Merge pull request #1093 from Castaldio86/patch-3
Create CorrelateIPC_Unfamiliar-Atypical
This commit is contained in:
Коммит
56998b4878
|
@ -0,0 +1,48 @@
|
|||
id: a3df4a32-4805-4c6d-8699-f3c888af2f67
|
||||
name: Correlate Unfamiliar sign-in properties and atypical travel alerts
|
||||
description: |
|
||||
'When a user has both an Unfamiliar sign-in properties alert and an Atypical travel alert within 20 minutes, the alert should be handled with a higher severity'
|
||||
severity: High
|
||||
requiredDataConnectors:
|
||||
- connectorId: AzureActiveDirectoryIdentityProtection
|
||||
dataTypes:
|
||||
- SecurityAlert (IPC)
|
||||
queryFrequency: 1d
|
||||
queryPeriod: 1d
|
||||
triggerOperator: gt
|
||||
triggerThreshold: 0
|
||||
tactics:
|
||||
- InitialAccess
|
||||
relevantTechniques:
|
||||
- T1078
|
||||
query: |
|
||||
let TimeFrame = ago(1d);
|
||||
let Alert1 =
|
||||
SecurityAlert
|
||||
| where TimeGenerated > TimeFrame
|
||||
| where AlertName == "Unfamiliar sign-in properties"
|
||||
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
|
||||
| extend Alert1Time = TimeGenerated
|
||||
| extend Alert1 = AlertName
|
||||
| extend Alert1Severity = AlertSeverity
|
||||
;
|
||||
let Alert2 =
|
||||
SecurityAlert
|
||||
| where TimeGenerated > TimeFrame
|
||||
| where AlertName == "Atypical travel"
|
||||
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
|
||||
| extend Alert2Time = TimeGenerated
|
||||
| extend Alert2 = AlertName
|
||||
| extend Alert2Severity = AlertSeverity
|
||||
| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))
|
||||
| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))
|
||||
| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)
|
||||
| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)
|
||||
;
|
||||
Alert1
|
||||
| join kind=inner Alert2 on UserPrincipalName
|
||||
| where (Alert1Time - Alert2Time) between (-10min..10min)
|
||||
| extend TimeDelta = Alert1Time - Alert2Time
|
||||
| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, TimeDelta, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress
|
||||
| extend AccountCustomEntity = UserPrincipalName
|
||||
| extend IPCustomEntity = CurrentIPAddress
|
Загрузка…
Ссылка в новой задаче