Techniques
Sample rules
Activity from Anonymous IP Addresses
- source: sigma
- techniques:
  - t1573
Description
Detects when Microsoft Cloud App Security reports that users were active from an IP address that has been identified as an anonymous proxy IP address.
Detection logic
condition: selection
selection:
  eventName: Activity from anonymous IP addresses
  eventSource: SecurityComplianceCenter
  status: success