LoFP

The risk calculation algorithm used by Identity Protection is not documented, so this detection may be prone to false positives.

Techniques

Sample rules

Azure Active Directory High Risk Sign-in

Description

The following analytic triggers on a high-risk sign-in against Azure Active Directory identified by Azure Identity Protection. Identity Protection monitors sign-in events using heuristics and machine learning to identify potentially malicious events and categorizes them into three risk levels: high, medium, and low.

Detection logic

 `azure_monitor_aad` category=UserRiskEvents properties.riskLevel=high 
| rename properties.* as * 
| stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by src_ip, activity, riskLevel, riskEventType, additionalInfo 
| `security_content_ctime(firstTime)` 
| `security_content_ctime(lastTime)` 
| `azure_active_directory_high_risk_sign_in_filter`
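To make the output shape of the search above concrete without a Splunk instance, the following Python re-implements the same pipeline (category and riskLevel selection, the `rename properties.* as *` flattening, the `stats ... by` aggregation, and the trailing filter macro) over a handful of constructed UserRiskEvents records. This is an added example, not code from the detection's own repository; the field names follow the query as written (`user`, `src_ip`, `activity`, `riskEventType`, `additionalInfo`), the sample records are constructed, and the `security_content_ctime` output format is assumed.

```python
"""Added example (not the detection's own code): the SPL search above,
re-implemented over constructed Azure AD UserRiskEvents records."""
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records (not real telemetry), shaped like the events the
# query consumes: a `category` field plus a `properties` sub-object.
SAMPLE_EVENTS = [
    {"_time": 1700000000, "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "user": "alice@example.com",
                    "src_ip": "203.0.113.10", "activity": "signin",
                    "riskEventType": "anonymizedIPAddress", "additionalInfo": ""}},
    {"_time": 1700000600, "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "user": "bob@example.com",
                    "src_ip": "203.0.113.10", "activity": "signin",
                    "riskEventType": "anonymizedIPAddress", "additionalInfo": ""}},
    {"_time": 1700001200, "category": "UserRiskEvents",
     "properties": {"riskLevel": "medium", "user": "carol@example.com",
                    "src_ip": "198.51.100.7", "activity": "signin",
                    "riskEventType": "unfamiliarFeatures", "additionalInfo": ""}},
    {"_time": 1700001800, "category": "UserRiskEvents",
     "properties": {"riskLevel": "high", "user": "dave@example.com",
                    "src_ip": "198.51.100.7", "activity": "signin",
                    "riskEventType": "unlikelyTravel", "additionalInfo": ""}},
]

# The `by` clause of the stats command.
GROUP_BY = ("src_ip", "activity", "riskLevel", "riskEventType", "additionalInfo")


def security_content_ctime(ts):
    """Format an epoch timestamp the way the `security_content_ctime` macro does
    (assumed format: month/day/year H:M:S; rendered in UTC here)."""
    return datetime.fromtimestamp(ts, tz=timezone.utc).strftime("%m/%d/%Y %H:%M:%S")


def select_high_risk(events):
    """`category=UserRiskEvents properties.riskLevel=high | rename properties.* as *`:
    keep only high-risk UserRiskEvents and flatten the properties sub-object."""
    rows = []
    for ev in events:
        props = ev.get("properties", {})
        if ev.get("category") == "UserRiskEvents" and props.get("riskLevel") == "high":
            rows.append({"_time": ev["_time"], **props})
    return rows


def aggregate(rows):
    """`stats count min(_time) as firstTime max(_time) as lastTime values(user) as user by ...`."""
    groups = defaultdict(lambda: {"count": 0, "firstTime": None, "lastTime": None, "user": set()})
    for r in rows:
        key = tuple(r.get(f, "") for f in GROUP_BY)
        g = groups[key]
        g["count"] += 1
        g["firstTime"] = r["_time"] if g["firstTime"] is None else min(g["firstTime"], r["_time"])
        g["lastTime"] = r["_time"] if g["lastTime"] is None else max(g["lastTime"], r["_time"])
        g["user"].add(r.get("user", ""))
    results = []
    for key, g in groups.items():
        row = dict(zip(GROUP_BY, key))
        row.update(count=g["count"],
                   firstTime=security_content_ctime(g["firstTime"]),
                   lastTime=security_content_ctime(g["lastTime"]),
                   user=sorted(g["user"]))  # values() yields a de-duplicated multivalue
        results.append(row)
    return results


def apply_filter(results, excluded_src_ips=()):
    """Stand-in for the `azure_active_directory_high_risk_sign_in_filter` macro.
    It is empty by default, so nothing is dropped; the `excluded_src_ips`
    allowlist is a hypothetical tuning knob (not part of the rule) showing
    where investigated, known-good sources would be suppressed."""
    return [r for r in results if r["src_ip"] not in excluded_src_ips]


def run_detection(events, excluded_src_ips=()):
    """Full pipeline equivalent to the SPL search above."""
    return apply_filter(aggregate(select_high_risk(events)), excluded_src_ips)


if __name__ == "__main__":
    for row in run_detection(SAMPLE_EVENTS):
        print(row)
```

Running it yields one row per distinct (src_ip, activity, riskLevel, riskEventType, additionalInfo) tuple, with the user list collapsed into a multivalue field: the medium-risk event is dropped by the riskLevel predicate, and the two anonymizedIPAddress events from the same source fold into a single row with count 2. Because the risk scoring behind `riskLevel` is opaque, the filter macro is the intended place to encode local exclusions rather than editing the base search.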