Logon from a Risky IP Address
Detects when Microsoft Cloud App Security reports that a user signed into your sanctioned apps from a risky IP address.
Log Source
Product: Microsoft 365 (raw: m365)
Service: threat_management (raw: threat_management)
Detection Logic (1 selector)
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Log on from a risky IP address'
        status: success
    condition: selection
False Positives
Unknown
False positive likelihood has not been assessed. Additional context may be needed during triage.
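As an added example (not the rule's or the catalog's own code), this Python matcher applies the rule's selection with Sigma's default semantics, every listed field ANDed and string values compared case-insensitively, to a handful of constructed audit records. The field names and values come from the rule; the record ids, the off-rule values and the record shape are assumptions.

```python
"""Evaluate the Sigma selection from this rule against constructed M365 audit records.

The matcher is an added illustration, not the rule's own tooling. It reproduces
Sigma's default semantics for a plain string selector: all fields in the
selection must match (AND), and comparison is case-insensitive.
"""

# The selection block of the rule, copied field for field.
SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Log on from a risky IP address",
    "status": "success",
}


def field_matches(event: dict, field: str, expected: str) -> bool:
    """Sigma string values match case-insensitively; a missing field never matches."""
    value = event.get(field)
    if value is None:
        return False
    return str(value).casefold() == expected.casefold()


def matches_rule(event: dict) -> bool:
    """condition: selection  ->  every field of the selection must match."""
    return all(field_matches(event, f, v) for f, v in SELECTION.items())


def run_detection(events: list) -> list:
    """Return the ids of the records that would fire this rule."""
    return [e["id"] for e in events if matches_rule(e)]


# Constructed sample records in the shape the rule's fields imply (not real logs).
SAMPLE_EVENTS = [
    {"id": 1, "eventSource": "SecurityComplianceCenter",
     "eventName": "Log on from a risky IP address", "status": "success"},   # fires
    {"id": 2, "eventSource": "SecurityComplianceCenter",
     "eventName": "Log on from a risky IP address", "status": "failure"},   # status mismatch
    {"id": 3, "eventSource": "SecurityComplianceCenter",
     "eventName": "Other alert name (constructed)", "status": "success"},  # different alert
    {"id": 4, "eventSource": "securitycompliancecenter",
     "eventName": "LOG ON FROM A RISKY IP ADDRESS", "status": "Success"},  # case only, fires
    {"id": 5, "eventName": "Log on from a risky IP address", "status": "success"},  # no eventSource
]

if __name__ == "__main__":
    print("records that fire the rule:", run_detection(SAMPLE_EVENTS))  # -> [1, 4]
```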
MITRE ATT&CK
Rule Metadata
Rule ID
c191e2fa-f9d6-4ccf-82af-4f2aba08359f
Status
test
Level
medium
Type
Detection
Created
Mon Aug 23
Modified
Sun Oct 09
Author
Path
rules/cloud/m365/threat_management/microsoft365_logon_from_risky_ip_address.yml
Raw Tags
attack.privilege-escalation, attack.persistence, attack.defense-evasion, attack.initial-access, attack.t1078