Alert Playbook - Cloud Identity
Login Context
- Identify the normal user behavior and login details:
- Sentinel Query: CTS - Unified SignIn Logs
- Baseline: Country, Device Name, OS, OS version, Browser, User Agent
- Does the login come from a Managed Device?
IP Address
- Is the IP a potential VPN/Anonymizer?
- Verify IP reputation:
- Is it an Azure IP? Can help rule out FPs (i.e. an AVD login)
Hunt for Context
- Is the IP seen by other users in the past?
- Sentinel Query: CTS - Unified SignIn Logs -> replace the UserPrincipalName filter with IPAddress
- Are there any hits for the IP in Defender? Can help identify whether the IP was contacted from a Managed Device, and by which process.
- Defender Query: search "x.x.x.x"
- Verify the user's audit logs for suspicious activity:
- Sentinel Query: CTS - Audit Logs - User
- Verify the user's job position, the country of origin suggested by their name/surname, OSINT, etc.: Can help rule out benign travel activity.
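The Login Context and Hunt for Context steps above (baseline the user's sign-in attributes, check for a Managed Device, and check whether other users have used the IP) combined into one Sentinel KQL query. This is an added example, not the playbook's own "CTS - Unified SignIn Logs" query; it assumes the standard Sentinel SigninLogs table, and the UPN and time windows are placeholders.

```kql
// Added example, not the playbook's own "CTS - Unified SignIn Logs" query.
// Assumes the Microsoft Sentinel SigninLogs table; UPN and windows are placeholders.
let upn = "first.last@example.com";   // placeholder: the user from the alert
let lookback = 30d;                   // baseline window
let recent = 1d;                      // window containing the alerted sign-in
// Baseline: what this user's successful sign-ins normally look like.
let baseline = SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(recent))
    | where UserPrincipalName =~ upn and ResultType == 0
    | extend Country = tostring(LocationDetails.countryOrRegion),
             DeviceName = tostring(DeviceDetail.displayName),
             OS = tostring(DeviceDetail.operatingSystem),
             Browser = tostring(DeviceDetail.browser)
    | summarize Countries = make_set(Country), Devices = make_set(DeviceName),
                OSes = make_set(OS), Browsers = make_set(Browser),
                UserAgents = make_set(UserAgent), KnownIPs = make_set(IPAddress)
    | extend K = 1;
// Hunt for context: how many other users signed in from each IP in the window.
let otherUsers = SigninLogs
    | where TimeGenerated > ago(lookback) and UserPrincipalName !~ upn
    | summarize OtherUsersOnIP = dcount(UserPrincipalName) by IPAddress;
// Recent sign-ins for the user, flagged on each attribute that deviates.
SigninLogs
| where TimeGenerated > ago(recent) and UserPrincipalName =~ upn
| extend Country = tostring(LocationDetails.countryOrRegion),
         DeviceName = tostring(DeviceDetail.displayName),
         OS = tostring(DeviceDetail.operatingSystem),
         Browser = tostring(DeviceDetail.browser),
         IsManaged = tobool(DeviceDetail.isManaged),
         K = 1
| join kind=inner baseline on K
| join kind=leftouter otherUsers on IPAddress
| extend NewCountry = not(set_has_element(Countries, Country)),
         NewDevice = not(set_has_element(Devices, DeviceName)),
         NewOS = not(set_has_element(OSes, OS)),
         NewBrowser = not(set_has_element(Browsers, Browser)),
         NewUserAgent = not(set_has_element(UserAgents, UserAgent)),
         NewIP = not(set_has_element(KnownIPs, IPAddress))
| project TimeGenerated, IPAddress, Country, DeviceName, IsManaged, OS, Browser,
          UserAgent, ResultType, NewCountry, NewDevice, NewOS, NewBrowser,
          NewUserAgent, NewIP, OtherUsersOnIP = coalesce(OtherUsersOnIP, 0)
| order by TimeGenerated desc
```

A row where every New* flag is false and IsManaged is true is usually benign; a new country plus a new IP that no other user has touched, from an unmanaged device, is the case to carry into the escalation form.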
Escalation Form
Fill out the form below before escalating an alert. Take a screenshot of the output or select and copy the entire page and share it with the relevant people: