kqlHunting

# SignIn From Suspicious IP

This query combines threat intelligence feeds with Entra ID sign-in information.

## Data Sources

- AADSignInEventsBeta
- ThreatIntelligenceIndicator

## Platforms

- azure-ad
- azure-sentinel
- microsoft-defender

## Tags

- azure-active-directory
- threat-intelligence

## Detection Query (Defender XDR)

```KQL
let IPs = ThreatIntelligenceIndicator
    | where isnotempty(NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
AADSignInEventsBeta
| where IPAddress in (IPs)
| project TimeGenerated, AccountUpn, IPAddress, Country
```
## Sentinel
```KQL
let IPs = ThreatIntelligenceIndicator
    | where isnotempty( NetworkSourceIP)
    | where ConfidenceScore > 70
    | distinct NetworkSourceIP;
SigninLogs
| where IPAddress in (IPs)
| project TimeGenerated, UserPrincipalName, IPAddress, Location
```
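The query above tells you that a sign-in came from an IP that appears in the threat-intelligence table, but not which indicator matched, how confident the feed was, or whether the indicator is still current. The variant below is an added example, not part of the kqlHunting entry: it keeps the same `ConfidenceScore > 70` threshold but also drops inactive or expired indicators, collapses the multiple versions of one indicator that the table holds to the newest, and joins the indicator context onto every matching sign-in. The two `datatable` literals are constructed sample rows that stand in for the real `ThreatIntelligenceIndicator` and `SigninLogs` tables so the query runs in any Kusto environment; in a Sentinel workspace, delete those two `let` statements and the names resolve to the real tables. It assumes the Sentinel `ThreatIntelligenceIndicator` schema carries the `IndicatorId`, `Active`, `ExpirationDateTime`, `ThreatType` and `Description` columns and that `SigninLogs.ResultType` is `"0"` for a successful sign-in.

```kql
// Added example (not from the kqlHunting entry): IP match with indicator context.
// Constructed sample rows standing in for ThreatIntelligenceIndicator.
let ThreatIntelligenceIndicator = datatable(
    TimeGenerated:datetime, IndicatorId:string, NetworkSourceIP:string,
    ConfidenceScore:int, Active:bool, ExpirationDateTime:datetime,
    ThreatType:string, Description:string)
[
    // constructed: active, high confidence; first version of the indicator
    datetime(2024-05-01 08:00), "ind-001", "203.0.113.10", 90, true, datetime(2030-01-01), "Botnet", "C2 node (sample)",
    // constructed: same indicator re-ingested later; arg_max keeps this newer version
    datetime(2024-05-02 08:00), "ind-001", "203.0.113.10", 95, true, datetime(2030-01-01), "Botnet", "C2 node (sample, updated)",
    // constructed: expired indicator, must not produce a hit
    datetime(2024-05-01 08:00), "ind-002", "198.51.100.7", 99, true, datetime(2024-01-01), "Phishing", "expired (sample)",
    // constructed: below the confidence threshold, must not produce a hit
    datetime(2024-05-01 08:00), "ind-003", "192.0.2.55", 40, true, datetime(2030-01-01), "Scanner", "low confidence (sample)",
    // constructed: indicator with no source IP (e.g. hash-only), filtered by isnotempty
    datetime(2024-05-01 08:00), "ind-004", "", 95, true, datetime(2030-01-01), "Malware", "hash-only indicator (sample)"
];
// Constructed sample rows standing in for SigninLogs.
let SigninLogs = datatable(
    TimeGenerated:datetime, UserPrincipalName:string, IPAddress:string,
    Location:string, ResultType:string)
[
    datetime(2024-05-03 09:15), "alice@example.com", "203.0.113.10", "NL", "0",     // constructed: matches ind-001, success
    datetime(2024-05-03 09:16), "alice@example.com", "203.0.113.10", "NL", "50126", // constructed: matches ind-001, failed attempt
    datetime(2024-05-03 10:00), "bob@example.com",   "198.51.100.7", "US", "0",     // constructed: only the expired indicator matches
    datetime(2024-05-03 11:00), "carol@example.com", "192.0.2.55",   "DE", "0",     // constructed: only the low-confidence indicator matches
    datetime(2024-05-03 12:00), "dave@example.com",  "10.0.0.4",     "NL", "0"      // constructed: no indicator at all
];
// Current, trustworthy indicators only: one row per IndicatorId, the newest version.
let Indicators = ThreatIntelligenceIndicator
    | where isnotempty(NetworkSourceIP)
    | where Active == true
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | where ExpirationDateTime > now()
    | where ConfidenceScore > 70
    | project IndicatorId, NetworkSourceIP, ConfidenceScore, ThreatType, Description;
// Inner join keeps the indicator fields on every hit, then one row per user/IP/indicator.
SigninLogs
| join kind=inner Indicators on $left.IPAddress == $right.NetworkSourceIP
| summarize
    FirstSeen = min(TimeGenerated),
    LastSeen = max(TimeGenerated),
    SuccessfulSignIns = countif(ResultType == "0"),
    FailedSignIns = countif(ResultType != "0"),
    Locations = make_set(Location)
    by UserPrincipalName, IPAddress, IndicatorId, ConfidenceScore, ThreatType, Description
| order by ConfidenceScore desc, LastSeen desc
```

With the sample rows, only alice@example.com from 203.0.113.10 is returned (indicator ind-001, confidence 95 from the newer version, one successful and one failed sign-in); bob's and carol's sign-ins are excluded because their only matching indicators are expired or low-confidence, which the original `distinct NetworkSourceIP` list would not distinguish. Splitting successful from failed sign-ins matters for triage: a successful sign-in from a known-bad address is the case that needs a session review, while a burst of failures is more likely password spraying against the account.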