Microsoft Sentinel Analytic Rules

Successful logins to SOC Prime platform from bad IP addresses

Id: f8e7d6c5-b4a3-4122-8110-0987654321fe
Rulename: Successful logins to SOC Prime platform from bad IP addresses
Description: This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)
Severity: Medium
Tactics: InitialAccess
Techniques: T1078
Required data connectors: SOCPrimeAuditLogsDataConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
Version: 1.0.0
Arm template: f8e7d6c5-b4a3-4122-8110-0987654321fe.json
let blacklistIPs = _GetWatchlist('blacklistOfIps')
| project IPAddress = column_ifexists('ip','IPAddress');
SOCPrimeAuditLogs_CL
| where EventName == "Logged in to the SOC Prime Platform"
| where SourceIp in (blacklistIPs)
| project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
version: 1.0.0
severity: Medium
query: |
  let blacklistIPs = _GetWatchlist('blacklistOfIps')
  | project IPAddress = column_ifexists('ip','IPAddress');
  SOCPrimeAuditLogs_CL
  | where EventName == "Logged in to the SOC Prime Platform"
  | where SourceIp in (blacklistIPs)
  | project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
queryPeriod: 1h
status: Available
kind: Scheduled
tactics:
- InitialAccess
triggerOperator: gt
queryFrequency: 1h
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
entityMappings:
- fieldMappings:
  - columnName: UserName
    identifier: Name
  entityType: Account
- fieldMappings:
  - columnName: SourceIp
    identifier: Address
  entityType: IP
name: Successful logins to SOC Prime platform from bad IP addresses
triggerThreshold: 0
description: |
    'This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)'
id: f8e7d6c5-b4a3-4122-8110-0987654321fe
relevantTechniques:
- T1078
requiredDataConnectors:
- connectorId: SOCPrimeAuditLogsDataConnector
  dataTypes:
  - SOCPrimeAuditLogs_CL