Microsoft Entra ID High Risk Sign-in

Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft's Identity Protection machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is compromised.

Elastic rule (View on GitHub)

[metadata]
creation_date = "2021/01/04"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/21"

[rule]
author = ["Elastic", "Willem D'Haese"]
description = """
Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft's Identity Protection machine learning
and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not
provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is
compromised.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.signinlogs*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID High Risk Sign-in"
note = """## Triage and analysis

### Investigating Microsoft Entra ID High Risk Sign-in

This rule detects high-risk sign-ins in Microsoft Entra ID as identified by Identity Protection. These sign-ins are flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of compromise based on Microsoft’s machine learning and heuristics. This alert is valuable for identifying accounts under active attack or compromise using valid credentials.

### Possible investigation steps

- Review the `azure.signinlogs.properties.user_id` and associated identity fields to determine the impacted user.
- Inspect the `risk_level_during_signin` field and confirm it is set to `high`. If `risk_level_aggregated` is also present and high, this suggests sustained risk across multiple sign-ins.
- Check `source.ip`, `source.geo.country_name`, and `source.as.organization.name` to evaluate the origin of the sign-in attempt. Flag unexpected geolocations or ASNs (e.g., anonymizers or residential ISPs).
- Review the `device_detail` fields such as `operating_system` and `browser` for new or unrecognized devices.
- Validate the `client_app_used` (e.g., legacy protocols, desktop clients) and `app_display_name` (e.g., Office 365 Exchange Online) to assess if risky legacy methods were involved.
- Examine `applied_conditional_access_policies` to verify if MFA or blocking policies were triggered or bypassed.
- Check `authentication_details.authentication_method` to see if multi-factor authentication was satisfied (e.g., "Mobile app notification").
- Correlate this activity with other alerts or sign-ins from the same account within the last 24–48 hours.
- Contact the user to confirm if the sign-in was expected. If not, treat the account as compromised and proceed with containment.

### False positive analysis

- Risky sign-ins may be triggered during legitimate travel, VPN use, or remote work scenarios from unusual locations.
- In some cases, users switching devices or networks rapidly may trigger high-risk scores.
- Automated scanners or penetration tests using known credentials may mimic high-risk login behavior.
- Confirm whether the risk was remediated automatically by Microsoft Identity Protection before proceeding with escalations.

### Response and remediation

- If compromise is suspected, immediately disable the user account and revoke active sessions and tokens.
- Initiate credential reset and ensure multi-factor authentication is enforced.
- Review audit logs and sign-in history for the account to assess lateral movement or data access post sign-in.
- Inspect activity on services such as Exchange, SharePoint, or Azure resources to understand the impact.
- Determine if the attacker leveraged other accounts or escalated privileges.
- Use the incident findings to refine conditional access policies, such as enforcing MFA for high-risk sign-ins or blocking legacy protocols.
- Review and tighten policies that allow sign-ins from high-risk geographies or unknown devices.
"""
references = [
    "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
    "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
    "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk",
]
risk_score = 73
rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
severity = "high"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Sign-in Logs",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.signinlogs and
  (
    azure.signinlogs.properties.risk_level_during_signin:high or
    azure.signinlogs.properties.risk_level_aggregated:high
  )
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
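As an added example that is not part of the Elastic rule or its repository, the following Python re-implements the rule's KQL condition over constructed azure.signinlogs events and gathers the fields the investigation guide asks an analyst to review into one triage record per match. The top-level field paths are those named in the rule and its guide; the nested sub-field names under applied_conditional_access_policies (display_name, result) and authentication_details (authentication_method, succeeded), the sample values, and the "MFA satisfied" heuristic are assumptions made for this example.

```python
# Added example (not Elastic's code): evaluates the rule's query logic in Python
# over constructed sign-in events and builds the triage record the guide describes.
import json
from typing import Any, Dict, List

PROPS = "azure.signinlogs.properties"


def get(event: Dict[str, Any], path: str, default: Any = None) -> Any:
    """Walk a dotted ECS-style path (e.g. 'source.geo.country_name') through nested dicts."""
    cur: Any = event
    for key in path.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return default
        cur = cur[key]
    return cur


def is_high_risk_signin(event: Dict[str, Any]) -> bool:
    """Same condition as the rule's KQL: the dataset must be azure.signinlogs and
    either risk_level_during_signin or risk_level_aggregated must equal 'high'."""
    if get(event, "event.dataset") != "azure.signinlogs":
        return False
    during = get(event, f"{PROPS}.risk_level_during_signin")
    aggregated = get(event, f"{PROPS}.risk_level_aggregated")
    return during == "high" or aggregated == "high"


def mfa_satisfied(event: Dict[str, Any]) -> bool:
    """Heuristic (assumption, not from the rule): MFA counts as satisfied when any
    authentication_details step other than the password succeeded."""
    details = get(event, f"{PROPS}.authentication_details", []) or []
    return any(
        d.get("succeeded") is True and str(d.get("authentication_method", "")).lower() != "password"
        for d in details
    )


def triage_summary(event: Dict[str, Any]) -> Dict[str, Any]:
    """Collect the fields the investigation guide names into one record."""
    policies = get(event, f"{PROPS}.applied_conditional_access_policies", []) or []
    return {
        "user_id": get(event, f"{PROPS}.user_id"),
        "risk_during_signin": get(event, f"{PROPS}.risk_level_during_signin"),
        "risk_aggregated": get(event, f"{PROPS}.risk_level_aggregated"),
        "source_ip": get(event, "source.ip"),
        "country": get(event, "source.geo.country_name"),
        "asn_org": get(event, "source.as.organization.name"),
        "os": get(event, f"{PROPS}.device_detail.operating_system"),
        "browser": get(event, f"{PROPS}.device_detail.browser"),
        "client_app": get(event, f"{PROPS}.client_app_used"),
        "app": get(event, f"{PROPS}.app_display_name"),
        "mfa_satisfied": mfa_satisfied(event),
        # assumption: each policy object carries display_name and result
        "ca_policies": [f"{p.get('display_name')}={p.get('result')}" for p in policies],
    }


def find_high_risk(events: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Apply the rule condition and return a triage record for every match."""
    return [triage_summary(e) for e in events if is_high_risk_signin(e)]


def _signin(user: str, during: str, aggregated: str, auth: List[Dict[str, Any]],
            dataset: str = "azure.signinlogs") -> Dict[str, Any]:
    """Build one constructed event in the nested shape of the azure integration."""
    return {
        "event": {"dataset": dataset},
        "source": {"ip": "203.0.113.10", "geo": {"country_name": "Netherlands"},
                   "as": {"organization": {"name": "Example Anonymizer VPN"}}},
        "azure": {"signinlogs": {"properties": {
            "user_id": user,
            "risk_level_during_signin": during,
            "risk_level_aggregated": aggregated,
            "device_detail": {"operating_system": "Windows 10", "browser": "Chrome 120"},
            "client_app_used": "Browser",
            "app_display_name": "Office 365 Exchange Online",
            "applied_conditional_access_policies": [
                {"display_name": "Require MFA", "result": "notApplied"}],
            "authentication_details": auth,
        }}},
    }


# Constructed sample input: values are invented, field names follow the rule.
PASSWORD_ONLY = [{"authentication_method": "Password", "succeeded": True}]
PASSWORD_PLUS_MFA = PASSWORD_ONLY + [
    {"authentication_method": "Mobile app notification", "succeeded": True}]
SAMPLE_EVENTS = [
    _signin("user-0001", "high", "none", PASSWORD_ONLY),           # matches, no MFA
    _signin("user-0002", "medium", "medium", PASSWORD_PLUS_MFA),   # below threshold
    _signin("user-0003", "high", "high", PASSWORD_ONLY, dataset="azure.auditlogs"),  # wrong dataset
    _signin("user-0004", "none", "high", PASSWORD_PLUS_MFA),       # aggregated risk only
]

if __name__ == "__main__":
    print(json.dumps(find_high_risk(SAMPLE_EVENTS), indent=2))
```

Running it prints two triage records: user-0001 (high risk during sign-in, password only, conditional access policy not applied) and user-0004 (high aggregated risk, but MFA satisfied). The event with the same risk values under a different dataset is dropped, which mirrors the event.dataset clause of the query.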
