Azure Active Directory risky sign-in

azure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the azure integration.

Esta página aún no está disponible en español. Estamos trabajando en su traducción.
Si tienes alguna pregunta o comentario sobre nuestro actual proyecto de traducción, no dudes en ponerte en contacto con nosotros.

Goal

Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.

Strategy

Monitor Azure Active Directory sign in activity (@evt.name:"Sign-in activity") and generate a signal when Azure identifies the user as risky or compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").

Triage and response

  1. Analyze the location (@network.client.geoip.subdivision.name) of {{@usr.id}} to determine if they’re logging into from their usual location.
  2. If log in activity is not legitimate, disable {{@usr.id}} account.
  3. Investigate any devices owned by {{@usr.id}}.

Changelog

14 June 2022 - Updated rule query.