Azure AD Threat Intelligence

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Sigma rule (View on GitHub)

 1title: Azure AD Threat Intelligence
 2id: a2cb56ff-4f46-437a-a0fa-ffa4d1303cba
 3status: test
 4description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
 5references:
 6    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
 7    - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
 8    - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
 9author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
10date: 2023-09-07
11tags:
12    - attack.t1078
13    - attack.persistence
14    - attack.defense-evasion
15    - attack.privilege-escalation
16    - attack.initial-access
17logsource:
18    product: azure
19    service: riskdetection
20detection:
21    selection:
22        riskEventType: 'investigationsThreatIntelligence'
23    condition: selection
24falsepositives:
25    - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
26level: high

References

Related rules

to-top