Activity from Suspicious IP Addresses
Detects Microsoft Cloud App Security (now Microsoft Defender for Cloud Apps) alerts reporting that users were active from an IP address identified as risky by Microsoft Threat Intelligence. Such IP addresses are involved in malicious activity, for example botnet command-and-control, and activity from them may indicate a compromised account. The rule matches the alert as it appears in the Microsoft 365 audit log (eventSource SecurityComplianceCenter), so it fires only on alerts the service has already raised; it does not evaluate IP reputation itself.
Sigma rule
```yaml
title: Activity from Suspicious IP Addresses
id: a3501e8e-af9e-43c6-8cd6-9360bdaae498
status: test
description: |
    Detects when Microsoft Cloud App Security reports that users were active from an IP address identified as risky by Microsoft Threat Intelligence.
    These IP addresses are involved in malicious activities, such as botnet C&C, and may indicate a compromised account.
references:
    - https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
    - https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
author: Austin Songer @austinsonger
date: 2021/08/23
modified: 2022/10/09
tags:
    - attack.command_and_control
    - attack.t1573
logsource:
    service: threat_detection
    product: m365
detection:
    selection:
        eventSource: SecurityComplianceCenter
        eventName: 'Activity from suspicious IP addresses'
        status: success
    condition: selection
falsepositives:
    - Unknown
level: medium
```
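To show what the `selection` block above actually evaluates, here is an added example (not code from the SigmaHQ project or the rule author) that applies the rule's three field/value pairs to a handful of constructed Microsoft 365 audit records and returns the matches. The record shape and field names follow the rule's own field names rather than the raw Office 365 Management Activity API schema (which uses names such as `Operation` and `Workload`), so a real pipeline needs the backend's field mapping; the user IDs, IPs and log lines are invented for the demonstration.

```python
"""Added example: run the Sigma rule's `selection` over constructed M365 audit
log lines. Not part of the Sigma rule or the SigmaHQ project."""
import json
from typing import Any, Iterable

# Field/value pairs copied from the rule's detection.selection block.
# Sigma compares strings case-insensitively unless a modifier says otherwise,
# so the matcher below lower-cases both sides.
SELECTION = {
    "eventSource": "SecurityComplianceCenter",
    "eventName": "Activity from suspicious IP addresses",
    "status": "success",
}


def matches_selection(record: dict[str, Any], selection: dict[str, str] = SELECTION) -> bool:
    """True when every selection field is present in the record and equal
    (case-insensitively) to the expected value; a missing field is a miss."""
    for field, expected in selection.items():
        value = record.get(field)
        if value is None or str(value).lower() != expected.lower():
            return False
    return True


# Constructed sample log lines (JSON per line). Field names mirror the rule;
# all values are invented. Line 4 tests case-insensitive matching, line 5 is
# deliberately malformed to show the parser skipping bad input.
SAMPLE_LOG = [
    json.dumps({"eventSource": "SecurityComplianceCenter",
                "eventName": "Activity from suspicious IP addresses",
                "status": "success", "userId": "alice@contoso.example",
                "clientIp": "198.51.100.23"}),
    json.dumps({"eventSource": "SecurityComplianceCenter",
                "eventName": "Activity from anonymous IP addresses",
                "status": "success", "userId": "bob@contoso.example"}),
    json.dumps({"eventSource": "SecurityComplianceCenter",
                "eventName": "Activity from suspicious IP addresses",
                "status": "failure", "userId": "carol@contoso.example"}),
    json.dumps({"eventSource": "securitycompliancecenter",
                "eventName": "ACTIVITY FROM SUSPICIOUS IP ADDRESSES",
                "status": "Success", "userId": "dave@contoso.example"}),
    '{"this is not json',
]


def run_detection(lines: Iterable[str]) -> list[dict[str, Any]]:
    """Parse each JSON line and collect the records satisfying the rule's
    condition (`condition: selection` means the selection alone must match)."""
    hits: list[dict[str, Any]] = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip it rather than abort the batch
        if isinstance(record, dict) and matches_selection(record):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in run_detection(SAMPLE_LOG):
        print(f"ALERT level=medium user={hit.get('userId')} "
              f"ip={hit.get('clientIp', 'n/a')}")
```

Only the first and fourth records match: the second has a different alert name (it belongs to the related "Activity from Anonymous IP Addresses" rule), and the third is excluded because the rule requires `status: success`. The fourth matches despite the different letter case, which is what a Sigma backend would do too; if your SIEM's converted query is case-sensitive, this is the first place to look when the rule seems to miss alerts.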
References
- https://docs.microsoft.com/en-us/cloud-app-security/anomaly-detection-policy
- https://docs.microsoft.com/en-us/cloud-app-security/policy-template-reference
Related rules
- Activity from Anonymous IP Addresses
- Activity from Infrequent Country
- Suspicious SSL Connection
- Browser Execution In Headless Mode
- DNS Query Tor .Onion Address - Sysmon