Microsoft Sentinel Analytic Rules

Successful logins to SOC Prime platform from bad IP addresses

Id: f8e7d6c5-b4a3-4122-8110-0987654321fe
Rulename: Successful logins to SOC Prime platform from bad IP addresses
Description: This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)
Severity: Medium
Tactics: InitialAccess
Techniques: T1078
Required data connectors: SOCPrimeAuditLogsDataConnector
Kind: Scheduled
Query frequency: 1h
Query period: 1h
Trigger threshold: 0
Trigger operator: gt
Source Uri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
Version: 1.0.0
Arm template: f8e7d6c5-b4a3-4122-8110-0987654321fe.json
let blacklistIPs = _GetWatchlist('blacklistOfIps')
| project IPAddress = column_ifexists('ip','IPAddress');
SOCPrimeAuditLogs_CL
| where EventName == "Logged in to the SOC Prime Platform"
| where SourceIp in (blacklistIPs)
| project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type
OriginalUri: https://github.com/Azure/Azure-Sentinel/blob/master/Solutions/SOC Prime CCF/Analytic Rules/SuccessLoginFromBadIp.yaml
query: |
  let blacklistIPs = _GetWatchlist('blacklistOfIps')
  | project IPAddress = column_ifexists('ip','IPAddress');
  SOCPrimeAuditLogs_CL
  | where EventName == "Logged in to the SOC Prime Platform"
  | where SourceIp in (blacklistIPs)
  | project TimeGenerated, EventName, UserEmail, UserName, SourceIp, Uri, Type  
entityMappings:
- entityType: Account
  fieldMappings:
  - identifier: Name
    columnName: UserName
- entityType: IP
  fieldMappings:
  - identifier: Address
    columnName: SourceIp
kind: Scheduled
triggerOperator: gt
requiredDataConnectors:
- dataTypes:
  - SOCPrimeAuditLogs_CL
  connectorId: SOCPrimeAuditLogsDataConnector
tactics:
- InitialAccess
triggerThreshold: 0
description: |
    'This rule identifies successful logins from IP addresses previously flagged as malicious (e.g., botnets, TOR exit nodes, or known malicious IPs)'
queryPeriod: 1h
version: 1.0.0
queryFrequency: 1h
severity: Medium
name: Successful logins to SOC Prime platform from bad IP addresses
id: f8e7d6c5-b4a3-4122-8110-0987654321fe
status: Available
relevantTechniques:
- T1078