Update Sign-in Burst from Multiple Locations.yaml
Fixing the first line in the query to resolve the YAML file validation issue; will then see if this resolves the KQL validation issue. Also adding the required timestamp entity mapping field.
This commit is contained in:
Parent
46f9e2f48c
Commit
a05f842898
@ -16,11 +16,12 @@ tactics:
relevantTechniques:
- T1110
query: |
let RunTime = 1h;

let RunTime = 1h;
SigninLogs
| where TimeGenerated > ago(RunTime)
| where AppDisplayName == "GitHub.com"
| where ResultType == 0
| summarize CountOfLocations = dcount(Location), Locations = make_set(Location), BurstStartTime = min(TimeGenerated), BurstEndTime = max(TimeGenerated) by UserPrincipalName
| where CountOfLocations > 1
| extend AccountCustomEntity = UserPrincipalName
| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName
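Review bot: `| where CountOfLocations > 1` fires on any user with two distinct `Location` values among successful GitHub.com sign-ins inside the hardcoded `let RunTime = 1h;` window, so a single roaming user, or an egress that alternates between two countries, will raise an alert on every run; expose the threshold as a named parameter next to `RunTime` (for example `let LocationThreshold = 2;` and `| where CountOfLocations >= LocationThreshold`) and consider filtering known egress locations before the `summarize` so tuning does not require editing the pipeline. The new `| extend timestamp = BurstStartTime, AccountCustomEntity = UserPrincipalName` anchors the alert time on the earliest sign-in in the burst; if the alert should instead point at the most recent event, `BurstEndTime` is already computed in the `summarize` line and can be used there instead.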