properties"
+  | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
+  | extend Alert1Time = TimeGenerated
+  | extend Alert1 = AlertName
+  | extend Alert1Severity = AlertSeverity
+  ;
+  let Alert2 = 
+  SecurityAlert
+  | where TimeGenerated > TimeFrame
+  | where AlertName == "Atypical travel"
+  | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
+  | extend Alert2Time = TimeGenerated
+  | extend Alert2 = AlertName
+  | extend Alert2Severity = AlertSeverity
+  | extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))
+  | extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))
+  | extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)
+  | extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)
+  ;
+  Alert1
+  | join kind=inner Alert2 on UserPrincipalName
+  | where (Alert1Time - Alert2Time) between (-10min..10min)
+  | extend TimeDelta = Alert1Time - Alert2Time
+  | project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress
+  | extend AccountCustomEntity = UserPrincipalName
+  | extend IPCustomEntity = CurrentIPAddress