<  Back to rules search

Azure Active Directory Risky Sign-In


Set up the azure integration.



Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.


Monitor Azure Active Directory sign in activity (@evt.name:"Sign-in activity") and generate a signal when Azure identifies the user as risky or compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").

Triage and response

  1. Analyze the location (@network.client.geoip.subdivision.name) of {{@usr.id}} to determine if they’re logging into from their usual location.
  2. If log in activity is not legitimate, disable {{@usr.id}} account.
  3. Investigate any devices owned by {{@usr.id}}.