Activity from Suspicious IP Addresses

Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence. These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.

Sigma rule (View on GitHub)

 1title: Activity from Suspicious IP Addresses
 2id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
 3status: test
 4description: |
 5  Detects when a Microsoft Cloud App Security reported users were active from an IP address identified as risky by Microsoft Threat Intelligence.
 6  These IP addresses are involved in malicious activities, such as Botnet C&C, and may indicate compromised account.  
 7references:
 8    - https://learn.microsoft.com/en-us/defender-cloud-apps/anomaly-detection-policy
 9    - https://learn.microsoft.com/en-us/defender-cloud-apps/policy-template-reference
10author: Austin Songer @austinsonger
11date: 2021/08/23
12modified: 2022/10/09
13tags:
14    - attack.command_and_control
15    - attack.t1573
16logsource:
17    service: threat_detection
18    product: m365
19detection:
20    selection:
21        eventSource: SecurityComplianceCenter
22        eventName: 'Activity from suspicious IP addresses'
23        status: success
24    condition: selection
25falsepositives:
26    - Unknown
27level: medium

References

Related rules

to-top