Activity from Suspicious IP Addresses
Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
Sigma rule (View on GitHub)
1title: Activity from Suspicious IP Addresses
2id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
3status: test
4description: |
5 Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.
6 These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.
7references:
8 - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
9 - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
10author: Austin Songer @austinsonger
11date: 2021-08-23
12modified: 2022-10-09
13tags:
14 - attack.command-and-control
15 - attack.t1573
16logsource:
17 service: threat_detection
18 product: m365
19detection:
20 selection:
21 eventSource: SecurityComplianceCenter
22 eventName: 'Activity from suspicious IP addresses'
23 status: success
24 condition: selection
25falsepositives:
26 - Unknown
27level: medium
References
Related rules
- Activity from Anonymous IP Addresses
- Activity from Infrequent Country
- Suspicious SSL Connection
- ADSI-Cache File Creation By Uncommon Tool
- APT User Agent