Microsoft Sentinel Analytic Rules

Successful logins to SOC Prime platform from bad IP addresses

Id: f8e7d6c5-b4a3-4122-8110-0987654321fe
Rulename: Successful logins to SOC Prime platform from bad IP addresses
Description: This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)
Severity: Medium
Tactics: InitialAccess
Techniques: T1078
Required data connectors: SOCPrimeAuditLogsDataConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
Version: 1.0.0
Arm template: f8e7d6c5-b4a3-4122-8110-0987654321fe.json
let blacklistIPs = _GetWatchlist('blacklistOfIps')
| project IPAddress = column_ifexists('ip','IPAddress');
SOCPrimeAuditLogs_CL
| where EventName == "Logged in to the SOC Prime Platform"
| where SourceIp in (blacklistIPs)
| project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
relevantTechniques:
- T1078
queryFrequency: 1h
description: |
    'This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)'
triggerThreshold: 0
id: f8e7d6c5-b4a3-4122-8110-0987654321fe
name: Successful logins to SOC Prime platform from bad IP addresses
queryPeriod: 1h
query: |
  let blacklistIPs = _GetWatchlist('blacklistOfIps')
  | project IPAddress = column_ifexists('ip','IPAddress');
  SOCPrimeAuditLogs_CL
  | where EventName == "Logged in to the SOC Prime Platform"
  | where SourceIp in (blacklistIPs)
  | project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type  
severity: Medium
triggerOperator: gt
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
requiredDataConnectors:
- connectorId: SOCPrimeAuditLogsDataConnector
  dataTypes:
  - SOCPrimeAuditLogs_CL
status: Available
version: 1.0.0
tactics:
- InitialAccess
kind: Scheduled