Azure Active Directory risky sign-in

Set up the Azure integration.


Goal

Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.

Strategy

Monitor Azure Active Directory sign-in activity (@evt.name:"Sign-in activity") and generate a signal when Azure Identity Protection marks the user as at risk or confirmed compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").

Triage and response

  1. Analyze the location (@network.client.geoip.subdivision.name) of {{@usr.id}} to determine whether they are logging in from their usual location.
  2. If the sign-in activity is not legitimate, disable the {{@usr.id}} account.
  3. Investigate any devices owned by {{@usr.id}}.
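As an added illustration (not part of this rule or of the Datadog Azure integration), the following Python applies the same condition as the rule query above to a few constructed sign-in records and annotates each signal with the first triage step, comparing the sign-in location with the user's usual location. The flattened attribute names follow the rule text; the sample events and the usual-location baseline are assumptions made for this example.

```python
# Constructed sample events using the flattened attribute names from the rule
# query (@evt.name, @properties.riskState, ...). Users, locations and the
# baseline below are made up for this example.
SAMPLE_EVENTS = [
    {"evt.name": "Sign-in activity", "usr.id": "alice@example.com",
     "properties.riskState": "none",
     "network.client.geoip.subdivision.name": "Washington"},
    {"evt.name": "Sign-in activity", "usr.id": "alice@example.com",
     "properties.riskState": "atRisk",
     "network.client.geoip.subdivision.name": "Hesse"},
    {"evt.name": "Sign-in activity", "usr.id": "bob@example.com",
     "properties.riskState": "confirmedCompromised",
     "network.client.geoip.subdivision.name": "Ontario"},
    # Not a sign-in event: must not match even though riskState is risky.
    {"evt.name": "Audit log", "usr.id": "carol@example.com",
     "properties.riskState": "atRisk",
     "network.client.geoip.subdivision.name": "Texas"},
]

# Assumed baseline of where each user normally signs in from.
USUAL_LOCATION = {"alice@example.com": "Washington", "bob@example.com": "Ontario"}

# The two riskState values the rule query matches.
RISKY_STATES = {"atRisk", "confirmedCompromised"}


def is_risky_signin(event):
    """Mirror the rule query: a sign-in event whose riskState is risky."""
    return (event.get("evt.name") == "Sign-in activity"
            and event.get("properties.riskState") in RISKY_STATES)


def triage(events, usual_location):
    """Return one signal per risky sign-in, annotated with whether the
    sign-in location matches the user's usual location (triage step 1)."""
    signals = []
    for ev in events:
        if not is_risky_signin(ev):
            continue
        user = ev.get("usr.id")
        location = ev.get("network.client.geoip.subdivision.name")
        usual = usual_location.get(user)
        signals.append({
            "user": user,
            "risk_state": ev["properties.riskState"],
            "location": location,
            "usual_location": usual,
            "location_matches_usual": usual is not None and usual == location,
        })
    return signals
```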

Changelog

14 June 2022 - Updated rule query.