Techniques
Sample rules
Azure Active Directory High Risk Sign-in
- source: splunk
- techniques:
- T1586
- T1586.003
- T1110
- T1110.003
Description
The following analytic triggers on a high-risk sign-in against Azure Active Directory as identified by Azure Identity Protection. Identity Protection evaluates sign-in events with heuristics and machine learning to flag potentially malicious activity, and assigns each detection one of three risk levels: high, medium, or low. This search keeps only the events at the high level.
Detection logic
`azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high
| rename properties.* as *
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo
| `security_content_ctime(firstTime)`
| `security_content_ctime(lastTime)`
| `azure_active_directory_high_risk_sign_in_filter`
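The following Python is an added example, not part of the original rule or of the Splunk content it describes. It re-creates the search above offline over a handful of constructed UserRiskEvents records so the grouping behaviour can be inspected: the `category`/`properties.riskLevel=high` filter, the `rename properties.* as *` flattening, and the `stats` aggregation by `src_ip`, `activity`, `riskLevel`, `riskEventType` and `additionalInfo`. The event layout (top-level `_time`, `category`, `user`, `src_ip` and a nested `properties` object) and all values are assumptions made for the example; `ctime` stands in for the `security_content_ctime` macro, and the allow-list macro `azure_active_directory_high_risk_sign_in_filter` is not reproduced.

```python
"""Offline re-implementation of the Azure AD high-risk sign-in search.

Event shapes and values below are constructed for illustration; they are not
real Azure Identity Protection telemetry.
"""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample events (field names follow the ones used by the SPL search).
SAMPLE_EVENTS = [
    {"_time": 1700000000, "category": "UserRiskEvents",
     "user": "alice@example.com", "src_ip": "203.0.113.10",
     "properties": {"riskLevel": "high", "activity": "signin",
                    "riskEventType": "unfamiliarFeatures", "additionalInfo": "[]"}},
    {"_time": 1700000600, "category": "UserRiskEvents",
     "user": "bob@example.com", "src_ip": "203.0.113.10",
     "properties": {"riskLevel": "high", "activity": "signin",
                    "riskEventType": "unfamiliarFeatures", "additionalInfo": "[]"}},
    # medium risk: dropped by the riskLevel=high filter
    {"_time": 1700000900, "category": "UserRiskEvents",
     "user": "carol@example.com", "src_ip": "198.51.100.7",
     "properties": {"riskLevel": "medium", "activity": "signin",
                    "riskEventType": "unlikelyTravel", "additionalInfo": "[]"}},
    {"_time": 1700001200, "category": "UserRiskEvents",
     "user": "dave@example.com", "src_ip": "198.51.100.7",
     "properties": {"riskLevel": "high", "activity": "signin",
                    "riskEventType": "anonymizedIPAddress", "additionalInfo": "[]"}},
    # wrong category: dropped by the category=UserRiskEvents filter
    {"_time": 1700001500, "category": "SignInLogs",
     "user": "erin@example.com", "src_ip": "192.0.2.44",
     "properties": {"riskLevel": "high", "activity": "signin",
                    "riskEventType": "unfamiliarFeatures", "additionalInfo": "[]"}},
]

BY_FIELDS = ("src_ip", "activity", "riskLevel", "riskEventType", "additionalInfo")


def ctime(epoch):
    """Stand-in for `security_content_ctime`: epoch seconds -> readable UTC time."""
    return datetime.fromtimestamp(epoch, tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def flatten(event):
    """Equivalent of `| rename properties.* as *`: lift nested properties to top level."""
    flat = {k: v for k, v in event.items() if k != "properties"}
    flat.update(event.get("properties", {}))
    return flat


def high_risk_sign_ins(events):
    """Base search plus the `stats` clause; returns one row per by-field combination."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "user": set()})
    for ev in events:
        if ev.get("category") != "UserRiskEvents":
            continue
        if ev.get("properties", {}).get("riskLevel") != "high":
            continue
        flat = flatten(ev)
        key = tuple(flat.get(f) for f in BY_FIELDS)
        # Splunk `stats ... by` silently drops events missing any by-field;
        # mirror that so the offline result matches (use fillnull in SPL to keep them).
        if any(v is None for v in key):
            continue
        g = groups[key]
        g["count"] += 1
        t = flat["_time"]
        g["firstTime"] = t if g["firstTime"] is None else min(g["firstTime"], t)
        g["lastTime"] = t if g["lastTime"] is None else max(g["lastTime"], t)
        if flat.get("user"):
            g["user"].add(flat["user"])  # values(user) collects distinct users
    rows = []
    for key, g in groups.items():
        row = dict(zip(BY_FIELDS, key))
        row.update(count=g["count"], firstTime=ctime(g["firstTime"]),
                   lastTime=ctime(g["lastTime"]), user=sorted(g["user"]))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for row in high_risk_sign_ins(SAMPLE_EVENTS):
        print(row)
```

Running the block yields two rows: the two high-risk detections from 203.0.113.10 collapse into one row with `count=2` and both users listed, the detection from 198.51.100.7 stands alone, and the medium-risk and non-UserRiskEvents records never reach the aggregation. The null-by-field check is worth keeping in mind when tuning the real search: an event whose `additionalInfo` property is absent disappears from the output entirely.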