Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
Sigma rule (View on GitHub)
1title: Malicious IP Address Sign-In Failure Rate
2id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
3status: experimental
4description: Indicates sign-in from a malicious IP address based on high failure rates.
5references:
6 - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#malicious-ip-address
7 - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
9date: 2023/09/07
10tags:
11 - attack.t1090
12 - attack.command_and_control
13logsource:
14 product: azure
15 service: riskdetection
16detection:
17 selection:
18 riskEventType: 'maliciousIPAddress'
19 condition: selection
20falsepositives:
21 - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
22level: high
References
Related rules
- Malicious IP Address Sign-In Suspicious
- Sign-In From Malware Infected IP
- New Port Forwarding Rule Added Via Netsh.EXE
- Cloudflared Tunnel Connections Cleanup
- Cloudflared Tunnel Execution