Type: Detection | Level: high | Status: test

Sign-In From Malware Infected IP

Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.

Authors: Mark Morowczynski, Gloria Lee
Created: Sun Sep 03
Rule ID: 821b4dc3-1295-41e7-b157-39ab212dd6bd
Category: cloud
Log Source
Product: azure
Service: riskdetection
Detection Logic (1 selector)
detection:
    selection:
        riskEventType: 'malwareInfectedIPAddress'
    condition: selection
False Positives

Using an IP address that is shared by many users

MITRE ATT&CK
Technique: T1090 (Proxy); Tactic: Command and Control
Rule Metadata
Rule ID
821b4dc3-1295-41e7-b157-39ab212dd6bd
Status
test
Level
high
Type
Detection
Created
Sun Sep 03
Path
rules/cloud/azure/identity_protection/azure_identity_protection_malware_linked_ip.yml
Raw Tags
attack.t1090, attack.command-and-control