An IP address that the on-premises firewall has already denied can still reach Microsoft Entra ID directly, because cloud sign-ins do not pass through that firewall. A successful Entra ID sign-in from such an IP is therefore suspect and may indicate credential compromise or lateral movement. SOC teams should proactively hunt for this pattern in their Azure Sentinel environment.
KQL Query
let aadFunc = (tableName:string){
// Non-private source IPs that the Cisco firewall denied in the query period
CommonSecurityLog
| where DeviceVendor =~ "Cisco"
| where DeviceAction =~ "denied"
| where ipv4_is_private(SourceIP) == false
| summarize count() by SourceIP
| join (
// Successful signins from IPs blocked by the firewall solution are suspect
// Include fully successful sign-ins, but also ones that failed only at MFA stage
// as that supposes the password was successfully guessed.
table(tableName)
| where ResultType in ("0", "50074", "50076")
) on $left.SourceIP == $right.IPAddress
// Split the UPN into the parts the Account entity mapping expects
| extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
};
// Run the same correlation over interactive and non-interactive sign-ins
let aadSignin = aadFunc("SigninLogs");
let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
union isfuzzy=true aadSignin, aadNonInt
id: 157c0cfc-d76d-463b-8755-c781608cdc1a
name: Cisco - firewall block but success logon to Microsoft Entra ID
description: |
  'Correlate IPs blocked by a Cisco firewall appliance with successful Microsoft Entra ID signins.
  Because the IP was blocked by the firewall, that same IP logging on successfully to Entra ID is potentially suspect and could indicate credential compromise for the user account.'
severity: Medium
requiredDataConnectors:
  - connectorId: CiscoASA
    dataTypes:
      - CommonSecurityLog
  - connectorId: AzureActiveDirectory
    dataTypes:
      - SigninLogs
  - connectorId: AzureActiveDirectory
    dataTypes:
      - AADNonInteractiveUserSignInLogs
queryFrequency: 1d
queryPeriod: 1d
triggerOperator: gt
triggerThreshold: 0
tactics:
  - InitialAccess
relevantTechniques:
  - T1078
query: |
  let aadFunc = (tableName:string){
  CommonSecurityLog
  | where DeviceVendor =~ "Cisco"
  | where DeviceAction =~ "denied"
  | where ipv4_is_private(SourceIP) == false
  | summarize count() by SourceIP
  | join (
  // Successful signins from IPs blocked by the firewall solution are suspect
  // Include fully successful sign-ins, but also ones that failed only at MFA stage
  // as that supposes the password was successfully guessed.
  table(tableName)
  | where ResultType in ("0", "50074", "50076")
  ) on $left.SourceIP == $right.IPAddress
  | extend AccountName = tostring(split(UserPrincipalName, "@")[0]), AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1])
  };
  let aadSignin = aadFunc("SigninLogs");
  let aadNonInt = aadFunc("AADNonInteractiveUserSignInLogs");
  union isfuzzy=true aadSignin, aadNonInt
entityMappings:
  - entityType: Account
    fieldMappings:
      - identifier: FullName
        columnName: UserPrincipalName
      - identifier: Name
        columnName: AccountName
      - identifier: UPNSuffix
        columnName: AccountUPNSuffix
  - entityType: IP
    fieldMappings:
      - identifier: Address
        columnName: SourceIP
version: 1.0.6
kind: Scheduled
metadata:
  source:
    kind: Community
  author:
    name: Microsoft Security Research
  support:
    tier: Community
  categories:
    domains: [ "Security - Network" ]
| Sentinel Table | Notes |
|---|---|
| AADNonInteractiveUserSignInLogs | Ensure this data connector is enabled |
| CommonSecurityLog | Ensure this data connector is enabled |
| SigninLogs | Ensure this data connector is enabled |
Scenario: Scheduled Job for Password Reset via IP Address
Description: A scheduled job or automated script runs a password reset process for an admin account from a known IP address that the firewall blocks (e.g., due to a misconfigured rule).
Filter/Exclusion: Exclude the IP addresses used by internal administrative tooling such as Azure AD / Microsoft Entra ID password reset. In this query the firewall source column is SourceIP, so the exclusion takes the form:
| where SourceIP !in ("<IPs associated with Azure AD Password Reset>")
Scenario: System Health Monitoring Tool Sign-In
Description: A system health monitoring tool (e.g., Microsoft Intune, Microsoft Endpoint Manager, or Microsoft Defender for Endpoint) signs in to Microsoft Entra ID from a known IP address that the firewall recently blocked during a security update or policy change.
Filter/Exclusion: Exclude the IP addresses used by the Microsoft Intune or Microsoft Endpoint Manager services:
| where SourceIP !in ("<IPs used by Microsoft Intune or Microsoft Endpoint Manager>")
Scenario: Automated Backup Job Sign-In
Description: An automated backup job (e.g., Veeam, Commvault, or Microsoft Azure Backup) authenticates to Microsoft Entra ID from an IP address that the firewall temporarily blocked during a network maintenance window.
Filter/Exclusion: Exclude the IP addresses used by backup tools or cloud backup services:
| where SourceIP !in ("<IPs used by Veeam or Azure Backup>")
Scenario: Admin Task via Remote Desktop or PowerShell Remoting
Description: An admin performs a task remotely using Remote Desktop or PowerShell Remoting from an IP address that was blocked by the firewall
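The following is an added example of how the rule's query can be tuned for the false-positive scenarios above; it is not the rule's own query and is not from the Azure Sentinel repository. It makes two changes to the aadFunc pattern on this page: it removes denied IPs that fall inside an allowlist of known service egress ranges (the ranges shown are constructed placeholders from RFC 5737 documentation space), and it requires the sign-in to occur after the first firewall denial within a bounded window, since the original join matches any denial and any sign-in in the same day regardless of order. The 6-hour window and the allowlist contents are assumptions; SourceIP, IPAddress, UserPrincipalName and ResultType come from the page, and AppDisplayName is a standard column of both sign-in tables.

```kusto
// Added example, not the rule's own query. Tuning over the page's aadFunc:
// (1) suppress denied IPs that belong to known service egress ranges, and
// (2) require the sign-in to follow the first denial within a bounded window.
let lookback = 1d;                       // matches the rule's queryPeriod
let followWindow = 6h;                   // assumption: sign-in within 6h of the denial
// Constructed placeholder ranges (RFC 5737). Replace with the egress ranges of your
// password-reset tooling, Intune/MDM, backup services and admin jump hosts, or
// source them from a Sentinel Watchlist.
let allowedServiceRanges = dynamic(["203.0.113.0/24", "198.51.100.10/32"]);
let blockedIPs =
    CommonSecurityLog
    | where TimeGenerated > ago(lookback)
    | where DeviceVendor =~ "Cisco"
    | where DeviceAction =~ "denied"
    | where ipv4_is_private(SourceIP) == false
    | where not(ipv4_is_in_any_range(SourceIP, allowedServiceRanges))
    | summarize DenyCount = count(), FirstDeny = min(TimeGenerated), LastDeny = max(TimeGenerated) by SourceIP;
let aadFunc = (tableName:string) {
    blockedIPs
    | join kind=inner (
        table(tableName)
        | where TimeGenerated > ago(lookback)
        // 0 = fully successful; 50074 / 50076 = password accepted, failed at MFA stage
        | where ResultType in ("0", "50074", "50076")
        | project SigninTime = TimeGenerated, IPAddress, UserPrincipalName, ResultType, AppDisplayName
    ) on $left.SourceIP == $right.IPAddress
    // Keep only sign-ins that occur after the first denial and inside the window
    | where SigninTime between (FirstDeny .. (FirstDeny + followWindow))
    | extend AccountName = tostring(split(UserPrincipalName, "@")[0]),
             AccountUPNSuffix = tostring(split(UserPrincipalName, "@")[1]),
             MfaOnlyFailure = ResultType != "0"
    | project SourceIP, DenyCount, FirstDeny, LastDeny, SigninTime, UserPrincipalName,
              AccountName, AccountUPNSuffix, ResultType, MfaOnlyFailure, AppDisplayName
};
union isfuzzy=true aadFunc("SigninLogs"), aadFunc("AADNonInteractiveUserSignInLogs")
// One row per (IP, account): the earliest qualifying sign-in after the denial
| summarize arg_min(SigninTime, *) by SourceIP, UserPrincipalName
| order by SigninTime asc
```

Because the allowlist is applied before the join, a service IP that was blocked by a misconfigured rule never produces an alert, which is the behaviour the Password Reset, Intune and Backup scenarios ask for. The MfaOnlyFailure column separates "password accepted but MFA failed" rows (a strong credential-compromise signal) from fully successful sign-ins, so triage can prioritise them; the per-IP DenyCount and FirstDeny/LastDeny columns give the analyst the firewall context without a second query.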