Activity From Anonymous IP Address

Sep 6, 2023 · attack.t1078 attack.persistence attack.defense_evasion attack.privilege_escalation attack.initial_access ·

Share on:

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Sigma rule (View on GitHub)

 1title: Activity From Anonymous IP Address
 2id: be4d9c86-d702-4030-b52e-c7859110e5e8
 3status: experimental
 4description: Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
 5references:
 6    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#activity-from-anonymous-ip-address
 7    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023/09/03
10tags:
11    - attack.t1078
12    - attack.persistence
13    - attack.defense_evasion
14    - attack.privilege_escalation
15    - attack.initial_access
16logsource:
17    product: azure
18    service: riskdetection
19detection:
20    selection:
21        riskEventType: 'riskyIPAddress'
22    condition: selection
23falsepositives:
24    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
25level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Explaining risk in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Activity From Anonymous IP Address

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules