Saeed Sheikh
Feb 26, 2024, Copper Contributor
Anonymous IP address alert for users of iCloud private relay
We have had a few incidents of Anonymous IP address where the users are using iCloud Private Relay. My research shows me that Apple uses Cloudflare WARP service at the back end and that is what is triggering this. The first time it happened, I asked the user to disable private relay. Now I am not too sure. Is this really a threat that needs to be mitigated? I am on the fence to even disable the alert altogether. Thoughts?
- Clive_Watson, Bronze Contributor
There is a list, maybe you can compare the IP you are seeing with this? Suggestion: ipv4_is_match() - Azure Data Explorer & Real-Time Analytics | Microsoft Learn
let iCloudPRL = materialize(externaldata(IPRange: string, Country: string, Region: string, City: string)[
@"https://mask-api.icloud.com/egress-ip-ranges.csv"] with(format="csv", ignoreFirstRecord=True));
iCloudPRL
- Saeed Sheikh, Copper Contributor
Just noticed that is an iCloud list of IP addresses. This IP address is owned by Cloudflare, and would not show there. Cloudflare works as a second relay for iCloud. See https://blog.cloudflare.com/icloud-private-relay/
- Saeed Sheikh, Copper Contributor
Clive_Watson I did not find it in the list. I added this at the end of your KQL query.
| where IPRange == "2a09:bac2:85c8:2d2::48:67"
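
An added example, not part of the original thread: the IPRange column of the egress list holds CIDR ranges, so checking a single address against it needs a range match such as ipv6_is_match() (which also accepts IPv4 strings) rather than an exact string comparison. The `alertIPs` table, the `matches` variable and the `k` join key are names assumed here; the address is the one quoted in the thread.

```kql
// Added example (assumed names: alertIPs, matches, k).
// Load Apple's published Private Relay egress ranges, as in the query above.
let iCloudPRL = materialize(externaldata(IPRange: string, Country: string, Region: string, City: string)[
    @"https://mask-api.icloud.com/egress-ip-ranges.csv"] with(format="csv", ignoreFirstRecord=true));
// Addresses taken from the Anonymous IP address alerts under review.
let alertIPs = datatable(IPAddress: string)[
    "2a09:bac2:85c8:2d2::48:67"   // address quoted in the thread
];
// Pair every alert IP with every range, then keep the pairs where the
// address falls inside the CIDR range. This is acceptable for a handful of
// alert IPs; it is not meant to be run against a whole sign-in table.
let matches = alertIPs
    | extend k = 1
    | join kind=inner (iCloudPRL | extend k = 1) on k
    | where ipv6_is_match(IPAddress, IPRange)
    | project IPAddress, IPRange, Country, Region, City;
// One row per alert IP, including those with no match in the list.
alertIPs
| join kind=leftouter matches on IPAddress
| extend InPrivateRelayList = isnotempty(IPRange)
| project IPAddress, InPrivateRelayList, IPRange, Country, Region, City
```

A row with InPrivateRelayList set to false means the address is outside every range Apple publishes in that file, which is the case the thread describes for addresses owned by the second relay operator.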