Analytics rule: Successful logon from IP and failure from a different IP

msef280 · ‎Jun 22 2021

Hi All,

I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts & it does match the condition because I see two different ip. Common codes I am seeing "50058, 50126, 50076 & 50173". We do have a vpn in place so one of the ip I do see sometimes coming from vpn. I am trying to find out what will be the best way to check if this is something true-positive or false-positive?

m_zorich · ‎Jun 23 2021

@msef280 you could add the logic in the query to exclude your known addresses

| where IPAddress != "10.10.10.10"

or you could look at adding logic that looked at user agents as well as the IP address? If the user agent is the same for both sign-ins then it is less likely to be malicious

msef280 · ‎Aug 13 2021

Hi m_zorich ,

Is there any way I can exclude the subnet range? let's say out vpn address first 3 octatate is always 165.225.208.*

m_zorich · ‎Aug 13 2021

Heya!

| where IPAddress !startswith "165.225.208."

msraj · ‎Aug 16 2021

| where IPAddress contains "165.225.208."

Analytics rule: Successful logon from IP and failure from a different IP

Analytics rule: Successful logon from IP and failure from a different IP

Re: Analytics rule: Successful logon from IP and failure from a different IP

Re: Analytics rule: Successful logon from IP and failure from a different IP

Re: Analytics rule: Successful logon from IP and failure from a different IP

Re: Analytics rule: Successful logon from IP and failure from a different IP

Products (50)

Special Topics (27)

Video Hub (462)

Most Active Hubs

Most Active Hubs

Video Hub

Analytics rule: Successful logon from IP and failure from a different IP