Detection / medium / test
Activity from Suspicious IP Addresses
Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence. Such IP addresses are involved in malicious activity, such as botnet C&C, and may indicate a compromised account.
Log Source
Product: Microsoft 365 (raw: m365)
Service: threat_detection (raw: threat_detection)
Detection Logic (1 selector)

detection:
  selection:
    eventSource: SecurityComplianceCenter
    eventName: 'Activity from suspicious IP addresses'
    status: success
  condition: selection

False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
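The selection above is a single Sigma map, so every listed field must match (AND); a list of values under one field would be an OR, and string comparison is case-insensitive. The following script is an added example, not code from the Sigma rule or the SigmaHQ repository: it applies that selection to a few constructed Microsoft 365 audit records and pulls out the user and source IP an analyst would start triage from, which matters here because the false-positive likelihood is unassessed. The field names follow the rule as written (eventSource, eventName, status); real Unified Audit Log exports may name them differently, and mapping them is the converter backend's job, not this script's. The helper names (value_matches, matches_selection, find_hits) and all sample records are constructed for this example.

```python
# Added example (not part of the Sigma rule or the SigmaHQ repository): apply the
# rule's selection to constructed Microsoft 365 audit records and return the
# fields an analyst needs for triage.

SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Activity from suspicious IP addresses",
    "status": "success",
}


def value_matches(expected, actual):
    """Sigma value semantics: a list of values is an OR; a scalar is an exact,
    case-insensitive comparison; a missing field never matches."""
    if isinstance(expected, list):
        return any(value_matches(item, actual) for item in expected)
    if actual is None:
        return False
    return str(expected).lower() == str(actual).lower()


def matches_selection(record, selection=SELECTION):
    """Sigma map semantics: every key in the selection must match (AND)."""
    return all(value_matches(v, record.get(k)) for k, v in selection.items())


# Constructed records using the rule's own field names (eventSource, eventName,
# status). Real Unified Audit Log exports may name these fields differently; the
# converter backend's field mapping handles that, this script does not.
SAMPLE_RECORDS = [
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Activity from suspicious IP addresses",
     "status": "success", "userId": "alice@contoso.example",
     "clientIp": "203.0.113.10"},            # true hit
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Activity from suspicious IP addresses",
     "status": "failure", "userId": "bob@contoso.example",
     "clientIp": "203.0.113.11"},            # status is not success
    {"eventSource": "SecurityComplianceCenter",
     "eventName": "Impossible travel activity",
     "status": "success", "userId": "carol@contoso.example",
     "clientIp": "198.51.100.7"},            # a different MCAS alert
    {"eventSource": "Exchange",
     "eventName": "Activity from suspicious IP addresses",
     "status": "success", "userId": "dave@contoso.example",
     "clientIp": "192.0.2.25"},              # wrong event source
]


def find_hits(records, selection=SELECTION):
    """Return (user, source IP) for each record the selection matches; these
    are the two values triage starts from."""
    return [(r.get("userId"), r.get("clientIp"))
            for r in records if matches_selection(r, selection)]


if __name__ == "__main__":
    for user, ip in find_hits(SAMPLE_RECORDS):
        print(f"ALERT user={user} ip={ip}")
```

Only the first constructed record survives all three conditions; the failed-status record and the other alert types are excluded, which is the behaviour the `condition: selection` line expresses.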
MITRE ATT&CK
Tactics: Command and Control (attack.command-and-control)
Techniques: T1573 (attack.t1573)
Rule Metadata
Rule ID
a3501e8e-af9e-43c6-8cd6-9360bdaae498
Status
test
Level
medium
Type
Detection
Created
Mon Aug 23
Modified
Sun Oct 09
Author
Path
rules/cloud/m365/threat_detection/microsoft365_from_susp_ip_addresses.yml
Raw Tags
attack.command-and-control, attack.t1573