Multiple Entra ID Protection Alerts Indicate Potential Account Compromise
Multiple Microsoft Entra ID Protection alerts associated with a single user in a short timeframe may indicate an ongoing attack or compromised account, stemming from suspicious sign-in activity such as anomalous IP addresses or risky sign-ins.
This rule identifies instances where a user principal triggers more than two Microsoft Entra ID Protection alerts within a 10-minute window. These alerts, generated by Azure Identity Protection, flag suspicious sign-in attempts, including logins from unusual IP addresses, locations, or devices, as well as other risk detections. While a single alert may represent a minor anomaly, a rapid succession of alerts tied to a single user account strongly suggests malicious activity, such as credential compromise or an active attack targeting that account. Detecting this pattern early allows security teams to swiftly investigate and contain potential breaches, preventing further damage. This detection is critical for organizations relying on Microsoft Entra ID for identity and access management.
Attack Chain
- The attacker gains initial access to a valid user account, possibly through credential phishing or password spraying (T1078.004).
- The compromised account attempts to log in from an anomalous IP address, triggering an Entra ID Protection alert.
- The attacker attempts to sign in from a risky location, possibly through a VPN or proxy, generating another Entra ID Protection alert.
- The attacker uses a previously unknown device to access resources, triggering a third Entra ID Protection alert.
- These multiple alerts within a short timeframe trigger the detection rule.
- The attacker attempts to access sensitive cloud resources, leveraging the compromised account.
- The attacker may attempt to escalate privileges within the cloud environment to gain wider access.
- The attacker establishes persistence by creating new credentials or modifying existing account settings (T1078, TA0003).
Impact
A successful attack following multiple Entra ID Protection alerts could lead to unauthorized access to sensitive cloud resources, data breaches, and potential financial losses. Lateral movement within the cloud environment could compromise additional accounts and services. The impact is particularly severe for organizations that store critical data or run essential applications in Azure. Early detection and response are crucial to minimize damage and prevent further exploitation.
Recommendation
- Deploy the Sigma rule "Entra ID Protection Alerts for User Detected" to your SIEM to detect multiple alerts associated with the same user principal (see rule below).
- Investigate any triggered alerts, focusing on identifying the specific risk detections and validating the user's activity as described in the rule's note section.
- Enable multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise.
- Review and enforce Microsoft's security best practices for identity management in Azure, as outlined in the provided references.
- Adjust the timeframe and alert threshold in the Sigma rule to suit your organization's specific environment and risk tolerance.
Detection coverage 2
Entra ID Protection Alerts for User Detected
highDetects multiple Entra ID Protection alerts associated with a user principal within a short timeframe, indicating potential account compromise.
Entra ID Protection - Risky Sign-in Detected
mediumDetects a risky sign-in detected by Entra ID Protection based on sign-in logs.
Detection queries are available on the platform. Get full rules →