Skip to content
Threat Feed
high advisory

Entra ID Protection Detects User Risk

Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and other suspicious behaviors indicating potential initial access attempts and compromised accounts within cloud environments.

Microsoft's Entra ID Protection service is a tool for identifying and mitigating identity-based risks in cloud environments. It detects suspicious user activities like access from anonymized IP addresses (VPNs, Tor), geographically improbable travel, and password spraying attacks. These detections are crucial because they can indicate compromised user accounts or malicious actors attempting initial access. The detections are based on real-time and offline analysis of user behavior and authentication patterns. The alerts generated by Entra ID Protection, triggered by events logged as User Risk Detection or Risky user activities, allow security teams to promptly investigate and respond to potential threats. This capability is essential for maintaining the security posture of organizations heavily reliant on cloud services and identity management.

Attack Chain

  1. Initial Access: An attacker attempts to gain initial access to a user account, potentially through methods like password spraying (T1110.003).
  2. Anonymization: The attacker uses an anonymizing service such as a VPN or Tor to mask their IP address and location.
  3. Authentication Attempt: The attacker attempts to authenticate to Entra ID with the compromised or brute-forced credentials.
  4. Risk Detection: Entra ID Protection detects the risky sign-in attempt based on factors like anonymized IP, impossible travel, or password spray activity.
  5. Alert Trigger: An "User Risk Detection" or "Risky user" event is logged, triggering the detection rule.
  6. Severity Assessment: Entra ID Protection assigns a risk level (high, medium, or low) to the detected activity.
  7. Investigation & Remediation: Security analysts investigate the alert, assess the risk, and take appropriate remediation steps, such as resetting the user's password or revoking access tokens.

Impact

A successful attack following the described chain can lead to unauthorized access to sensitive cloud resources, data breaches, and further lateral movement within the organization's cloud infrastructure. Undetected compromised accounts can be used to perform data exfiltration, launch further attacks, or disrupt business operations. A recent report highlights a Russia-affiliated actor, VOID BLIZZARD, targeting critical sectors for espionage, showing the real-world impact of such attacks. The number of affected users depends on the scope of the initial compromise and the attacker's ability to move laterally.

Recommendation

  • Deploy the provided Sigma rules to your SIEM to detect suspicious Entra ID user risk detections (see rules section).
  • Review and tune the rule's false positives, specifically around VPN usage and travel patterns, by adding exceptions for specific users or IP ranges as described in the rule's false_positives section.
  • Configure Entra ID sign-in risk policies to automatically respond to risk events, such as requiring MFA or blocking sign-ins from risky locations, based on the azure.identityprotection.properties.risk_level attribute.
  • Ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration, as outlined in the rule's setup section.
  • Investigate user accounts associated with high-risk detections, focusing on events correlated via the azure.correlation_id field in Entra ID audit or sign-in logs.

Detection coverage 3

Entra ID Protection - High Risk User Detection

high

Detects high-risk user detections reported by Entra ID Protection, indicating a potentially compromised account.

sigma tactics: initial_access techniques: T1078.004 sources: cloudtrail, azure, o365

Entra ID Protection - Unremediated Risky User

medium

Detects risky user events that have not been remediated (dismissed, remediated, or confirmedSafe) in Entra ID Protection.

sigma tactics: initial_access techniques: T1078.004 sources: cloudtrail, azure, o365

Entra ID Protection - Anonymized IP Address User Risk

medium

Detects user risk events triggered by sign-ins from anonymized IP addresses (e.g., VPN, Tor) as reported by Entra ID Protection.

sigma tactics: initial_access techniques: T1078.004 sources: cloudtrail, azure, o365

Detection queries are available on the platform. Get full rules →