Microsoft Entra ID User Reported Suspicious Activity
Identifies suspicious activity reported by users in Microsoft Entra ID where users have reported suspicious activity related to their accounts, which may indicate potential compromise or unauthorized access attempts. Reported suspicious activity typically occurs during the authentication process and may involve various authentication methods, such as password resets, account recovery, or multi-factor authentication challenges. Adversaries may attempt to exploit user accounts by leveraging social engineering techniques or other methods to gain unauthorized access to sensitive information or resources.
Elastic rule
[metadata]
creation_date = "2025/05/21"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/21"

[rule]
author = ["Elastic", "Willem D'Haese"]
description = """
Identifies suspicious activity reported by users in Microsoft Entra ID where users have reported suspicious activity related to their accounts, which may indicate potential compromise or unauthorized access attempts. Reported suspicious activity typically occurs during the authentication process and may involve various authentication methods, such as password resets, account recovery, or multi-factor authentication challenges. Adversaries may attempt to exploit user accounts by leveraging social engineering techniques or other methods to gain unauthorized access to sensitive information or resources.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.auditlogs-*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID User Reported Suspicious Activity"
note = """## Triage and Analysis

### Investigating Microsoft Entra ID User Reported Suspicious Activity

This rule detects when a user in Microsoft Entra ID reports suspicious activity associated with their account. This feature is often used to report MFA fatigue or unsolicited push notifications, and is logged during authentication flows involving methods like Microsoft Authenticator. Such events may indicate that an attacker attempted unauthorized access and triggered a push that was denied or flagged by the user.

### Possible investigation steps

- Review the `azure.auditlogs.identity` field to identify the reporting user.
- Confirm that `event.action` is `"Suspicious activity reported"` and the result was `"success"`.
- Check the `azure.auditlogs.properties.additional_details` array for `AuthenticationMethod`, which shows how the login attempt was performed (e.g., `PhoneAppNotification`).
- Look at the `azure.auditlogs.properties.initiated_by.user.userPrincipalName` and `displayName` to confirm which user reported the suspicious activity.
- Investigate recent sign-in activity (`signinlogs`) for the same user. Focus on:
  - IP address geolocation and ASN.
  - Device, operating system, and browser.
  - MFA prompt patterns or unusual login attempts.
- Determine whether the user actually initiated a login attempt, or if it was unexpected and aligns with MFA fatigue or phishing attempts.
- Correlate this report with any risky sign-in detections, conditional access blocks, or password resets in the past 24–48 hours.

### False positive analysis

- Users unfamiliar with MFA push notifications may mistakenly report legitimate sign-in attempts.
- Shared accounts or device switching can also trigger unintended notifications.
- Legitimate travel or network changes might confuse users into thinking activity was malicious.

### Response and remediation

- Contact the user to validate the suspicious activity report and assess whether they were targeted or tricked by a malicious actor.
- If the report is confirmed to be valid:
  - Reset the user’s credentials immediately.
  - Revoke active sessions and refresh tokens.
  - Review their activity across Microsoft 365 services for signs of compromise.
- If other users report similar behavior around the same time, assess for a broader MFA fatigue campaign or targeted phishing.
- Consider tuning conditional access policies to require number matching or stronger MFA mechanisms.
- Educate users on reporting suspicious MFA prompts and following up with IT/security teams promptly.
"""
references = [
    "https://chris-brumm.medium.com/microsoft-entra-mfa-fraud-deep-dive-7764fd8f76ad",
    "https://janbakker.tech/report-suspicious-activity-fraud-alert-for-azure-mfa/"
]
risk_score = 47
rule_id = "caaa8b78-367c-11f0-beb8-f661ea17fbcd"
severity = "medium"
tags = [
    "Domain: Cloud",
    "Data Source: Azure",
    "Data Source: Microsoft Entra ID",
    "Data Source: Microsoft Entra ID Audit Logs",
    "Use Case: Identity and Access Audit",
    "Resources: Investigation Guide",
    "Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset: "azure.auditlogs"
    and azure.auditlogs.operation_name: "Suspicious activity reported"
    and azure.auditlogs.properties.additional_details.key: "AuthenticationMethod"
    and azure.auditlogs.properties.target_resources.*.type: "User"
    and event.outcome: "success"
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"
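To see exactly which audit-log documents the query above selects, the following added example (not Elastic's code and not part of the rule) re-implements the query's five conditions in plain Python, runs them over constructed Entra ID audit-log documents, and then pulls out the fields the triage note says to check first (reporting user, display name, authentication method, targeted user). The index-keyed layout of `target_resources` ("0", "1", ...), the `_event` helper and every sample value are assumptions made for the example.

```python
# Added example (not Elastic's code): the rule's KQL conditions re-implemented in
# plain Python and run over constructed Entra ID audit-log documents, followed by
# the first triage steps from the rule's note (who reported, via which method).
# Field layout follows the rule's query. The index-keyed form of target_resources
# ("0", "1", ...) is an assumption about how the array is flattened; the query's
# "*" wildcard is what tolerates that layout.
from typing import Any


def get_path(doc: dict, path: str) -> Any:
    """Resolve a dotted ECS-style field path; None when any segment is missing."""
    cur: Any = doc
    for part in path.split("."):
        if not isinstance(cur, dict) or part not in cur:
            return None
        cur = cur[part]
    return cur


def matches_rule(doc: dict) -> bool:
    """Equivalent of the rule's KQL query: exact keyword matches, all clauses ANDed."""
    if get_path(doc, "event.dataset") != "azure.auditlogs":
        return False
    if get_path(doc, "azure.auditlogs.operation_name") != "Suspicious activity reported":
        return False
    # additional_details.key: "AuthenticationMethod" is true if ANY element has that key
    details = get_path(doc, "azure.auditlogs.properties.additional_details") or []
    if not any(d.get("key") == "AuthenticationMethod" for d in details):
        return False
    # target_resources.*.type: "User" is true if ANY target resource is a User
    targets = get_path(doc, "azure.auditlogs.properties.target_resources") or {}
    if not any(t.get("type") == "User" for t in targets.values()):
        return False
    return get_path(doc, "event.outcome") == "success"


def triage_summary(doc: dict) -> dict:
    """Extract the fields the investigation guide says to review first."""
    details = get_path(doc, "azure.auditlogs.properties.additional_details") or []
    method = next((d.get("value") for d in details if d.get("key") == "AuthenticationMethod"), None)
    targets = get_path(doc, "azure.auditlogs.properties.target_resources") or {}
    upn = get_path(doc, "azure.auditlogs.properties.initiated_by.user.userPrincipalName")
    return {
        "reported_by": upn or get_path(doc, "azure.auditlogs.identity"),
        "display_name": get_path(doc, "azure.auditlogs.properties.initiated_by.user.displayName"),
        "authentication_method": method,
        "target_users": [t.get("display_name") for t in targets.values() if t.get("type") == "User"],
    }


def run_rule(events: list) -> list:
    """Apply the rule to a batch of documents and return one triage summary per hit."""
    return [triage_summary(e) for e in events if matches_rule(e)]


def _event(operation: str, outcome: str, target_type: str, details: list) -> dict:
    """Build a constructed audit-log document; all sample values are invented."""
    return {
        "event": {"dataset": "azure.auditlogs", "action": operation, "outcome": outcome},
        "azure": {"auditlogs": {
            "operation_name": operation,
            "identity": "jdoe@example.com",
            "properties": {
                "additional_details": details,
                "target_resources": {"0": {"type": target_type, "display_name": "Jane Doe"}},
                "initiated_by": {"user": {"userPrincipalName": "jdoe@example.com",
                                          "displayName": "Jane Doe"}},
            },
        }},
    }


AUTH = [{"key": "AuthenticationMethod", "value": "PhoneAppNotification"}]
SAMPLE_EVENTS = [
    _event("Suspicious activity reported", "success", "User", AUTH),              # fraud report: hit
    _event("Suspicious activity reported", "failure", "User", AUTH),              # failed report: no hit
    _event("Update user", "success", "User", AUTH),                               # other operation: no hit
    _event("Suspicious activity reported", "success", "ServicePrincipal", AUTH),  # target not a User: no hit
    _event("Suspicious activity reported", "success", "User", []),                # no AuthenticationMethod: no hit
]

if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(hit)
```

Only the first sample document survives all five clauses; the other four each fail exactly one of them, which is a useful way to confirm that a new rule is not broader than intended before deploying it. The `target_users` list is worth keeping in the summary because the reporting user and the targeted account are logged separately, and the triage note asks you to confirm both.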
Related rules
- Microsoft Entra ID Illicit Consent Grant via Registered Application
- Microsoft Entra ID High Risk Sign-in
- Microsoft Entra ID Session Reuse with Suspicious Graph Access
- Microsoft Entra ID Service Principal Created
- Multiple Microsoft Entra ID Protection Alerts by User Principal