Detectionhightest
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Convert In Phoenix Studio
Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.
Launch
Log Source
Azureriskdetection
ProductAzure← raw: azure
Serviceriskdetection← raw: riskdetection
Detection Logic
Detection Logic1 selector
detection:
selection:
riskEventType: 'anonymizedIPAddress'
condition: selectionFalse Positives
We recommend investigating the sessions flagged by this detection in the context of other sign-ins
MITRE ATT&CK
Tactics
Techniques
Rule Metadata
Rule ID
53acd925-2003-440d-a1f3-71a5253fe237
Status
test
Level
high
Type
Detection
Created
Tue Aug 22
Author
Path
rules/cloud/azure/identity_protection/azure_identity_protection_anonymous_ip_address.yml
Raw Tags
attack.t1528attack.credential-access