Skip to content

[Rule Tuning] Tuning Microsoft Entra ID High Risk Sign-in #4739

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
merged 3 commits into from
May 28, 2025
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view

This file was deleted.

Original file line number Diff line number Diff line change
@@ -0,0 +1,96 @@
[metadata]
creation_date = "2021/01/04"
integration = ["azure"]
maturity = "production"
updated_date = "2025/05/21"

[rule]
author = ["Elastic", "Willem D'Haese"]
description = """
Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft's Identity Protection machine learning
and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not
provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is
compromised.
"""
from = "now-9m"
index = ["filebeat-*", "logs-azure.signinlogs*"]
language = "kuery"
license = "Elastic License v2"
name = "Microsoft Entra ID High Risk Sign-in"
note = """## Triage and analysis

### Investigating Microsoft Entra ID High Risk Sign-in

This rule detects high-risk sign-ins in Microsoft Entra ID as identified by Identity Protection. These sign-ins are flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of compromise based on Microsoft’s machine learning and heuristics. This alert is valuable for identifying accounts under active attack or compromise using valid credentials.

### Possible investigation steps

- Review the `azure.signinlogs.properties.user_id` and associated identity fields to determine the impacted user.
- Inspect the `risk_level_during_signin` field and confirm it is set to `high`. If `risk_level_aggregated` is also present and high, this suggests sustained risk across multiple sign-ins.
- Check `source.ip`, `source.geo.country_name`, and `source.as.organization.name` to evaluate the origin of the sign-in attempt. Flag unexpected geolocations or ASNs (e.g., anonymizers or residential ISPs).
- Review the `device_detail` fields such as `operating_system` and `browser` for new or unrecognized devices.
- Validate the `client_app_used` (e.g., legacy protocols, desktop clients) and `app_display_name` (e.g., Office 365 Exchange Online) to assess if risky legacy methods were involved.
- Examine `applied_conditional_access_policies` to verify if MFA or blocking policies were triggered or bypassed.
- Check `authentication_details.authentication_method` to see if multi-factor authentication was satisfied (e.g., "Mobile app notification").
- Correlate this activity with other alerts or sign-ins from the same account within the last 24–48 hours.
- Contact the user to confirm if the sign-in was expected. If not, treat the account as compromised and proceed with containment.

### False positive analysis

- Risky sign-ins may be triggered during legitimate travel, VPN use, or remote work scenarios from unusual locations.
- In some cases, users switching devices or networks rapidly may trigger high-risk scores.
- Automated scanners or penetration tests using known credentials may mimic high-risk login behavior.
- Confirm whether the risk was remediated automatically by Microsoft Identity Protection before proceeding with escalations.

### Response and remediation

- If compromise is suspected, immediately disable the user account and revoke active sessions and tokens.
- Initiate credential reset and ensure multi-factor authentication is enforced.
- Review audit logs and sign-in history for the account to assess lateral movement or data access post sign-in.
- Inspect activity on services such as Exchange, SharePoint, or Azure resources to understand the impact.
- Determine if the attacker leveraged other accounts or escalated privileges.
- Use the incident findings to refine conditional access policies, such as enforcing MFA for high-risk sign-ins or blocking legacy protocols.
- Review and tighten policies that allow sign-ins from high-risk geographies or unknown devices.
"""
references = [
"https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection",
"https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk",
]
risk_score = 73
rule_id = "37994bca-0611-4500-ab67-5588afe73b77"
severity = "high"
tags = [
"Domain: Cloud",
"Data Source: Azure",
"Data Source: Microsoft Entra ID",
"Data Source: Microsoft Entra ID Sign-in Logs",
"Use Case: Identity and Access Audit",
"Resources: Investigation Guide",
"Tactic: Initial Access",
]
timestamp_override = "event.ingested"
type = "query"

query = '''
event.dataset:azure.signinlogs and
(
azure.signinlogs.properties.risk_level_during_signin:high or
azure.signinlogs.properties.risk_level_aggregated:high
)
'''


[[rule.threat]]
framework = "MITRE ATT&CK"
[[rule.threat.technique]]
id = "T1078"
name = "Valid Accounts"
reference = "https://attack.mitre.org/techniques/T1078/"


[rule.threat.tactic]
id = "TA0001"
name = "Initial Access"
reference = "https://attack.mitre.org/tactics/TA0001/"

Loading