Analytics rule: Successful logon from IP and failure from a different IP

Question

Hi All,&nbsp;I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts &amp; it does match the condition because I see two different ip. Common codes I am seeing "50058, 50126, 50076 &amp; 50173". We do have a vpn in place so one of the ip I do see sometimes coming from vpn.&nbsp; I am trying to find out what will be the best way to check if this is something true-positive or false-positive?

m_zorich · Answer

msef280&nbsp;you could add the logic in the query to exclude your known addresses&nbsp;| where IPAddress != "10.10.10.10"&nbsp;&nbsp;or you could look at adding logic that looked at user agents as well as the IP address? If the user agent is the same for both sign-ins then it is less likely to be malicious

msef280 · Answer

Hi m_zorich ,Is there any way I can exclude the subnet range? let's say out vpn address first 3 octatate is always 165.225.208.*

m_zorich · Answer

Heya!| where IPAddress !startswith "165.225.208."

msraj · Answer

| where IPAddress contains "165.225.208."

Forum Discussion

Analytics rule: Successful logon from IP and failure from a different IP

4 Replies