Entra ID Protection Detects User Risk
Entra ID Protection detects user risk activity such as anonymized IP addresses, unlikely travel, password spray, and other suspicious behaviors indicating potential initial access attempts and compromised accounts within cloud environments.
Microsoft's Entra ID Protection service is a tool for identifying and mitigating identity-based risks in cloud environments. It detects suspicious user activities like access from anonymized IP addresses (VPNs, Tor), geographically improbable travel, and password spraying attacks. These detections are crucial because they can indicate compromised user accounts or malicious actors attempting initial access. The detections are based on real-time and offline analysis of user behavior and authentication patterns. The alerts generated by Entra ID Protection, triggered by events logged as User Risk Detection or Risky user activities, allow security teams to promptly investigate and respond to potential threats. This capability is essential for maintaining the security posture of organizations heavily reliant on cloud services and identity management.
Attack Chain
- Initial Access: An attacker attempts to gain initial access to a user account, potentially through methods like password spraying (T1110.003).
- Anonymization: The attacker uses an anonymizing service such as a VPN or Tor to mask their IP address and location.
- Authentication Attempt: The attacker attempts to authenticate to Entra ID with the compromised or brute-forced credentials.
- Risk Detection: Entra ID Protection detects the risky sign-in attempt based on factors like anonymized IP, impossible travel, or password spray activity.
- Alert Trigger: An "User Risk Detection" or "Risky user" event is logged, triggering the detection rule.
- Severity Assessment: Entra ID Protection assigns a risk level (high, medium, or low) to the detected activity.
- Investigation & Remediation: Security analysts investigate the alert, assess the risk, and take appropriate remediation steps, such as resetting the user's password or revoking access tokens.
Impact
A successful attack following the described chain can lead to unauthorized access to sensitive cloud resources, data breaches, and further lateral movement within the organization's cloud infrastructure. Undetected compromised accounts can be used to perform data exfiltration, launch further attacks, or disrupt business operations. A recent report highlights a Russia-affiliated actor, VOID BLIZZARD, targeting critical sectors for espionage, showing the real-world impact of such attacks. The number of affected users depends on the scope of the initial compromise and the attacker's ability to move laterally.
Recommendation
- Deploy the provided Sigma rules to your SIEM to detect suspicious Entra ID user risk detections (see rules section).
- Review and tune the rule's false positives, specifically around VPN usage and travel patterns, by adding exceptions for specific users or IP ranges as described in the rule's
false_positivessection. - Configure Entra ID sign-in risk policies to automatically respond to risk events, such as requiring MFA or blocking sign-ins from risky locations, based on the
azure.identityprotection.properties.risk_levelattribute. - Ensure that Microsoft Entra ID Protection logs are being collected and streamed into the Elastic Stack via the Azure integration, as outlined in the rule's
setupsection. - Investigate user accounts associated with high-risk detections, focusing on events correlated via the
azure.correlation_idfield in Entra ID audit or sign-in logs.
Detection coverage 3
Entra ID Protection - High Risk User Detection
highDetects high-risk user detections reported by Entra ID Protection, indicating a potentially compromised account.
Entra ID Protection - Unremediated Risky User
mediumDetects risky user events that have not been remediated (dismissed, remediated, or confirmedSafe) in Entra ID Protection.
Entra ID Protection - Anonymized IP Address User Risk
mediumDetects user risk events triggered by sign-ins from anonymized IP addresses (e.g., VPN, Tor) as reported by Entra ID Protection.
Detection queries are available on the platform. Get full rules →