Castaldio86/Correlate Unfamiliar sign-in properties and atypical travel alerts

## Correlate Unfamiliar sign-in properties and atypical travel alerts
let TimeFrame = ago(1d);
let Alert1 =
SecurityAlert
| where TimeGenerated > TimeFrame
| where AlertName == "Unfamiliar sign-in properties"
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
| extend Alert1Time = TimeGenerated
| extend Alert1 = AlertName
| extend Alert1Severity = AlertSeverity
;
let Alert2 =
SecurityAlert
| where TimeGenerated > TimeFrame
| where AlertName == "Atypical travel"
| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
| extend Alert2Time = TimeGenerated
| extend Alert2 = AlertName
| extend Alert2Severity = AlertSeverity
| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))
| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), "|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))
| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)
| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)
;
Alert1
| join kind=inner Alert2 on UserPrincipalName
| where (Alert1Time - Alert2Time) between (-10min..10min)
| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = CurrentIPAddress
	let TimeFrame = ago(1d);
	let Alert1 =
	SecurityAlert
	\| where TimeGenerated > TimeFrame
	\| where AlertName == "Unfamiliar sign-in properties"
	\| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
	\| extend Alert1Time = TimeGenerated
	\| extend Alert1 = AlertName
	\| extend Alert1Severity = AlertSeverity
	;
	let Alert2 =
	SecurityAlert
	\| where TimeGenerated > TimeFrame
	\| where AlertName == "Atypical travel"
	\| extend UserPrincipalName = tostring(parse_json(ExtendedProperties).["User Account"])
	\| extend Alert2Time = TimeGenerated
	\| extend Alert2 = AlertName
	\| extend Alert2Severity = AlertSeverity
	\| extend CurrentLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[1].Location)).CountryCode), "\|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).State), "\|", tostring(parse_json(tostring(parse_json(Entities)[1].Location)).City))
	\| extend PreviousLocation = strcat(tostring(parse_json(tostring(parse_json(Entities)[2].Location)).CountryCode), "\|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).State), "\|", tostring(parse_json(tostring(parse_json(Entities)[2].Location)).City))
	\| extend CurrentIPAddress = tostring(parse_json(Entities)[1].Address)
	\| extend PreviousIPAddress = tostring(parse_json(Entities)[2].Address)
	;
	Alert1
	\| join kind=inner Alert2 on UserPrincipalName
	\| where (Alert1Time - Alert2Time) between (-10min..10min)
	\| project UserPrincipalName, Alert1, Alert1Time, Alert1Severity, Alert2, Alert2Time, Alert2Severity, CurrentLocation, PreviousLocation, CurrentIPAddress, PreviousIPAddress
	\| extend AccountCustomEntity = UserPrincipalName
	\| extend IPCustomEntity = CurrentIPAddress