General
This rule compares activity in Azure to the data in your MISP source. If activity is detected from an IP address known to MISP, an alarm is raised.
Rationale
The MISP source serves as a repository of indicators of malicious behaviour, obtained from research into previous attacks on other organisations. Sharing that data ensures that similar new attacks are detected in a timely manner. By correlating the indicators with the logs in the Microsoft tenant, detection is automated and Attic helps with rapid incident handling.
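The matching the rule performs, written out as an added example (this is illustrative code, not Attic's own implementation): MISP attributes of an IP type that are flagged `to_ids` are turned into networks, and each Azure sign-in record is tested against them. The attribute and sign-in records below are constructed and use RFC 5737 documentation addresses; the field names follow the shape of MISP attributes and Entra sign-in log entries but are an assumption of this example.

```python
"""Match Azure sign-in log entries against MISP IP indicators.

Added example, not Attic's code. All records below are constructed.
"""
import ipaddress

# Constructed MISP attributes (simplified shape of /attributes/restSearch output; assumption).
MISP_ATTRIBUTES = [
    {"event_id": "101", "type": "ip-src", "value": "203.0.113.45", "to_ids": True},
    {"event_id": "101", "type": "ip-dst|port", "value": "198.51.100.7|443", "to_ids": True},
    {"event_id": "102", "type": "ip-src", "value": "192.0.2.0/24", "to_ids": True},
    {"event_id": "103", "type": "domain", "value": "bad.example", "to_ids": True},
    {"event_id": "104", "type": "ip-src", "value": "203.0.113.99", "to_ids": False},  # not for detection
]

# Constructed Entra sign-in log entries (field names are an assumption of this example).
AZURE_SIGNINS = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.45", "status": "Success"},
    {"userPrincipalName": "bob@example.com", "ipAddress": "10.0.0.5", "status": "Success"},
    {"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.77", "status": "Failure"},
    {"userPrincipalName": "dave@example.com", "ipAddress": "203.0.113.99", "status": "Success"},
]

# MISP attribute types that carry an IP address; the "|port" variants hold "ip|port".
IP_ATTRIBUTE_TYPES = {"ip-src", "ip-dst", "ip-src|port", "ip-dst|port"}


def load_ip_indicators(attributes):
    """Turn MISP attributes into (network, event_id) pairs.

    Only IP-typed attributes flagged to_ids are used. Single hosts become /32 (or /128)
    networks so that CIDR-valued attributes and plain IPs share one membership test.
    """
    indicators = []
    for attr in attributes:
        if attr.get("type") not in IP_ATTRIBUTE_TYPES or not attr.get("to_ids", False):
            continue
        raw = attr["value"].split("|", 1)[0]  # drop the "|port" suffix when present
        try:
            network = ipaddress.ip_network(raw, strict=False)
        except ValueError:
            continue  # malformed indicator: skip it rather than abort the whole run
        indicators.append((network, str(attr["event_id"])))
    return indicators


def match_signins(signins, indicators):
    """Return one alarm per sign-in whose source IP is covered by a MISP indicator."""
    alerts = []
    for entry in signins:
        try:
            ip = ipaddress.ip_address(entry["ipAddress"])
        except (KeyError, ValueError):
            continue  # entries without a usable IP cannot be matched
        for network, event_id in indicators:
            if ip.version == network.version and ip in network:
                alerts.append({
                    "user": entry.get("userPrincipalName"),
                    "ip": str(ip),
                    "status": entry.get("status"),
                    "indicator": str(network),
                    "misp_event_id": event_id,  # tells the analyst which MISP event to read
                })
                break  # one alarm per sign-in is enough
    return alerts


def run_example():
    """Run the matcher over the constructed data; returns the raised alarms."""
    return match_signins(AZURE_SIGNINS, load_ip_indicators(MISP_ATTRIBUTES))


if __name__ == "__main__":
    for alert in run_example():
        print(f"ALARM: {alert['user']} from {alert['ip']} ({alert['status']}) "
              f"matches {alert['indicator']} in MISP event {alert['misp_event_id']}")
```

The `status` field is kept in the alarm on purpose: a failed sign-in from a listed address is still worth the follow-up the rule describes, while a successful one raises the urgency of the containment steps.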
Attic currently supports the following MISP sources:
Use of these sources is only permitted for the intended target group, which Attic will validate per customer.
Manual follow-up
Follow these steps to follow up on this detection:
- Open the Entra admin portal: https://entra.microsoft.com
- Go to Identity > Monitoring & health > Sign-in logs
- Determine how the sign-in was performed
- Investigate the sign-in attempt, and only if it can be established that the alarm is not a false positive:
  - Block the user account
  - Reset the password and revoke active sessions
  - Investigate the account for suspicious behaviour, changed authentication methods and suspicious app consents; also check the mailbox for forwarding rules. Zolder can assist with this.
- Re-enable the account only once it has been confirmed to be safe to use again.