Malicious IP Address Sign-In Suspicious
Indicates a sign-in from an IP address that was known to be malicious at the time of the sign-in.
Log Source
Product: azure
Service: riskdetection
Detection Logic (1 selector)
detection:
    selection:
        riskEventType: 'suspiciousIPAddress'
    condition: selection
False Positives
We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
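As an added example (not part of the Sigma rule or the SigmaHQ project), the following Python applies the rule's selection to constructed Azure AD Identity Protection riskDetection records and, following the false-positive guidance above, collects the same user's other sign-ins around each hit for triage. Field names other than riskEventType (riskLevel, activityDateTime, ipAddress, userPrincipalName, createdDateTime) are assumptions modelled on the Microsoft Graph riskDetection and signIn resources.

```python
from datetime import datetime, timedelta

# The rule's Sigma selection: one field/value pair; all pairs are ANDed.
SELECTION = {"riskEventType": "suspiciousIPAddress"}

def matches(event: dict) -> bool:
    """Sigma 'selection' semantics: every listed field must equal its value."""
    return all(event.get(k) == v for k, v in SELECTION.items())

def _ts(value: str) -> datetime:
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(risk_events, sign_ins, window_hours=24):
    """Return each flagged detection together with the same user's sign-ins
    from other IPs inside the window, so it can be judged against normal activity."""
    hits = []
    for ev in filter(matches, risk_events):
        t = _ts(ev["activityDateTime"])
        context = [s for s in sign_ins
                   if s["userPrincipalName"] == ev["userPrincipalName"]
                   and s["ipAddress"] != ev["ipAddress"]
                   and abs(_ts(s["createdDateTime"]) - t) <= timedelta(hours=window_hours)]
        hits.append({"user": ev["userPrincipalName"], "ip": ev["ipAddress"],
                     "riskLevel": ev.get("riskLevel"), "otherSignIns": context})
    return hits

# Constructed sample records (documentation IP ranges, placeholder users), not real telemetry.
RISK_EVENTS = [
    {"riskEventType": "suspiciousIPAddress", "riskLevel": "high", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.10", "activityDateTime": "2023-09-07T08:00:00Z"},
    {"riskEventType": "anonymizedIPAddress", "riskLevel": "medium", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.5", "activityDateTime": "2023-09-07T09:00:00Z"},
    {"riskEventType": "suspiciousIPAddress", "riskLevel": "high", "userPrincipalName": "bob@example.com",
     "ipAddress": "203.0.113.11", "activityDateTime": "2023-09-06T22:30:00Z"},
]
SIGN_INS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.20", "createdDateTime": "2023-09-07T07:30:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "createdDateTime": "2023-09-07T08:00:00Z"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.20", "createdDateTime": "2023-09-01T07:30:00Z"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.30", "createdDateTime": "2023-09-06T23:10:00Z"},
]

if __name__ == "__main__":
    for hit in triage(RISK_EVENTS, SIGN_INS):
        print(hit["user"], hit["ip"], hit["riskLevel"],
              "other sign-ins in window:", len(hit["otherSignIns"]))
```

Only the two suspiciousIPAddress records match; the anonymizedIPAddress record is a different riskEventType and is left to its own rule.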
MITRE ATT&CK
Tactics
Command and Control (attack.command-and-control)
Techniques
T1090 Proxy (attack.t1090)
Rule Metadata
Rule ID
36440e1c-5c22-467a-889b-593e66498472
Status
test
Level
high
Type
Detection
Created
Thu Sep 07
Author
Path
rules/cloud/azure/identity_protection/azure_identity_protection_malicious_ip_address_suspicious.yml
Raw Tags
attack.t1090, attack.command-and-control