Entra ID Protection - Risk Detection - Sign-in Risk

About

Tags

Domain: CloudDomain: IdentityData Source: AzureData Source: Entra IDUse Case: Identity and Access AuditUse Case: Threat DetectionUse Case: Risk DetectionTactic: Initial AccessLanguage: kuery

Severity

high

Risk Score

73

MITRE ATT&CK™

Initial Access (TA0001)(opens in a new tab or window)

↳ Valid Accounts (T1078)(opens in a new tab or window)

Credential Access (TA0006)(opens in a new tab or window)

↳ Brute Force (T1110)(opens in a new tab or window)

↳ Modify Authentication Process (T1556)(opens in a new tab or window)

Command and Control (TA0011)(opens in a new tab or window)

↳ Application Layer Protocol (T1071)(opens in a new tab or window)

False Positive Examples

Users accessing their accounts from anonymized IP addresses, such as VPNs or Tor, may trigger this rule. If this is expected behavior in your environment, consider adjusting the rule or adding exceptions for specific users or IP ranges. Users who frequently travel or access their accounts from different geographic locations may trigger this rule due to the unlikely travel detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users. Users who have recently changed their passwords may trigger this rule due to the password spray detection mechanism. If this is expected behavior, consider adjusting the rule or adding exceptions for specific users.

License

Elastic License v2(opens in a new tab or window)

Definition

Rule Type

Query (Kibana Query Language)

Integration Pack

Prebuilt Security Detection Rules

Index Patterns

filebeat-*logs-azure.identity_protection-*

Related Integrations

azure(opens in a new tab or window)

Query

event.dataset: "azure.identity_protection" and
    event.action: "User Risk Detection" and
    azure.identityprotection.properties.activity: "signin"