Identifies high-risk Azure Active Directory (AD) sign-ins by relying on the risk scoring that Microsoft Identity Protection derives from machine learning and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. Microsoft does not publish how the score is calculated, but each higher tier indicates greater confidence that the user or the sign-in is compromised; this rule alerts only on the high tier, and only when the sign-in actually succeeded.
Rule type: query
Risk score: 73
Runs every: 5m
Maximum alerts per execution: 100
Tags:
- Continuous Monitoring
- Identity and Access
Rule authors:
- Willem D’Haese
Rule license: Elastic License v2
## Config

The Azure Fleet integration, the Filebeat Azure module, or data mapped to the same field names is required for this rule to match: the query depends on `event.dataset`, `event.outcome`, and the `azure.signinlogs.properties.risk_level_*` fields. Those risk fields are populated from Identity Protection, so a tenant that is not licensed for Identity Protection will not produce the `high` value the rule looks for, and the rule will stay silent even if sign-ins are risky.
## Rule query

```kuery
event.dataset:azure.signinlogs and
  (azure.signinlogs.properties.risk_level_during_signin:high or
   azure.signinlogs.properties.risk_level_aggregated:high) and
  event.outcome:(success or Success)
```
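The predicate of the rule query, applied to constructed sample documents in Python. This is an added example, not code from the rule page or from Elastic; the field paths come from the query itself, while the sample values, the `_id` labels and the `max_alerts` cap (mirroring the rule's "maximum alerts per execution") are assumptions. It shows which combinations of risk tier and sign-in outcome fire, including the two cases practitioners most often ask about: a high aggregated user risk on an otherwise clean sign-in (fires) and a high-risk sign-in that Conditional Access blocked (does not fire, because the rule wants successes only).

```python
"""Apply the high-risk sign-in rule's predicate to constructed sign-in log documents."""
from typing import Any

# Constructed sample documents (not real tenant data), shaped like the ECS
# fields the Azure integration's signinlogs dataset produces. The "_id" key
# is an assumed label used only to report which events matched.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    {   # high risk during sign-in and the sign-in succeeded -> alert
        "_id": "evt-1",
        "event": {"dataset": "azure.signinlogs", "outcome": "success"},
        "azure": {"signinlogs": {"properties": {
            "risk_level_during_signin": "high",
            "risk_level_aggregated": "none",
            "user_principal_name": "alice@example.com"}}},
    },
    {   # aggregated user risk is high although this sign-in itself was not -> alert
        "_id": "evt-2",
        "event": {"dataset": "azure.signinlogs", "outcome": "Success"},
        "azure": {"signinlogs": {"properties": {
            "risk_level_during_signin": "none",
            "risk_level_aggregated": "high"}}},
    },
    {   # high risk but the sign-in was blocked; the rule matches successes only
        "_id": "evt-3",
        "event": {"dataset": "azure.signinlogs", "outcome": "failure"},
        "azure": {"signinlogs": {"properties": {
            "risk_level_during_signin": "high",
            "risk_level_aggregated": "high"}}},
    },
    {   # medium risk does not reach the rule's threshold
        "_id": "evt-4",
        "event": {"dataset": "azure.signinlogs", "outcome": "success"},
        "azure": {"signinlogs": {"properties": {
            "risk_level_during_signin": "medium",
            "risk_level_aggregated": "medium"}}},
    },
    {   # right risk value but a different dataset -> ignored by the dataset filter
        "_id": "evt-5",
        "event": {"dataset": "azure.auditlogs", "outcome": "success"},
        "azure": {"signinlogs": {"properties": {
            "risk_level_during_signin": "high"}}},
    },
    {   # risk fields absent entirely, as for a tenant without Identity Protection
        "_id": "evt-6",
        "event": {"dataset": "azure.signinlogs", "outcome": "success"},
        "azure": {"signinlogs": {"properties": {
            "user_principal_name": "bob@example.com"}}},
    },
]


def get_field(doc: dict[str, Any], path: str) -> Any:
    """Resolve a dotted ECS field path against a nested document; None if absent."""
    current: Any = doc
    for part in path.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def matches_rule(doc: dict[str, Any]) -> bool:
    """Mirror the KQL: dataset match AND (either risk field is high) AND outcome is a success.

    KQL term matches on keyword fields are exact and case-sensitive, which is why
    the rule lists both 'success' and 'Success'; the comparison here does the same.
    """
    if get_field(doc, "event.dataset") != "azure.signinlogs":
        return False
    risk_during = get_field(doc, "azure.signinlogs.properties.risk_level_during_signin")
    risk_aggregated = get_field(doc, "azure.signinlogs.properties.risk_level_aggregated")
    if "high" not in (risk_during, risk_aggregated):
        return False
    return get_field(doc, "event.outcome") in ("success", "Success")


def run_rule(events: list[dict[str, Any]], max_alerts: int = 100) -> list[str]:
    """Return the ids of matching events, capped like the rule's per-execution limit."""
    return [event["_id"] for event in events if matches_rule(event)][:max_alerts]


if __name__ == "__main__":
    print(run_rule(SAMPLE_EVENTS))  # ['evt-1', 'evt-2']
```

When tuning the rule, note that evt-3 is the case worth a companion query: a high-risk sign-in that was blocked is still a signal that the account is under attack, even though it does not trigger this rule.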
Framework: MITRE ATT&CK™