kingslavcho (New Member, joined Nov 21, 2022, 2 messages), Thread Author, #1
Hello dear friends.
I wanted to ask you about some logs from my Exchange server which I collect with QRadar. They all have QID 5000830 or EventID 4624, which is a successful login to a server or similar.
I use a rule which tells me if someone logs in to the Exchange server from an external IP outside my country.
The problem is that I get logs with QID 5000830 or EventID 4624 and, for a big part of the IPs, when I check them the ISP is Microsoft Corporation, services: Datacenter. I have doubts about these IPs and I think they are fraudulent. I checked them on ipqualityscore also and there the fraud score is 65. What do you think about this? I also read that Microsoft Corporation has partnered up with some company to provide some internet services, but I am not so sure about this. If the IPs are fraudulent I am quite sure that I have to disable some accounts and change passwords also.
In the attachment are the results from both of the web services I use to check the IPs that connect to my Exchange server.
Can you please tell me if these results are false positives and the behavior of the Exchange server is normal, or whether the connections are from fraudulent IPs which I have to block on my firewall, and also disable users and change their passwords?
Thank you!
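As an added example, not code from the original post, here is a Python triage script that applies the poster's rule (EventID 4624, source IP outside the home country) and separates logons from a datacenter range into their own review bucket instead of treating them as proven fraud. The event records, the home country code and the CIDR list are constructed placeholders (RFC 5737 documentation ranges), not real Microsoft prefixes; the field names are assumptions, not QRadar's actual schema.

```python
import ipaddress

# Constructed sample: four normalized Windows logon events (hypothetical fields).
# Logon type 3 = Network, 8 = NetworkCleartext, 10 = RemoteInteractive.
SAMPLE_EVENTS = [
    {"eventid": 4624, "user": "j.smith",    "src_ip": "203.0.113.7",   "logon_type": 3,  "country": "BG"},
    {"eventid": 4624, "user": "svc-hybrid", "src_ip": "198.51.100.20", "logon_type": 8,  "country": "US"},
    {"eventid": 4624, "user": "a.petrov",   "src_ip": "192.0.2.55",    "logon_type": 10, "country": "RU"},
    {"eventid": 4625, "user": "a.petrov",   "src_ip": "192.0.2.55",    "logon_type": 10, "country": "RU"},
]

HOME_COUNTRY = "BG"  # assumption: set this to your own country code

# Placeholder for the cloud provider's published address ranges. Load the real
# list from the provider's own feed; this documentation prefix is a stand-in.
CLOUD_RANGES = [ipaddress.ip_network("198.51.100.0/24")]


def in_cloud_ranges(ip: str) -> bool:
    """True if the source address falls inside a known datacenter range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUD_RANGES)


def classify(event: dict) -> str:
    """Return a triage label for one logon event."""
    if event["eventid"] != 4624:            # only successful logons matter here
        return "ignore"
    if event["country"] == HOME_COUNTRY:    # the poster's rule does not fire
        return "domestic"
    if in_cloud_ranges(event["src_ip"]):
        # A datacenter ISP is not evidence either way: such ranges carry both
        # legitimate hosted services and attacker-rented VMs. Confirm the
        # account, logon type and time against known service configuration
        # before deciding on password resets.
        return "cloud-review"
    return "foreign-escalate"               # outside home country, not a datacenter


def triage(events: list) -> dict:
    """Group events by triage label as (user, src_ip, logon_type) tuples."""
    buckets: dict = {}
    for ev in events:
        label = classify(ev)
        buckets.setdefault(label, []).append((ev["user"], ev["src_ip"], ev["logon_type"]))
    return buckets


if __name__ == "__main__":
    for label, rows in sorted(triage(SAMPLE_EVENTS).items()):
        print(label, rows)
```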