{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/tags/high_risk_signin/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Entra ID"],"_cs_severities":["high"],"_cs_tags":["azure","entra_id","initial_access","high_risk_signin"],"_cs_type":"advisory","_cs_vendors":["Microsoft"],"content_html":"\u003cp\u003eThis detection identifies potentially compromised user accounts through the detection of high-risk sign-ins within Microsoft Entra ID. Microsoft's Identity Protection uses machine learning and heuristics to categorize sign-in risk levels as low, medium, or high. A \u0026quot;high\u0026quot; risk level suggests a significant probability of account compromise. This detection focuses on sign-ins flagged as \u0026quot;high\u0026quot; risk during the authentication process, indicating active attacks or compromise attempts using valid credentials. The rule leverages Azure sign-in logs and triggers when the \u003ccode\u003erisk_level_during_signin\u003c/code\u003e or \u003ccode\u003erisk_level_aggregated\u003c/code\u003e properties are set to \u003ccode\u003ehigh\u003c/code\u003e. The detection logic was last updated on 2026-04-10.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker gains initial access using compromised credentials (T1078).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts to authenticate to Entra ID.\u003c/li\u003e\n\u003cli\u003eEntra ID Identity Protection evaluates the sign-in attempt, factoring in elements such as source IP, geolocation, device details, and authentication method.\u003c/li\u003e\n\u003cli\u003eThe sign-in is flagged as \u0026quot;high risk\u0026quot; by Identity Protection due to anomalous characteristics.\u003c/li\u003e\n\u003cli\u003eThe sign-in logs record the high-risk level in the \u003ccode\u003erisk_level_during_signin\u003c/code\u003e property.\u003c/li\u003e\n\u003cli\u003eThe detection rule triggers based on the high-risk sign-in event.\u003c/li\u003e\n\u003cli\u003ePost-authentication, the attacker potentially gains access to cloud resources and applications (T1078.004).\u003c/li\u003e\n\u003cli\u003eThe attacker attempts lateral movement or data exfiltration.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eA successful attack could lead to unauthorized access to sensitive data, resources, and applications within the organization's cloud environment. The number of affected users and the scope of the damage depend on the permissions and roles assigned to the compromised account. Organizations in any sector relying on Entra ID for authentication are potentially at risk. Failure to detect and remediate high-risk sign-ins can result in significant data breaches, financial losses, and reputational damage.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the provided Sigma rule to your SIEM to detect high-risk Entra ID sign-ins based on the \u003ccode\u003eazure.signinlogs.properties.risk_level_during_signin\u003c/code\u003e and \u003ccode\u003eazure.signinlogs.properties.risk_level_aggregated\u003c/code\u003e fields.\u003c/li\u003e\n\u003cli\u003eInvestigate triggered alerts by reviewing the \u003ccode\u003esource.ip\u003c/code\u003e, \u003ccode\u003esource.geo.country_name\u003c/code\u003e, \u003ccode\u003edevice_detail\u003c/code\u003e, and \u003ccode\u003eclient_app_used\u003c/code\u003e fields in the Azure sign-in logs.\u003c/li\u003e\n\u003cli\u003eIf a compromise is suspected, immediately disable the user account and enforce a password reset with multi-factor authentication.\u003c/li\u003e\n\u003cli\u003eReview and refine conditional access policies to enforce MFA for high-risk sign-ins and block legacy authentication protocols, referencing the information on conditional access policies in the references.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T10:00:00Z","date_published":"2024-01-03T10:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-high-risk-signin/","summary":"This rule detects high-risk sign-ins in Microsoft Entra ID, as identified by Identity Protection, where the sign-in is flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of account compromise.","title":"Entra ID High Risk Sign-in Detected","url":"https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-high-risk-signin/"}],"language":"en","title":"CraftedSignal Threat Feed - High_risk_signin","version":"https://jsonfeed.org/version/1.1"}