I am building a Chronicle detection rule for Azure AD sign-in logs. I want to detect events where a user logs in from an IP address that has not been observed on the same resource within the past 14 days. Could you please help with this?
Hello
In this rule excerpt I'm showing that we are classifying two events: one that represents the current login for the user, and one that represents the historical login. I'm also retrieving the IP address as part of this, which you may need to modify to get the IP from the correct field.
I then use a match block with an "over" condition to check back 14 days.
Let me know if you have any thoughts around this.
events:
    // current login for the user, resource and IP
    $current_login.metadata.event_type = "USER_LOGIN"
    $current_login.metadata.product_event_type = "Sign-in activity"
    $current_login.security_result.action = "ALLOW"
    $current_login.principal.user.userid = $user_id
    $current_login.target.application.name = $resource_app_name
    $current_login.source.ip = $ip_address

    // historical login for the same user, resource and IP
    $historical_login.metadata.event_type = "USER_LOGIN"
    $historical_login.metadata.product_event_type = "Sign-in activity"
    $historical_login.security_result.action = "ALLOW"
    $historical_login.principal.user.userid = $user_id
    $historical_login.target.application.name = $resource_app_name
    $historical_login.source.ip = $ip_address

match:
    $ip_address, $user_id, $resource_app_name over 14d
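The following is an added reference implementation of the detection the question describes (a successful sign-in from an IP that has not been seen for the same user and resource in the previous 14 days), written in plain Python so the rule's output can be checked against a known-good baseline. It is not part of the original post or of Chronicle itself. The sample sign-in records, the field names (ts, user, app, ip, action) and all IP addresses and timestamps are constructed for the example; in a real pipeline they would be mapped from the UDM fields used in the rule excerpt (principal.user.userid, target.application.name, source.ip, security_result.action).

```python
from datetime import datetime, timedelta

# Constructed sample of Azure AD sign-in events (hypothetical users, apps and
# IPs) flattened to the fields the detection needs. The rule excerpt above only
# counts successful sign-ins, so denied attempts must not "seed" an IP as known.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:00:00", "user": "alice@example.com", "app": "Office 365",   "ip": "203.0.113.10", "action": "ALLOW"},
    {"ts": "2024-03-05T09:30:00", "user": "alice@example.com", "app": "Office 365",   "ip": "203.0.113.10", "action": "ALLOW"},
    {"ts": "2024-03-06T10:00:00", "user": "alice@example.com", "app": "Office 365",   "ip": "198.51.100.7", "action": "BLOCK"},
    {"ts": "2024-03-07T11:00:00", "user": "alice@example.com", "app": "Office 365",   "ip": "198.51.100.7", "action": "ALLOW"},
    {"ts": "2024-03-08T11:00:00", "user": "alice@example.com", "app": "Azure Portal", "ip": "203.0.113.10", "action": "ALLOW"},
    {"ts": "2024-03-25T12:00:00", "user": "alice@example.com", "app": "Office 365",   "ip": "203.0.113.10", "action": "ALLOW"},
]

# Lookback window, matching the "over 14d" in the rule excerpt.
WINDOW = timedelta(days=14)


def parse_ts(value: str) -> datetime:
    """Parse the ISO-8601 timestamp used in the constructed sample."""
    return datetime.fromisoformat(value)


def find_new_ip_logins(events, window: timedelta = WINDOW):
    """Return successful sign-ins whose (user, app, ip) tuple has no earlier
    successful sign-in within `window` before the event.

    Events are processed in time order so that each event is judged only
    against history that precedes it, the same way a streaming rule would.
    """
    last_seen = {}   # (user, app, ip) -> timestamp of most recent ALLOW
    alerts = []
    for ev in sorted(events, key=lambda e: parse_ts(e["ts"])):
        if ev["action"] != "ALLOW":
            continue   # denied sign-ins neither alert nor mark the IP as known
        key = (ev["user"], ev["app"], ev["ip"])
        ts = parse_ts(ev["ts"])
        prev = last_seen.get(key)
        if prev is None or ts - prev > window:
            alerts.append(ev)   # first sighting, or last sighting outside the window
        last_seen[key] = ts
    return alerts


if __name__ == "__main__":
    for ev in find_new_ip_logins(SAMPLE_EVENTS):
        print(f"{ev['ts']} {ev['user']} -> {ev['app']} from {ev['ip']} (not seen in prior 14d)")
```

Run against the sample, this flags four events: the very first sign-in for each (user, app, ip) tuple (there is no history yet), the 2024-03-07 sign-in from 198.51.100.7 (the earlier attempt from that IP was denied, so it never became "known"), the 2024-03-08 sign-in to Azure Portal (the IP was known for Office 365 but not for that resource), and the 2024-03-25 sign-in, whose previous sighting on 2024-03-05 is 20 days old and therefore outside the window. The repeat sign-in on 2024-03-05 is not flagged. The first-sighting behaviour is worth deciding on explicitly when tuning the Chronicle rule, because every user's first sign-in after the rule is deployed will otherwise look "new".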