Azure Active Directory risky sign-in

azure

Classification:

attack

Tactic:

TA0001-initial-access

Technique:

T1078-valid-accounts

Set up the azure integration.

Goal

Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.

Strategy

Monitor Azure Active Directory sign in activity (@evt.name:"Sign-in activity") and generate a signal when Azure identifies the user as risky or compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").

Triage and response

  1. Analyze the location (@network.client.geoip.subdivision.name) of {{@usr.id}} to determine if they’re logging into from their usual location.
  2. If log in activity is not legitimate, disable {{@usr.id}} account.
  3. Investigate any devices owned by {{@usr.id}}.

Changelog

14 June 2022 - Updated rule query.