Azure Active Directory risky sign-in
Set up the azure integration.
このページは日本語には対応しておりません。随時翻訳に取り組んでいます。
翻訳に関してご質問やご意見ございましたら、
お気軽にご連絡ください。
Goal
Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.
Strategy
Monitor Azure Active Directory sign in activity (@evt.name:"Sign-in activity"
) and generate a signal when Azure identifies the user as risky or compromised (@properties.riskState:"atRisk" OR "confirmedCompromised"
).
Triage and response
- Analyze the location (
@network.client.geoip.subdivision.name
) of {{@usr.id}}
to determine if they’re logging into from their usual location. - If log in activity is not legitimate, disable
{{@usr.id}}
account. - Investigate any devices owned by
{{@usr.id}}
.
Changelog
14 June 2022 - Updated rule query.