Azure AD Threat Intelligence

Azure AD Identity Protection raises this risk detection (riskEventType `investigationsThreatIntelligence`) for sign-in or user activity that is unusual for the user or consistent with known attack patterns drawn from Microsoft's threat intelligence. The rule below alerts on every risk detection event of that type.

Sigma rule

```yaml
title: Azure AD Threat Intelligence
id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
status: experimental
description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
references:
    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
    - https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
    - https://learn.microsoft.com/en-us/azure/active-directory/architecture/security-operations-user-accounts#unusual-sign-ins
author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
date: 2023/09/07
tags:
    - attack.t1078
    - attack.persistence
    - attack.defense_evasion
    - attack.privilege_escalation
    - attack.initial_access
logsource:
    product: azure
    service: riskdetection
detection:
    selection:
        # Exact match on the Identity Protection risk detection type.
        riskEventType: 'investigationsThreatIntelligence'
    condition: selection
falsepositives:
    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
level: high
```
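
The following is an added example, not code from the Sigma project or the rule authors. It applies the rule's `selection` to a handful of constructed risk detection records and, following the rule's false-positive guidance, pulls the same user's other detections from a surrounding time window so an analyst sees the hit in context. The record fields (`riskEventType`, `riskLevel`, `riskState`, `userPrincipalName`, `detectedDateTime`, `ipAddress`) mirror the Microsoft Graph `riskDetection` resource; the sample values themselves are made up. Sigma compares plain string values case-insensitively, and a map-style selection requires every listed field to match, which is what `matches` implements.

```python
"""Added example: evaluate the 'Azure AD Threat Intelligence' Sigma selection
over Identity Protection risk detections. Not part of the Sigma project; the
events below are constructed for illustration (not real tenant data)."""
from datetime import datetime, timedelta

# The rule's detection.selection block, expressed as a field -> value map.
SELECTION = {"riskEventType": "investigationsThreatIntelligence"}

# Constructed sample events shaped like Microsoft Graph riskDetection objects.
SAMPLE_EVENTS = [
    {"id": "evt-1", "riskEventType": "investigationsThreatIntelligence",
     "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example",
     "detectedDateTime": "2023-09-07T10:15:00Z", "ipAddress": "203.0.113.10"},
    {"id": "evt-2", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "medium", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example",
     "detectedDateTime": "2023-09-07T09:50:00Z", "ipAddress": "203.0.113.10"},
    {"id": "evt-3", "riskEventType": "investigationsThreatIntelligence",
     "riskLevel": "high", "riskState": "remediated",
     "userPrincipalName": "bob@contoso.example",
     "detectedDateTime": "2023-09-06T22:00:00Z", "ipAddress": "198.51.100.7"},
    {"id": "evt-4", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskState": "atRisk",
     "userPrincipalName": "carol@contoso.example",
     "detectedDateTime": "2023-09-07T11:00:00Z", "ipAddress": "192.0.2.44"},
    {"id": "evt-5", "riskEventType": "investigationsThreatIntelligence",
     "riskLevel": "high", "riskState": "atRisk",
     "userPrincipalName": "alice@contoso.example",
     "detectedDateTime": "2023-09-01T08:00:00Z", "ipAddress": "203.0.113.99"},
]


def _parse_time(value):
    """Parse the ISO-8601 'Z'-suffixed timestamps Graph emits."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def matches(event, selection=SELECTION):
    """Sigma map selection: every field must be present and equal.
    Plain string values in Sigma are case-insensitive, so compare lowercased."""
    for field, expected in selection.items():
        actual = event.get(field)
        if actual is None or str(actual).lower() != str(expected).lower():
            return False
    return True


def run_rule(events):
    """Return the events the rule would alert on, in input order.
    Note the rule does not look at riskState, so already-remediated
    detections (evt-3) still match; filter on riskState at triage time."""
    return [e for e in events if matches(e)]


def context_for_user(events, hit, window_hours=24):
    """Other detections for the same user within +/- window_hours of the hit,
    which is what the rule's falsepositives note asks the analyst to review."""
    center = _parse_time(hit["detectedDateTime"])
    window = timedelta(hours=window_hours)
    return [
        e for e in events
        if e["id"] != hit["id"]
        and e["userPrincipalName"] == hit["userPrincipalName"]
        and abs(_parse_time(e["detectedDateTime"]) - center) <= window
    ]


def triage(events):
    """Map each hit id to the ids of its contextual detections."""
    return {hit["id"]: [c["id"] for c in context_for_user(events, hit)]
            for hit in run_rule(events)}


if __name__ == "__main__":
    for hit_id, ctx in triage(SAMPLE_EVENTS).items():
        print(f"{hit_id}: context={ctx}")
```

Running the module prints one line per hit with the ids of the user's nearby detections; `evt-1` is accompanied by alice's `unfamiliarFeatures` detection 25 minutes earlier, which is exactly the kind of corroborating signal the rule's false-positive note is asking for.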
