Azure Active Directory risky sign-in

Set up the Azure integration.


Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.


Monitor Azure Active Directory sign-in activity ("Sign-in activity") and generate a signal when Azure Identity Protection marks the sign-in's user as at risk or confirmed compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").

Triage and response

  1. Analyze the sign-in location of {{}} to determine whether they are signing in from their usual location.
  2. If the sign-in activity is not legitimate, disable the {{}} account.
  3. Investigate any devices owned by {{}}.
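The following is an added example, not part of the Datadog rule or the Azure integration, that applies the rule's match condition and the first triage step to a few constructed Azure AD sign-in events: it flags events whose `properties.riskState` is `atRisk` or `confirmedCompromised`, then compares each flagged user's sign-in country with a hypothetical baseline of countries they usually sign in from. The log lines, user names and baseline are constructed for the example.

```python
import json
from typing import Iterable

# Azure Identity Protection riskState values the rule treats as a hit.
RISKY_STATES = {"atRisk", "confirmedCompromised"}

# Constructed sample sign-in events, one JSON object per line, shaped like the
# Azure AD SignInLogs records an integration forwards. Not real log data.
SAMPLE_SIGNIN_LOGS = """
{"category": "SignInLogs", "properties": {"userPrincipalName": "alice@example.com", "riskState": "none", "riskLevelDuringSignIn": "none", "location": {"city": "Dublin", "countryOrRegion": "IE"}}}
{"category": "SignInLogs", "properties": {"userPrincipalName": "bob@example.com", "riskState": "atRisk", "riskLevelDuringSignIn": "medium", "location": {"city": "Lagos", "countryOrRegion": "NG"}}}
{"category": "SignInLogs", "properties": {"userPrincipalName": "carol@example.com", "riskState": "confirmedCompromised", "riskLevelDuringSignIn": "high", "location": {"city": "Berlin", "countryOrRegion": "DE"}}}
{"category": "SignInLogs", "properties": {"userPrincipalName": "dave@example.com", "riskState": "remediated", "riskLevelDuringSignIn": "low", "location": {"city": "Austin", "countryOrRegion": "US"}}}
"""

# Hypothetical baseline of countries each user normally signs in from. In
# practice this would be built from historical sign-in logs for the tenant.
USUAL_COUNTRIES = {
    "alice@example.com": {"IE"},
    "bob@example.com": {"GB"},
    "carol@example.com": {"DE"},
}


def parse_events(raw: str) -> list[dict]:
    """Parse newline-delimited JSON, skipping blank lines and malformed records."""
    events = []
    for line in raw.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            # A broken record must not stop the detection from seeing the rest.
            continue
    return events


def is_risky_signin(event: dict) -> bool:
    """Equivalent of matching @properties.riskState against atRisk/confirmedCompromised."""
    props = event.get("properties", {})
    return props.get("riskState", "") in RISKY_STATES


def location_is_unusual(event: dict, baseline: dict[str, set[str]]) -> bool:
    """Triage step 1: is this sign-in from a country the user does not normally use?

    A user with no baseline is reported as unusual, because nothing confirms
    the location as normal; an analyst still has to look.
    """
    props = event.get("properties", {})
    user = props.get("userPrincipalName", "")
    country = props.get("location", {}).get("countryOrRegion", "")
    known = baseline.get(user)
    if not known:
        return True
    return country not in known


def triage(raw: str, baseline: dict[str, set[str]]) -> list[dict]:
    """Run the match condition over the log lines and enrich each hit for triage."""
    findings = []
    for event in parse_events(raw):
        if not is_risky_signin(event):
            continue
        props = event["properties"]
        findings.append({
            "user": props.get("userPrincipalName", ""),
            "risk_state": props.get("riskState", ""),
            "risk_level": props.get("riskLevelDuringSignIn", ""),
            "country": props.get("location", {}).get("countryOrRegion", ""),
            "unusual_location": location_is_unusual(event, baseline),
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_SIGNIN_LOGS, USUAL_COUNTRIES):
        print(finding)
```

Of the four constructed events, only bob's (`atRisk`) and carol's (`confirmedCompromised`) produce findings; alice's `none` and dave's `remediated` do not, even though dave's record carries a non-zero risk level. Bob's sign-in from NG is outside his baseline, so it is marked as an unusual location, while carol's from DE is not; the `riskState` match decides whether a signal fires, and the location check only orders the analyst's attention.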


14 June 2022 - Updated rule query.