
Sign In From Suspicious IP

Query

# SignIn From Suspicious IP

## Query Information

#### Description
This query combines threat intelligence feeds with Entra ID sign-in information.

## Defender XDR
```KQL
// Build the list of high-confidence malicious source IPs from the threat intelligence feed
let IPs = ThreatIntelligenceIndicator
    | where isnotempty(NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
// Match Entra ID sign-ins against that list
// (advanced hunting tables expose the event time as Timestamp, not TimeGenerated)
AADSignInEventsBeta
| where IPAddress in (IPs)
| project Timestamp, AccountUpn, IPAddress, Country
```
## Sentinel
```KQL
// Build the list of high-confidence malicious source IPs from the threat intelligence feed
let IPs = ThreatIntelligenceIndicator
    | where isnotempty(NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
// Match Entra ID sign-ins against that list
SigninLogs
| where IPAddress in (IPs)
| project TimeGenerated, UserPrincipalName, IPAddress, Location
```

Explanation

This query is designed to identify sign-ins from potentially suspicious IP addresses by combining threat intelligence data with sign-in logs from Entra ID (formerly Azure Active Directory). Here's a simple breakdown of what each part does:

  1. Threat Intelligence Data:

    • It pulls in IP addresses from a threat intelligence feed where the IP address is not empty and the confidence score is greater than 70.
    • It then creates a distinct list of these suspicious IP addresses.

  2. Sign-In Logs:

    • It checks the sign-in events to see if any of the sign-ins came from the suspicious IP addresses identified in the first step.
    • It then extracts and displays specific details about these sign-ins, such as the time of the sign-in, the user's account name, the IP address, and the location.

For Defender XDR:

  • The query uses the AADSignInEventsBeta table to find and display the relevant sign-in events.

For Sentinel:

  • The query uses the SigninLogs table to find and display the relevant sign-in events.

In summary, this query helps in identifying and investigating sign-ins from IP addresses that are considered suspicious based on threat intelligence data.
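A deeper variant of the Sentinel query, added here as an example and not part of the original page: it keeps only indicators that are still active and unexpired, takes the newest version of each indicator (the TI table stores several versions per IndicatorId), and joins instead of filtering so each matched sign-in carries the confidence, threat type and source of the indicator that flagged it. Column names are the standard ThreatIntelligenceIndicator and SigninLogs schemas; the 14-day lookback and the successful-sign-in filter are assumptions.

```kql
// Added example (not the page's own query): enrich matched sign-ins with the indicator that flagged them.
let lookback = 14d;          // assumed lookback window
let minConfidence = 70;      // same threshold as the page's query
let IPs = ThreatIntelligenceIndicator
    | where TimeGenerated > ago(lookback)
    | where isnotempty(NetworkSourceIP)
    // Indicators are versioned: keep only the newest record per IndicatorId
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    // Drop indicators that were deactivated or have expired since ingestion
    | where Active == true and ExpirationDateTime > now()
    | where ConfidenceScore > minConfidence
    | project NetworkSourceIP, ConfidenceScore, ThreatType, Description, SourceSystem;
SigninLogs
| where TimeGenerated > ago(lookback)
| where ResultType == "0"    // assumed: successful sign-ins only; drop this line to include failures
| join kind=inner IPs on $left.IPAddress == $right.NetworkSourceIP
| project TimeGenerated, UserPrincipalName, IPAddress, Location, AppDisplayName,
          ConfidenceScore, ThreatType, Description, SourceSystem
| order by ConfidenceScore desc, TimeGenerated desc
```

Removing the ResultType filter surfaces failed attempts from flagged IPs as well, which is useful for spotting password spraying before a success occurs.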

Details


Bert-Jan Pals

Released: September 25, 2024

Tables

ThreatIntelligenceIndicator, AADSignInEventsBeta, SigninLogs

Keywords

ThreatIntelligence, EntraID, SignIn, Events, Logs

Operators

let, isnotempty, where, distinct, in, project