Azure AD Threat Intelligence
Indicates user activity that is unusual for the user or consistent with known attack patterns.
Sigma rule (View on GitHub)
1title: Azure AD Threat Intelligence
2id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
3status: test
4description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
5references:
6 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
7 - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
8 - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
9author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
10date: 2023-09-07
11tags:
12 - attack.t1078
13 - attack.persistence
14 - attack.defense-evasion
15 - attack.privilege-escalation
16 - attack.initial-access
17logsource:
18 product: azure
19 service: riskdetection
20detection:
21 selection:
22 riskEventType: 'investigationsThreatIntelligence'
23 condition: selection
24falsepositives:
25 - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
26level: high
References
-
-
-
Guidance to establish baselines and how to monitor and alert on potential security issues with user accounts.
Read More
Related rules
- Account Tampering - Suspicious Failed Logon Reasons
- Activity From Anonymous IP Address
- Application Using Device Code Authentication Flow
- Applications That Are Using ROPC Authentication Flow
- Atypical Travel