Analytics rule: Successful logon from IP and failure from a different IP


Hi All,


I am trying to understand the concept behind the rule "Successful logon from IP and failure from a different IP". So it is triggering multiple alerts & it does match the condition because I see two different ip. Common codes I am seeing "50058, 50126, 50076 & 50173". We do have a vpn in place so one of the ip I do see sometimes coming from vpn.  I am trying to find out what will be the best way to check if this is something true-positive or false-positive?

4 Replies

@msef280 you could add the logic in the query to exclude your known addresses


| where IPAddress != "" 


or you could look at adding logic that looked at user agents as well as the IP address? If the user agent is the same for both sign-ins then it is less likely to be malicious

Hi m_zorich ,

Is there any way I can exclude the subnet range? let's say out vpn address first 3 octatate is always 165.225.208.*

| where IPAddress !startswith "165.225.208."
| where IPAddress contains "165.225.208."