Skip to content
Threat Feed
medium advisory

Entra ID High Risk User Sign-in Detection

This rule identifies high-risk Azure Active Directory (AD) sign-ins by leveraging Microsoft Identity Protection machine learning and heuristics, specifically focusing on events with a risk state of `confirmedCompromised` or `atRisk`, indicating potential initial access attempts.

This detection identifies potentially compromised user accounts within an Azure Active Directory (Azure AD) environment. It leverages Microsoft Identity Protection, a security tool within Azure AD that employs machine learning and heuristics to detect identity-based risks. The rule focuses on sign-in events flagged with a risk_state of either confirmedCompromised or atRisk. These states signify that Microsoft Identity Protection has identified a high probability of account compromise based on various factors such as unusual sign-in locations, unfamiliar devices, or patterns indicative of credential theft or misuse. The rule aims to alert security teams to potential initial access attempts using valid cloud accounts.

Attack Chain

  1. An attacker obtains valid credentials for an Azure AD user account through phishing, credential stuffing, or malware.
  2. The attacker attempts to sign in to Azure AD using the compromised credentials.
  3. Microsoft Identity Protection analyzes the sign-in attempt, considering factors such as IP address, geolocation, device information, and historical user behavior.
  4. Based on its analysis, Identity Protection determines the sign-in is high-risk and sets the risk_state to confirmedCompromised or atRisk.
  5. The sign-in event is logged, including the risk_state and other relevant details such as user identity, IP address, and application accessed.
  6. The attacker, if successful in signing in, may then attempt to access sensitive data, applications, or resources within the Azure AD environment.
  7. The attacker might also attempt to move laterally to other accounts or resources within the environment.

Impact

A successful attack could lead to unauthorized access to sensitive data, applications, and resources within the Azure AD environment. This could result in data breaches, financial loss, reputational damage, and disruption of business operations. The impact can vary depending on the level of access granted to the compromised account and the sensitivity of the data or resources accessed.

Recommendation

  • Deploy the Sigma rule Entra ID High Risk User Sign-in to your SIEM to identify potentially compromised accounts in your Azure AD environment and tune for your environment.
  • Investigate any alerts generated by the Entra ID High Risk User Sign-in rule, following the triage steps outlined in the rule's documentation.
  • Enable multi-factor authentication (MFA) for all users to mitigate the risk of credential compromise, referencing Microsoft's security best practices.
  • Monitor Azure AD sign-in logs for unusual activity, even for accounts not flagged as high-risk, using the log schema defined by Microsoft here.

Detection coverage 2

Entra ID High Risk User Sign-in

medium

Detects Azure AD sign-ins flagged as high-risk by Microsoft Identity Protection.

sigma tactics: initial_access techniques: T1078, T1078.004 sources: network_connection, azure

Entra ID Risky Sign-in from Unfamiliar Location

medium

Detects Azure AD sign-ins flagged as high-risk originating from unusual geographical locations.

sigma tactics: initial_access techniques: T1078, T1078.004 sources: network_connection, azure

Detection queries are available on the platform. Get full rules →