Query Details

Sign In From Suspicious IP

Query

let IPs = ThreatIntelligenceIndicator
    | where isnotempty( NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
AADSignInEventsBeta
| where IPAddress in (IPs)
| project TimeGenerated, AccountUpn, IPAddress, Country

About this query

SignIn From Suspicious IP

Query Information

Description

This query combines threat intelligence feeds with Entra ID sign-in information.

Defender XDR

Sentinel

let IPs = ThreatIntelligenceIndicator
    | where isnotempty( NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
SigninLogs
| where IPAddress in (IPs)
| project TimeGenerated, UserPrincipalName, IPAddress, Location

Explanation

This query is designed to identify potentially suspicious sign-in attempts by comparing IP addresses from threat intelligence feeds with sign-in logs from Entra ID (Azure Active Directory). Here's a simple breakdown of what each part of the query does:

  1. Threat Intelligence Feed Filtering:

    • The query first looks at a data source called ThreatIntelligenceIndicator.
    • It filters this data to include only entries where the NetworkSourceIP is not empty and the ConfidenceScore is greater than 70, indicating a high likelihood that these IPs are associated with malicious activity.
    • It then creates a list of unique IP addresses from this filtered data.
  2. Sign-In Event Matching:

    • The query then checks sign-in events from Entra ID (using AADSignInEventsBeta for Defender XDR and SigninLogs for Sentinel).
    • It filters these sign-in events to include only those where the IP address matches one of the suspicious IPs identified in the first step.
    • For each matching sign-in event, it retrieves and displays the time of the event, the user's account name, the IP address used, and the geographical location (country or location) of the sign-in attempt.

In summary, this query helps security analysts identify sign-in attempts from IP addresses that are considered suspicious based on threat intelligence, allowing them to investigate potential security incidents.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

ThreatIntelligenceIndicatorAADSignInEventsBetaSigninLogs

Keywords

ThreatIntelligenceIndicatorAADSignInEventsBetaSigninLogs

Operators

letisnotemptywhere>distinctinproject

Actions

GitHub