IMPORTANT: No additional bug fixes or documentation updates will be released for this version. For the latest information, see the current release documentation.
Elastic Docs Elastic Security Solution [8.2] Detections and alerts Prebuilt rule reference
« Azure Active Directory High Risk Sign-in Azure Active Directory PowerShell Sign-in »

Azure Active Directory High Risk User Sign-in Heuristicedit

Identifies high risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics.

Rule type: query

Rule indices:

  • filebeat-*
  • logs-azure*

Severity: medium

Risk score: 47

Runs every: 5 minutes

Searches indices from: now-25m (Date Math format, see also Additional look-back time)

Maximum alerts per execution: 100

References:

Tags:

  • Elastic
  • Cloud
  • Azure
  • Continuous Monitoring
  • SecOps
  • Identity and Access

Version: 1

Added (Elastic Stack release): 8.0.0

Rule authors: Austin Songer

Rule license: Elastic License v2

Investigation guideedit

## Config

The Azure Fleet integration, Filebeat module, or similarly structured data is required to be compatible with this rule.

Rule queryedit

event.dataset:azure.signinlogs and
azure.signinlogs.properties.risk_state:("confirmedCompromised" or
"atRisk") and event.outcome:(success or Success)

Threat mappingedit

Framework: MITRE ATT&CKTM

« Azure Active Directory High Risk Sign-in Azure Active Directory PowerShell Sign-in »