Azure Active Directory High Risk User Sign-in Heuristic

Last updated 2024-05-21
Created 2021-10-18

About

Identifies high risk Azure Active Directory (AD) sign-ins by leveraging the risk state that Microsoft Identity Protection assigns to a sign-in from its machine learning models and heuristics. The rule fires only when the sign-in succeeded and the risk state is atRisk or confirmedCompromised; failed attempts and sign-ins whose risk has been remediated, dismissed or confirmed safe are excluded by the query.
Tags
Domain: Cloud
Data Source: Azure
Use Case: Identity and Access Audit
Tactic: Initial Access
Language: kuery
Severity
medium
Risk Score
47
MITRE ATT&CK™

Initial Access (TA0001)

License
Elastic License v2

Definition

Rule Type
Query (Kibana Query Language)
Integration Pack
Prebuilt Security Detection Rules
Index Patterns
filebeat-*
logs-azure*
Related Integrations

azure

Query
event.dataset:azure.signinlogs and
  azure.signinlogs.properties.risk_state:("confirmedCompromised" or "atRisk") and event.outcome:(success or Success)
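To see exactly which events the three clauses of that query select, the following added example replays the same predicate in Python over a handful of constructed ECS-shaped sign-in events. It is not part of the Elastic rule or its integration; the user names and events are made up, and only the fields the query reads are populated.

```python
"""Replay of the rule's KQL predicate over constructed Azure sign-in events."""
from typing import Any, Dict, List

# Identity Protection risk states the rule alerts on. Every other value
# (e.g. "none", "remediated", "dismissed", "confirmedSafe") is ignored.
RISK_STATES = {"confirmedCompromised", "atRisk"}
# KQL `event.outcome:(success or Success)` is an exact keyword match on either
# spelling, so it is reproduced as a set lookup, not a case-folded comparison.
SUCCESS_OUTCOMES = {"success", "Success"}


def get_field(event: Dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field name such as 'event.outcome' in a nested dict."""
    node: Any = event
    for part in path.split("."):
        if not isinstance(node, dict) or part not in node:
            return None
        node = node[part]
    return node


def matches_rule(event: Dict[str, Any]) -> bool:
    """True when the event satisfies all three clauses of the rule's query."""
    return (
        get_field(event, "event.dataset") == "azure.signinlogs"
        and get_field(event, "azure.signinlogs.properties.risk_state") in RISK_STATES
        and get_field(event, "event.outcome") in SUCCESS_OUTCOMES
    )


def make_signin(user: str, outcome: str, risk_state: str,
                dataset: str = "azure.signinlogs") -> Dict[str, Any]:
    """Build a minimal ECS-shaped sign-in event. Constructed sample data with
    hypothetical user names; only the fields the rule reads are filled in."""
    return {
        "event": {"dataset": dataset, "outcome": outcome},
        "azure": {"signinlogs": {"properties": {"risk_state": risk_state}}},
        "user": {"name": user},
    }


# Constructed sample: two true positives and four events the rule must not fire on.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    make_signin("alice", "success", "atRisk"),
    make_signin("bob", "Success", "confirmedCompromised"),
    make_signin("carol", "failure", "atRisk"),        # flagged, but the sign-in failed
    make_signin("dave", "success", "remediated"),     # risk already remediated
    make_signin("erin", "success", "none"),           # no risk detected
    make_signin("frank", "success", "atRisk", dataset="azure.auditlogs"),  # wrong dataset
]


def find_alerts(events: List[Dict[str, Any]]) -> List[str]:
    """Return the user names of the events that would raise this rule, in order."""
    return [get_field(e, "user.name") for e in events if matches_rule(e)]


if __name__ == "__main__":
    for name in find_alerts(SAMPLE_EVENTS):
        print(f"ALERT: high risk sign-in succeeded for {name}")
```

Running it reports alice and bob only. The carol event is the case worth remembering when tuning: Identity Protection may mark a sign-in atRisk even when authentication fails, and this rule deliberately drops those so that it surfaces accounts an attacker actually got into rather than every risky attempt.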

Install detection rules in Elastic Security

Detect high risk Azure Active Directory sign-ins in the Elastic Security detection engine by installing this rule into your Elastic Stack.

To set up this rule, follow the installation guide for Prebuilt Security Detection Rules.