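// Correlate two Azure AD Identity Protection alerts raised for the same user
// within a short window of each other: "Unfamiliar sign-in properties" and
// "Atypical travel". Output: one row per matched pair with both alerts' times and
// severities, the atypical-travel locations/IPs, and Sentinel custom entities.
//
// Columns read from SecurityAlert: TimeGenerated, AlertName, AlertSeverity,
// ExtendedProperties (JSON string), Entities (JSON array as a string).
//
// Tunables: TimeFrame bounds the lookback; Window is the largest gap between the
// two alerts for them to count as related (either may fire first).
let TimeFrame = ago(1d);
let Window = 10min;
// The user is read from ExtendedProperties["User Account"]. When that key is
// missing for an alert, UserPrincipalName is empty; such rows are dropped below
// rather than correlated. NOTE(review): if results come back without a user,
// the account is probably carried under Entities (an entry with Type "account")
// instead of ExtendedProperties for that alert type — confirm with
//   SecurityAlert | where AlertName == "<alert name>" | take 5
//   | project ExtendedProperties, Entities
// and extend the extraction accordingly.
let Alert1 =
    SecurityAlert
    | where TimeGenerated > TimeFrame
    | where AlertName == "Unfamiliar sign-in properties"
    | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
    // Without this guard an empty key on both sides inner-joins every
    // unattributed Alert1 row to every unattributed Alert2 row, producing
    // "matches" that name no account. A non-empty UPN makes the join meaningful.
    | where isnotempty(UserPrincipalName)
    | extend Alert1Time = TimeGenerated
    | extend Alert1 = AlertName
    | extend Alert1Severity = AlertSeverity
    ;
let Alert2 =
    SecurityAlert
    | where TimeGenerated > TimeFrame
    | where AlertName == "Atypical travel"
    | extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
    | where isnotempty(UserPrincipalName)
    | extend Alert2Time = TimeGenerated
    | extend Alert2 = AlertName
    | extend Alert2Severity = AlertSeverity
    // Parse Entities once instead of inside every tostring() call. Indexes 1 and
    // 2 are kept from the original query as the current and previous sign-in
    // entities — NOTE(review): this is positional, not keyed on entity Type;
    // verify against real Atypical travel alerts before relying on it.
    | extend Ents = parse_json(Entities)
    | extend CurrentLoc = parse_json(tostring(Ents[1].Location)),
             PreviousLoc = parse_json(tostring(Ents[2].Location))
    | extend CurrentLocation = strcat(tostring(CurrentLoc.CountryCode), "|", tostring(CurrentLoc.State), "|", tostring(CurrentLoc.City))
    | extend PreviousLocation = strcat(tostring(PreviousLoc.CountryCode), "|", tostring(PreviousLoc.State), "|", tostring(PreviousLoc.City))
    | extend CurrentIPAddress = tostring(Ents[1].Address)
    | extend PreviousIPAddress = tostring(Ents[2].Address)
    ;
Alert1
| join kind=inner Alert2 on UserPrincipalName
// Symmetric window: |Alert1Time - Alert2Time| <= Window, inclusive, same as the
// original between (-10min..10min) check.
| where abs(Alert1Time - Alert2Time) <= Window
| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = CurrentIPAddress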
When I run this query it produces output, but there is no user name or account information, so all I know is that there was an incident; there is no way of determining who was involved.