Malicious IP Address Sign-In Failure Rate

Aug 12, 2024 · attack.t1090 attack.command-and-control ·

Indicates sign-in from a malicious IP address based on high failure rates.

Sigma rule (View on GitHub)

 1title: Malicious IP Address Sign-In Failure Rate
 2id: a3f55ebd-0c01-4ed6-adc0-8fb76d8cd3cd
 3status: test
 4description: Indicates sign-in from a malicious IP address based on high failure rates.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#malicious-ip-address
 7    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 8author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
 9date: 2023-09-07
10tags:
11    - attack.t1090
12    - attack.command-and-control
13logsource:
14    product: azure
15    service: riskdetection
16detection:
17    selection:
18        riskEventType: 'maliciousIPAddress'
19    condition: selection
20falsepositives:
21    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
22level: high

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Learn about risk detections, risk levels, and how they map to risk event types in Microsoft Entra ID Protection

Read More
Microsoft Entra security operations for user accounts - Microsoft Entra

Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.

Read More

Malicious IP Address Sign-In Failure Rate

Sigma rule (View on GitHub)

References

What are risks in Microsoft Entra ID Protection - Microsoft Entra ID Protection

Microsoft Entra security operations for user accounts - Microsoft Entra

Related rules