Azure Active Directory risky sign-in
Set up the Azure integration.
Goal
Detect whenever Azure Identity Protection categorizes an Azure Active Directory login as risky.
Strategy
Monitor Azure Active Directory sign-in activity (@evt.name:"Sign-in activity") and generate a signal when Azure Identity Protection flags the user as risky or compromised (@properties.riskState:"atRisk" OR "confirmedCompromised").
Triage and response
- Analyze the location (@network.client.geoip.subdivision.name) of {{@usr.id}} to determine whether they are signing in from their usual location.
- If the sign-in activity is not legitimate, disable the {{@usr.id}} account.
- Investigate any devices owned by {{@usr.id}}.
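The strategy above and the triage fields it relies on, as an added example that is not part of the original rule page and not Datadog's own code: it applies the two rule conditions to constructed Azure AD sign-in log lines and extracts the user id and location the triage steps ask for. The JSON field layout and sample values are assumptions chosen to match the attribute names the rule references.

```python
import json

# Rule conditions as the page states them: a sign-in event whose riskState
# is one of the two values Azure Identity Protection uses for risky users.
EVENT_NAME = "Sign-in activity"
RISKY_STATES = {"atRisk", "confirmedCompromised"}

def get_path(record, dotted):
    """Walk a dotted attribute path such as 'properties.riskState'; None if absent."""
    cur = record
    for key in dotted.split("."):
        if not isinstance(cur, dict) or key not in cur:
            return None
        cur = cur[key]
    return cur

def is_risky_sign_in(record):
    """True when both rule conditions hold for one parsed log record."""
    return (get_path(record, "evt.name") == EVENT_NAME
            and get_path(record, "properties.riskState") in RISKY_STATES)

def build_signals(log_lines):
    """Return one triage signal per matching line; unparseable lines are skipped."""
    signals = []
    for line in log_lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue
        if not is_risky_sign_in(record):
            continue
        signals.append({
            "usr.id": get_path(record, "usr.id"),
            "riskState": get_path(record, "properties.riskState"),
            "location": get_path(record, "network.client.geoip.subdivision.name"),
        })
    return signals

# Constructed sample log lines (not real Azure output); only the attributes the
# rule and its triage steps reference are populated.
SAMPLE_LOGS = [
    '{"evt":{"name":"Sign-in activity"},"usr":{"id":"alice@example.com"},'
    '"properties":{"riskState":"atRisk"},'
    '"network":{"client":{"geoip":{"subdivision":{"name":"Hokkaido"}}}}}',
    '{"evt":{"name":"Sign-in activity"},"usr":{"id":"bob@example.com"},'
    '"properties":{"riskState":"none"}}',
    '{"evt":{"name":"Sign-in activity"},"usr":{"id":"carol@example.com"},'
    '"properties":{"riskState":"confirmedCompromised"}}',
    '{"evt":{"name":"Update user"},"usr":{"id":"dave@example.com"},'
    '"properties":{"riskState":"atRisk"}}',
    'not json',
]

if __name__ == "__main__":
    for signal in build_signals(SAMPLE_LOGS):
        print(signal)
```

Only alice and carol produce signals: bob's riskState is not in the risky set, dave's event is not a sign-in, and the last line is not JSON.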
Changelog
14 June 2022 - Updated rule query.