Techniques
Sample rules
Azure Active Directory High Risk Sign-in
- source: splunk
- techniques:
  - T1586
  - T1586.003
  - T1110
  - T1110.003
Description
The following analytic detects high-risk sign-in attempts against Azure Active Directory, as flagged by Azure AD Identity Protection. It relies on the RiskyUsers and UserRiskEvents log categories of the Azure AD diagnostic logs ingested via EventHub; the search itself filters on UserRiskEvents, the category that carries the individual risk detections, and keeps only those with riskLevel set to high. The riskEventType value identifies the specific detection (for example passwordSpray or anonymizedIPAddress), which is what ties this analytic to the brute-force and account-compromise techniques listed above. This activity is significant because Identity Protection raises these detections from heuristics and machine-learning models that indicate a potentially compromised account. If confirmed malicious, an attacker could gain unauthorized access to sensitive resources, leading to data theft or further exploitation within the environment.
Detection logic
`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_active_directory_high_risk_sign_in_filter`
The backticked terms are Splunk macros: `azure_monitor_aad` scopes the search to the Azure AD sourcetype, `security_content_ctime` converts the epoch firstTime and lastTime values into a readable timestamp, and `azure_active_directory_high_risk_sign_in_filter` is the tuning hook (a no-op by default) where known-good sources or users can be excluded without editing the search itself. Note that src_ip and user are CIM-normalized fields supplied by the add-on's field extractions, not raw property names in the Azure event.
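To check what the search above returns before deploying it, the following Python re-implements its filter and stats stages over a handful of constructed UserRiskEvents records. This is an added example, not code from the original page or from the Splunk security content project; the sample events are made up, and the mapping of src_ip to properties.ipAddress and of user to properties.userPrincipalName is an assumption of this example. The `exclude_src_ips` argument stands in for the `_filter` tuning macro.

```python
"""Offline check of the Azure AD High Risk Sign-in logic over constructed events.

Added example, not part of the original detection page or the Splunk content
project. It mirrors the SPL: keep category=UserRiskEvents with
properties.riskLevel=high, then aggregate count/firstTime/lastTime/values(user)
by src_ip, activity, riskLevel, riskEventType and additionalInfo.
"""
from datetime import datetime, timezone

# Constructed sample records (not real telemetry) in the shape Azure AD
# diagnostic logs arrive from EventHub: top-level `time` and `category`, with
# the risk detection under `properties`.
SAMPLE_EVENTS = [
    {"time": "2024-03-01T08:00:00Z", "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "riskEventType": "anonymizedIPAddress",
                    "activity": "signin", "ipAddress": "198.51.100.23",
                    "userPrincipalName": "alice@example.com", "additionalInfo": "[]"}},
    {"time": "2024-03-01T08:05:00Z", "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "riskEventType": "anonymizedIPAddress",
                    "activity": "signin", "ipAddress": "198.51.100.23",
                    "userPrincipalName": "bob@example.com", "additionalInfo": "[]"}},
    # medium risk: the SPL's riskLevel=high filter drops it
    {"time": "2024-03-01T08:10:00Z", "category": "UserRiskEvents",
     "properties": {"riskLevel": "medium", "riskEventType": "unfamiliarFeatures",
                    "activity": "signin", "ipAddress": "203.0.113.9",
                    "userPrincipalName": "carol@example.com", "additionalInfo": "[]"}},
    # aggregated user-risk state, not a detection: the category filter drops it
    {"time": "2024-03-01T08:12:00Z", "category": "RiskyUsers",
     "properties": {"riskLevel": "high", "riskState": "atRisk",
                    "userPrincipalName": "alice@example.com"}},
    {"time": "2024-03-01T09:30:00Z", "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "riskEventType": "passwordSpray",
                    "activity": "signin", "ipAddress": "203.0.113.77",
                    "userPrincipalName": "dave@example.com", "additionalInfo": "[]"}},
]

GROUP_BY = ("activity", "riskLevel", "riskEventType", "additionalInfo")


def _epoch(ts: str) -> float:
    """Parse the ISO-8601 UTC `time` field into epoch seconds (Splunk's _time)."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc).timestamp()


def _ctime(epoch: float) -> str:
    """Equivalent of `security_content_ctime`: epoch -> %Y-%m-%dT%H:%M:%S."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%dT%H:%M:%S")


def detect_high_risk_signins(events, exclude_src_ips=frozenset()):
    """Return one row per (src_ip, activity, riskLevel, riskEventType, additionalInfo).

    Assumed field mapping (this example's assumption, not stated on the page):
    src_ip <- properties.ipAddress, user <- properties.userPrincipalName.
    `exclude_src_ips` plays the role of the `_filter` tuning macro.
    """
    groups = {}
    for ev in events:
        if ev.get("category") != "UserRiskEvents":
            continue
        props = ev.get("properties", {})          # `rename properties.* as *`
        if props.get("riskLevel") != "high":
            continue
        src_ip = props.get("ipAddress")
        key = (src_ip,) + tuple(props.get(f) for f in GROUP_BY)
        t = _epoch(ev["time"])
        g = groups.setdefault(key, {"count": 0, "first": t, "last": t, "users": set()})
        g["count"] += 1                           # count
        g["first"] = min(g["first"], t)           # min(_time) as firstTime
        g["last"] = max(g["last"], t)             # max(_time) as lastTime
        if props.get("userPrincipalName"):
            g["users"].add(props["userPrincipalName"])   # values(user)

    rows = []
    for (src_ip, *rest), g in sorted(groups.items(), key=lambda kv: str(kv[0])):
        if src_ip in exclude_src_ips:             # the `_filter` macro hook
            continue
        row = dict(zip(GROUP_BY, rest))
        row.update(src_ip=src_ip, count=g["count"],
                   firstTime=_ctime(g["first"]), lastTime=_ctime(g["last"]),
                   user=sorted(g["users"]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in detect_high_risk_signins(SAMPLE_EVENTS):
        print(row)
```

Running it yields two rows: the two anonymizedIPAddress detections from 198.51.100.23 collapse into one row with count 2 and both users listed, and the passwordSpray detection from 203.0.113.77 stands alone; the medium-risk event and the RiskyUsers record never reach the aggregation, which is the behaviour to expect from the SPL's first line.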