Analytics rule: Successful logon from IP and failure from a different IP

Occasional Contributor

Hi All,


I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts & it does match the condition because I see two different ip. Common codes I am seeing "50058, 50126, 50076 & 50173". We do have a vpn in place so one of the ip I do see sometimes coming from vpn.  I am trying to find out what will be the best way to check if this is something true-positive or false-positive?

1 Reply

@msef280 you could add the logic in the query to exclude your known addresses


| where IPAddress != "" 


or you could look at adding logic that looked at user agents as well as the IP address? If the user agent is the same for both sign-ins then it is less likely to be malicious