Microsoft Sentinel Analytic Rules

Successful logins to SOC Prime platform from bad IP addresses

Id: f8e7d6c5-b4a3-4122-8110-0987654321fe
Rulename: Successful logins to SOC Prime platform from bad IP addresses
Description: This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)
Severity: Medium
Tactics: InitialAccess
Techniques: T1078
Required data connectors: SOCPrimeAuditLogsDataConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
Version: 1.0.0
Arm template: f8e7d6c5-b4a3-4122-8110-0987654321fe.json
let blacklistIPs = _GetWatchlist('blacklistOfIps')
| project IPAddress = column_ifexists('ip','IPAddress');
SOCPrimeAuditLogs_CL
| where EventName == "Logged in to the SOC Prime Platform"
| where SourceIp in (blacklistIPs)
| project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIp
tactics:
- InitialAccess
requiredDataConnectors:
- dataTypes:
  - SOCPrimeAuditLogs_CL
  connectorId: SOCPrimeAuditLogsDataConnector
id: f8e7d6c5-b4a3-4122-8110-0987654321fe
severity: Medium
status: Available
query: |
  let blacklistIPs = _GetWatchlist('blacklistOfIps')
  | project IPAddress = column_ifexists('ip','IPAddress');
  SOCPrimeAuditLogs_CL
  | where EventName == "Logged in to the SOC Prime Platform"
  | where SourceIp in (blacklistIPs)
  | project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
kind: Scheduled
queryPeriod: 1h
version: 1.0.0
name: Successful logins to SOC Prime platform from bad IP addresses
queryFrequency: 1h
triggerThreshold: 0
relevantTechniques:
- T1078
description: |
    'This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)'
triggerOperator: gt