Jun 22 2021 12:22 PM
Hi All,
I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". It is triggering multiple alerts, and it does match the condition because I see two different IPs. Common codes I am seeing are "50058, 50126, 50076 & 50173". We do have a VPN in place, so one of the IPs I do sometimes see coming from the VPN. I am trying to find out what will be the best way to check if this is a true positive or a false positive?
Jun 23 2021 03:38 AM
@msef280 you could add logic to the query to exclude your known addresses:
| where IPAddress != "10.10.10.10"
Or you could look at adding logic that looks at user agents as well as the IP address. If the user agent is the same for both sign-ins, then it is less likely to be malicious.
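As an added example (not part of the original thread, and not Microsoft's rule query), the following Python script shows both triage ideas from the reply applied to constructed records shaped like Azure AD SigninLogs rows: rows from a known address list are dropped before correlation, the way the `| where IPAddress != ...` line does, and a success/failure pair from different IPs within a time window is rated lower when both sign-ins carry the same user agent. The network ranges, users, IPs and user agents are all hypothetical; the result codes are the ones quoted in the question.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical trusted ranges (e.g. your VPN egress). Replace with your own.
KNOWN_NETWORKS = [ip_network("10.10.10.0/24"), ip_network("192.0.2.50/32")]


def is_known_address(ip: str) -> bool:
    """True if the address falls inside any trusted range (mirrors the KQL exclusion)."""
    addr = ip_address(ip)
    return any(addr in net for net in KNOWN_NETWORKS)


@dataclass
class SignIn:
    """Subset of SigninLogs columns used by the rule."""
    TimeGenerated: datetime
    UserPrincipalName: str
    IPAddress: str
    ResultType: str  # "0" is success; anything else is an AAD failure code
    UserAgent: str


def _t(hhmm: str) -> datetime:
    return datetime(2021, 6, 22, int(hhmm[:2]), int(hhmm[3:]))


# Constructed sample data; none of these are real users or addresses.
SAMPLE_SIGNINS = [
    SignIn(_t("12:00"), "alice@example.com", "203.0.113.10", "0", "Mozilla/5.0 (Windows NT 10.0) Edge/91"),
    SignIn(_t("12:03"), "alice@example.com", "198.51.100.7", "50126", "python-requests/2.25"),
    SignIn(_t("12:10"), "bob@example.com", "203.0.113.44", "0", "Mozilla/5.0 (iPhone) Safari/604"),
    SignIn(_t("12:12"), "bob@example.com", "10.10.10.23", "50076", "Mozilla/5.0 (iPhone) Safari/604"),  # VPN: excluded
    SignIn(_t("12:20"), "carol@example.com", "198.51.100.20", "0", "Mozilla/5.0 (Macintosh) Chrome/91"),
    SignIn(_t("12:24"), "carol@example.com", "198.51.100.21", "50058", "Mozilla/5.0 (Macintosh) Chrome/91"),
    SignIn(_t("12:30"), "dave@example.com", "203.0.113.99", "0", "Mozilla/5.0 (Windows NT 10.0) Chrome/91"),
    SignIn(_t("12:31"), "dave@example.com", "203.0.113.99", "50173", "Mozilla/5.0 (Windows NT 10.0) Chrome/91"),  # same IP: no match
]


def severity(success: SignIn, failure: SignIn) -> str:
    """Same user agent on both sign-ins -> 'low'; otherwise 'medium' (worth a look)."""
    return "low" if success.UserAgent == failure.UserAgent else "medium"


def correlate(rows, window: timedelta = timedelta(minutes=10)):
    """Pair each success with failures for the same user from a different IP inside the window.

    Rows from known addresses are filtered out first, exactly like the KQL `where` clause,
    so a VPN-sourced success or failure never forms a pair.
    """
    by_user = defaultdict(list)
    for row in rows:
        if is_known_address(row.IPAddress):
            continue
        by_user[row.UserPrincipalName].append(row)

    findings = []
    for user, events in by_user.items():
        successes = [e for e in events if e.ResultType == "0"]
        failures = [e for e in events if e.ResultType != "0"]
        for s in successes:
            for f in failures:
                if f.IPAddress == s.IPAddress:
                    continue  # rule requires two different IPs
                if abs(f.TimeGenerated - s.TimeGenerated) > window:
                    continue
                findings.append({
                    "user": user,
                    "success_ip": s.IPAddress,
                    "failure_ip": f.IPAddress,
                    "failure_code": f.ResultType,
                    "same_user_agent": s.UserAgent == f.UserAgent,
                    "severity": severity(s, f),
                })
    return findings


if __name__ == "__main__":
    for finding in correlate(SAMPLE_SIGNINS):
        print(finding)
```

Running it reports alice (success from one public IP, a 50126 bad-password failure from another with a different user agent) as "medium", carol (two adjacent public IPs, identical browser) as "low", and nothing for bob (VPN row excluded) or dave (same IP on both events). The same shape carries over to KQL: filter known addresses first, then join successes to failures on UserPrincipalName and compare UserAgent in the joined result.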
Aug 13 2021 12:32 PM
Aug 13 2021 02:38 PM
Aug 16 2021 12:53 AM