M365 Entra ID Risk Detection Signal
editM365 Entra ID Risk Detection Signal
editIdentifies Microsoft Entra ID (formerly Azure AD) risk detection signals including risky sign-ins, compromised credentials, impossible travel, and other identity-based anomalies. These events indicate potential credential compromise, account takeover attempts, or suspicious authentication patterns detected by Microsoft’s identity protection. This building block rule generates security events for correlation, threat hunting, and telemetry collection to support detection of credential access and initial access attempts.
Rule type: query
Rule indices:
- logs-o365.audit-*
- filebeat-*
Severity: low
Risk score: 21
Runs every: 5m
Searches indices from: now-9m (Date Math format, see also Additional look-back time)
Maximum alerts per execution: 100
References:
Tags:
- Domain: Cloud
- Domain: SaaS
- Data Source: Microsoft 365
- Data Source: Microsoft 365 Audit Logs
- Data Source: Microsoft Entra ID
- Data Source: Microsoft Entra ID Protection
- Use Case: Threat Detection
- Use Case: Identity Threat Detection
- Tactic: Credential Access
- Tactic: Initial Access
- Rule Type: BBR
Version: 1
Rule authors:
- Elastic
Rule license: Elastic License v2
Setup
editAdditional notes
For information on troubleshooting the maximum alerts warning please refer to this guide.
Rule query
editevent.dataset:o365.audit and event.code:AadRiskDetection
Framework: MITRE ATT&CKTM
-
Tactic:
- Name: Credential Access
- ID: TA0006
- Reference URL: https://attack.mitre.org/tactics/TA0006/
-
Technique:
- Name: Brute Force
- ID: T1110
- Reference URL: https://attack.mitre.org/techniques/T1110/
-
Tactic:
- Name: Initial Access
- ID: TA0001
- Reference URL: https://attack.mitre.org/tactics/TA0001/
-
Technique:
- Name: Valid Accounts
- ID: T1078
- Reference URL: https://attack.mitre.org/techniques/T1078/
-
Sub-technique:
- Name: Cloud Accounts
- ID: T1078.004
- Reference URL: https://attack.mitre.org/techniques/T1078/004/