Azure Active Directory risky sign-in

Set up the Azure integration.


Goal

Detect whenever Azure AD Identity Protection classifies an Azure Active Directory sign-in as risky or confirmed compromised.

Strategy

Monitor Azure Active Directory sign-in activity (@evt.name:"Sign-in activity") and generate a signal when Identity Protection marks the sign-in's risk state as at risk or confirmed compromised (@properties.riskState:("atRisk" OR "confirmedCompromised")). Other risk states that Azure reports, such as none, dismissed, remediated or confirmedSafe, do not trigger the rule.

Triage and response

  1. Analyze the sign-in location (@network.client.geoip.subdivision.name) of {{@usr.id}} and compare it with the locations the user normally signs in from.
  2. If the sign-in is not legitimate, disable the {{@usr.id}} account and revoke its active sessions.
  3. Investigate any devices owned by {{@usr.id}}, since a confirmed compromised sign-in may indicate a compromised endpoint as well as stolen credentials.
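The following Python script is an added example, not part of the original rule page or Datadog's own code. It applies the rule's query logic from the Strategy section to a constructed sample of events shaped like Datadog-normalized Azure AD sign-in logs (the user names, regions and riskState values in the sample are made up) and then performs the first triage step by comparing each risky sign-in's location with the user's baseline of non-risky sign-ins. The dotted attribute paths mirror the ones the rule uses; the baseline function is a hypothetical stand-in for querying the user's sign-in history in the log index.

```python
"""
Added example: the Azure AD risky sign-in rule logic, run offline over
constructed sample events shaped like Datadog-normalized Azure AD sign-in
logs. The events, user names and regions are made up for this illustration.
"""
import json

# riskState values that the rule treats as risky; other Azure values
# (none, confirmedSafe, remediated, dismissed) do not produce a signal.
RISKY_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample log, one JSON event per line (not real telemetry).
# The last line has a matching riskState but the wrong evt.name, to show
# that the event-type filter is part of the rule.
SAMPLE_LOG = """
{"evt":{"name":"Sign-in activity"},"usr":{"id":"alice@example.com"},"properties":{"riskState":"none"},"network":{"client":{"geoip":{"subdivision":{"name":"Washington"}}}}}
{"evt":{"name":"Sign-in activity"},"usr":{"id":"alice@example.com"},"properties":{"riskState":"none"},"network":{"client":{"geoip":{"subdivision":{"name":"Washington"}}}}}
{"evt":{"name":"Sign-in activity"},"usr":{"id":"alice@example.com"},"properties":{"riskState":"atRisk"},"network":{"client":{"geoip":{"subdivision":{"name":"Bavaria"}}}}}
{"evt":{"name":"Sign-in activity"},"usr":{"id":"bob@example.com"},"properties":{"riskState":"none"},"network":{"client":{"geoip":{"subdivision":{"name":"Texas"}}}}}
{"evt":{"name":"Sign-in activity"},"usr":{"id":"bob@example.com"},"properties":{"riskState":"confirmedCompromised"},"network":{"client":{"geoip":{"subdivision":{"name":"Texas"}}}}}
{"evt":{"name":"Sign-in activity"},"usr":{"id":"carol@example.com"},"properties":{"riskState":"dismissed"},"network":{"client":{"geoip":{"subdivision":{"name":"Ontario"}}}}}
{"evt":{"name":"Audit activity"},"usr":{"id":"dave@example.com"},"properties":{"riskState":"atRisk"}}
"""


def get_attr(event, path):
    """Resolve a dotted Datadog attribute path such as 'properties.riskState'."""
    node = event
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def load_events(raw):
    """Parse newline-delimited JSON, skipping blank lines."""
    return [json.loads(line) for line in raw.splitlines() if line.strip()]


def is_risky_sign_in(event):
    """The rule query: @evt.name:"Sign-in activity" AND
    @properties.riskState:("atRisk" OR "confirmedCompromised")."""
    return (get_attr(event, "evt.name") == "Sign-in activity"
            and get_attr(event, "properties.riskState") in RISKY_STATES)


def usual_locations(events, user_id):
    """Triage baseline (hypothetical helper): subdivisions the user has signed in
    from with riskState 'none'. A real investigation would pull this history
    from the log index; here it is derived from the same sample events."""
    return {
        get_attr(e, "network.client.geoip.subdivision.name")
        for e in events
        if get_attr(e, "evt.name") == "Sign-in activity"
        and get_attr(e, "usr.id") == user_id
        and get_attr(e, "properties.riskState") == "none"
    }


def triage(events):
    """Generate one signal per risky sign-in, annotated with whether the sign-in
    location matches the user's baseline (triage step 1)."""
    signals = []
    for e in events:
        if not is_risky_sign_in(e):
            continue
        user = get_attr(e, "usr.id")
        location = get_attr(e, "network.client.geoip.subdivision.name")
        signals.append({
            "usr.id": user,
            "riskState": get_attr(e, "properties.riskState"),
            "location": location,
            "location_is_usual": location in usual_locations(events, user),
        })
    return signals


SIGNALS = triage(load_events(SAMPLE_LOG))

if __name__ == "__main__":
    for s in SIGNALS:
        print(s)
```

Running the script yields two signals: alice's at-risk sign-in from an unusual region, and bob's confirmed compromised sign-in from his usual region. The second case is the reason step 1 alone does not clear a signal: a confirmed compromise from a familiar location still warrants disabling the account and checking the user's devices.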

Changelog

14 June 2022 - Updated rule query.