Sign In From Suspicious IP
Query
let IPs = ThreatIntelligenceIndicator
| where isnotempty( NetworkSourceIP)
| where ConfidenceScore > 70
| distinct NetworkSourceIP;
AADSignInEventsBeta
| where IPAddress in (IPs)
| project TimeGenerated, AccountUpn, IPAddress, CountryAbout this query
SignIn From Suspicious IP
Query Information
Description
This query combines threat intelligence feeds with Entra ID sign-in information.
Defender XDR
Sentinel
let IPs = ThreatIntelligenceIndicator
| where isnotempty( NetworkSourceIP)
| where ConfidenceScore > 70
| distinct NetworkSourceIP;
SigninLogs
| where IPAddress in (IPs)
| project TimeGenerated, UserPrincipalName, IPAddress, Location
Explanation
This query is designed to identify potentially suspicious sign-in attempts by comparing IP addresses from threat intelligence feeds with sign-in logs from Entra ID (Azure Active Directory). Here's a simple breakdown of what each part of the query does:
-
Threat Intelligence Feed Filtering:
- The query first looks at a data source called
ThreatIntelligenceIndicator. - It filters this data to include only entries where the
NetworkSourceIPis not empty and theConfidenceScoreis greater than 70, indicating a high likelihood that these IPs are associated with malicious activity. - It then creates a list of unique IP addresses from this filtered data.
- The query first looks at a data source called
-
Sign-In Event Matching:
- The query then checks sign-in events from Entra ID (using
AADSignInEventsBetafor Defender XDR andSigninLogsfor Sentinel). - It filters these sign-in events to include only those where the IP address matches one of the suspicious IPs identified in the first step.
- For each matching sign-in event, it retrieves and displays the time of the event, the user's account name, the IP address used, and the geographical location (country or location) of the sign-in attempt.
- The query then checks sign-in events from Entra ID (using
In summary, this query helps security analysts identify sign-in attempts from IP addresses that are considered suspicious based on threat intelligence, allowing them to investigate potential security incidents.
Details

Bert-Jan Pals
Released: October 20, 2024
Tables
ThreatIntelligenceIndicatorAADSignInEventsBetaSigninLogs
Keywords
ThreatIntelligenceIndicatorAADSignInEventsBetaSigninLogs
Operators
letisnotemptywhere>distinctinproject