
Summary
This detection rule identifies risk detections from Microsoft Entra ID Protection that are triggered by sign-in activity originating from anonymized IP addresses. Such addresses are typically associated with anonymity networks such as Tor, commercial VPNs, or proxy services, and their use can indicate an attempt to evade security controls or, in some cases, account compromise. The rule matches only sign-ins whose source IP Entra ID Protection has categorized as anonymized, so each hit should be treated as a candidate security incident rather than a confirmed one.

Investigation centers on validating the legitimacy of both the IP address and the user activity, using data points such as the sign-in location, user agent string, and the user's historical sign-in patterns. Recommended analysis steps are to compare the reported geographic location against the user's known sign-in locations, to check threat intelligence feeds for the IP's reputation, and to review the user's behavior in related logs (for example, subsequent sign-ins, MFA events, and application activity from the same session).

False positives are possible, particularly in environments where users legitimately use anonymization tools for privacy reasons; documenting such users as known exceptions reduces noise. For sign-ins determined to be unauthorized, an established remediation strategy is essential, including notifying the user and resetting the password.
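The following is an added triage helper illustrating the logic described above; it is not part of the original rule or of Microsoft's tooling. It filters constructed risk-detection records shaped like the Microsoft Graph riskDetection resource (riskEventType, riskState, ipAddress, userPrincipalName, location) for the anonymizedIPAddress event type, then scores each hit against a user location baseline, a threat-intelligence reputation lookup, and a list of users with documented anonymizer exceptions. The baseline, the reputation table, and the approved-user set are assumed inputs that a real deployment would derive from historical sign-in logs, its TI provider, and its exception register.

```python
"""Triage of Entra ID Protection 'anonymizedIPAddress' risk detections (added example).

Field names mirror the Microsoft Graph riskDetection resource. All records, the user
baseline, the reputation table and the exception list below are constructed sample
data, not real telemetry.
"""

ANONYMIZED_EVENT = "anonymizedIPAddress"
# riskState values that mean the detection has already been closed out.
CLOSED_STATES = {"dismissed", "remediated", "confirmedSafe"}

# Constructed sample detections in riskDetection shape.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskState": "atRisk", "ipAddress": "203.0.113.10",
     "userPrincipalName": "alice@example.com",
     "location": {"countryOrRegion": "DE", "city": "Frankfurt"}},
    {"id": "det-2", "riskEventType": "unfamiliarFeatures", "riskLevel": "low",
     "riskState": "atRisk", "ipAddress": "192.0.2.44",
     "userPrincipalName": "carol@example.com",
     "location": {"countryOrRegion": "US", "city": "Denver"}},
    {"id": "det-3", "riskEventType": "anonymizedIPAddress", "riskLevel": "high",
     "riskState": "atRisk", "ipAddress": "198.51.100.7",
     "userPrincipalName": "bob@example.com",
     "location": {"countryOrRegion": "NL", "city": "Amsterdam"}},
    {"id": "det-4", "riskEventType": "anonymizedIPAddress", "riskLevel": "low",
     "riskState": "dismissed", "ipAddress": "203.0.113.99",
     "userPrincipalName": "bob@example.com",
     "location": {"countryOrRegion": "US", "city": "Austin"}},
]

# Constructed baseline: countries each user has historically signed in from.
USER_BASELINE = {"alice@example.com": {"DE", "FR"}, "bob@example.com": {"US"}}
# Constructed stand-in for a threat-intelligence reputation lookup.
TI_REPUTATION = {"198.51.100.7": "tor-exit-node"}
# Constructed register of users with a documented, approved privacy-VPN exception.
APPROVED_ANONYMIZER_USERS = {"alice@example.com"}


def select_anonymized_ip_detections(detections, include_closed=False):
    """Yield detections raised for anonymized IPs, skipping closed ones by default."""
    for d in detections:
        if d.get("riskEventType") != ANONYMIZED_EVENT:
            continue
        if not include_closed and d.get("riskState") in CLOSED_STATES:
            continue
        yield d


def triage(detection, baseline, reputation, approved):
    """Score one detection against the investigation checks from the summary."""
    findings = []
    score = 0
    upn = detection.get("userPrincipalName")
    country = (detection.get("location") or {}).get("countryOrRegion")

    # Check 1: does the sign-in country match the user's historical pattern?
    if country and country not in baseline.get(upn, set()):
        findings.append(f"country {country} not in baseline for {upn}")
        score += 2
    # Check 2: what does threat intelligence say about the source IP?
    rep = reputation.get(detection.get("ipAddress"))
    if rep:
        findings.append(f"threat intel reputation: {rep}")
        score += 2
    # Check 3: is this a user with a documented anonymizer exception?
    if upn in approved:
        findings.append("user has a documented anonymizer exception")
        score -= 2
    # Entra's own risk level nudges the score but does not decide it.
    if detection.get("riskLevel") == "high":
        score += 1

    if score >= 2:
        verdict = "investigate"      # candidate for password reset and user notification
    elif score <= 0:
        verdict = "likely_benign"    # close as false positive after a quick review
    else:
        verdict = "review"
    return {"verdict": verdict, "score": score, "findings": findings}


def triage_all(detections, baseline=USER_BASELINE, reputation=TI_REPUTATION,
               approved=APPROVED_ANONYMIZER_USERS):
    """Map detection id -> triage result for every open anonymized-IP detection."""
    return {d["id"]: triage(d, baseline, reputation, approved)
            for d in select_anonymized_ip_detections(detections)}


if __name__ == "__main__":
    for det_id, result in triage_all(SAMPLE_DETECTIONS).items():
        print(det_id, result["verdict"], result["score"], "; ".join(result["findings"]))
```

The scoring weights are illustrative; the point is that the decision combines the three checks the summary names rather than trusting any one of them, and that detections already closed in Entra (dismissed, remediated, confirmedSafe) are excluded so analysts do not re-triage work that is done.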
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Cloud Service
- Application Log
ATT&CK Techniques
- T1090
Created: 2025-04-29