
EQL query (Missing IP Info)

Open dhyey0112 opened this issue 9 months ago • 3 comments

I'm building an Elastic detection rule to identify when a user logs in and subsequently modifies their MFA (StrongAuthenticationMethod). The goal is to detect suspicious activity patterns like:

- Account compromise followed by MFA change
- Bypassed MFA protections

Pattern:

- A login event
- Followed by a change in MFA configuration for the same user

```eql
sequence by related.user
  [any where event.action == "UserLoggedIn"]
  [any where event.action == "modified-user-account" and
             o365.audit.ModifiedProperties.StrongAuthenticationMethod.NewValue != null]
```

What I've tried:

- Checked the raw document structure for event.action: "modified-user-account"
- Queried all IP-related fields: source.ip, client.ip, o365.audit.ClientIP
- Confirmed that UserLoggedIn events do contain the IP

Example missing field(s):

- source.ip
- client.ip
- o365.audit.ClientIP

dhyey0112 commented May 28 '25 14:05
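As an added example, not code from the issue or from the elastic/detection-rules project: a small Python simulation of the `sequence by related.user` logic above, run over constructed O365-style documents. It shows that the second stage (modified-user-account) does not need its own IP field for the sequence to match, since the join key is the user, and that the login event which opened the sequence already carries `source.ip`, so the alert can be enriched from it. Field names follow the issue; the sample documents, the 30-minute `maxspan` (which the issue's query does not have) and the helper names are assumptions.

```python
"""Simulate an EQL-style 'login then MFA change' sequence join over constructed
O365 audit documents. Not the project's code; field names follow the issue,
everything else here is assumed for illustration."""
from datetime import datetime, timedelta, timezone

MFA_FIELD = "o365.audit.ModifiedProperties.StrongAuthenticationMethod.NewValue"


def _ts(minutes):
    """Constructed timestamp: minutes after an arbitrary base time."""
    return datetime(2025, 5, 28, 14, 0, tzinfo=timezone.utc) + timedelta(minutes=minutes)


# Constructed sample documents, flattened to dotted field names.
# Only the UserLoggedIn events carry source.ip, mirroring the issue.
SAMPLE_DOCS = [
    {"@timestamp": _ts(0), "event.action": "UserLoggedIn",
     "related.user": "alice@example.com", "source.ip": "203.0.113.10"},
    {"@timestamp": _ts(3), "event.action": "modified-user-account",          # no source.ip
     "related.user": "alice@example.com",
     MFA_FIELD: '[{"MethodType":6,"Default":true}]'},
    {"@timestamp": _ts(5), "event.action": "UserLoggedIn",
     "related.user": "bob@example.com", "source.ip": "198.51.100.7"},
    {"@timestamp": _ts(6), "event.action": "modified-user-account",          # no MFA change -> no match
     "related.user": "bob@example.com"},
    {"@timestamp": _ts(7), "event.action": "modified-user-account",          # no preceding login -> no match
     "related.user": "carol@example.com", MFA_FIELD: '[{"MethodType":7}]'},
    {"@timestamp": _ts(10), "event.action": "UserLoggedIn",
     "related.user": "dave@example.com", "source.ip": "192.0.2.44"},
    {"@timestamp": _ts(50), "event.action": "modified-user-account",         # 40 min later -> outside maxspan
     "related.user": "dave@example.com", MFA_FIELD: '[{"MethodType":6}]'},
]


def is_login(doc):
    return doc.get("event.action") == "UserLoggedIn"


def is_mfa_change(doc):
    # EQL '!= null' on the NewValue field: present and not None.
    return doc.get("event.action") == "modified-user-account" and doc.get(MFA_FIELD) is not None


def login_then_mfa_change(docs, maxspan=timedelta(minutes=30)):
    """Approximate equivalent of:
        sequence by related.user with maxspan=30m
          [any where event.action == "UserLoggedIn"]
          [any where event.action == "modified-user-account" and MFA_FIELD != null]
    Keeps the most recent login per user as the in-flight first stage and
    returns one alert per completed pair. The IP is copied from the login
    event, so the modify event's missing source.ip does not matter."""
    pending = {}   # related.user -> login doc that opened the sequence
    alerts = []
    for doc in sorted(docs, key=lambda d: d["@timestamp"]):
        user = doc.get("related.user")
        if user is None:
            continue              # 'sequence by' skips docs without the join key
        if is_login(doc):
            pending[user] = doc
        elif is_mfa_change(doc) and user in pending:
            login = pending.pop(user)
            if doc["@timestamp"] - login["@timestamp"] <= maxspan:
                alerts.append({
                    "user": user,
                    "login_ip": login.get("source.ip"),      # carried from stage 1
                    "login_time": login["@timestamp"],
                    "mfa_change_time": doc["@timestamp"],
                    "new_mfa_value": doc[MFA_FIELD],
                })
    return alerts


if __name__ == "__main__":
    for alert in login_then_mfa_change(SAMPLE_DOCS):
        print(alert)
```

Only alice produces an alert: bob's account change carries no MFA value, carol has no preceding login, and dave's change falls outside the assumed 30-minute window. The alert's `login_ip` comes from the UserLoggedIn document, which is the event that does carry the address in the issue's data.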

Pinging @elastic/security-detection-rule-management (Team:Detection Rule Management)

elasticmachine commented Jun 26 '25 13:06

@Mikaayenson I'm transferring this issue to https://github.com/elastic/detection-rules in case our team would be willing to help here and this could be considered a candidate for prebuilt rules.

banderror commented Aug 21 '25 11:08

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

botelastic[bot] commented Nov 29 '25 16:11

This has been closed due to inactivity. If you feel this is an error, please re-open and include a justifying comment.

botelastic[bot] commented Dec 06 '25 17:12