<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>High_risk_signin - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/tags/high_risk_signin/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 10:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/tags/high_risk_signin/feed.xml" rel="self" type="application/rss+xml"/><item><title>Entra ID High Risk Sign-in Detected</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-high-risk-signin/</link><pubDate>Wed, 03 Jan 2024 10:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-entra-id-high-risk-signin/</guid><description>This rule detects high-risk sign-ins in Microsoft Entra ID, as identified by Identity Protection, where the sign-in is flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of account compromise.</description><content:encoded><![CDATA[<p>This detection identifies potentially compromised user accounts through the detection of high-risk sign-ins within Microsoft Entra ID. Microsoft's Identity Protection uses machine learning and heuristics to categorize sign-in risk levels as low, medium, or high. A &quot;high&quot; risk level suggests a significant probability of account compromise. This detection focuses on sign-ins flagged as &quot;high&quot; risk during the authentication process, indicating active attacks or compromise attempts using valid credentials. The rule leverages Azure sign-in logs and triggers when the <code>risk_level_during_signin</code> or <code>risk_level_aggregated</code> properties are set to <code>high</code>. The detection logic was last updated on 2026-04-10.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>An attacker gains initial access using compromised credentials (T1078).</li>
<li>The attacker attempts to authenticate to Entra ID.</li>
<li>Entra ID Identity Protection evaluates the sign-in attempt, factoring in elements such as source IP, geolocation, device details, and authentication method.</li>
<li>The sign-in is flagged as &quot;high risk&quot; by Identity Protection due to anomalous characteristics.</li>
<li>The sign-in logs record the high-risk level in the <code>risk_level_during_signin</code> property.</li>
<li>The detection rule triggers based on the high-risk sign-in event.</li>
<li>Post-authentication, the attacker potentially gains access to cloud resources and applications (T1078.004).</li>
<li>The attacker attempts lateral movement or data exfiltration.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>A successful attack could lead to unauthorized access to sensitive data, resources, and applications within the organization's cloud environment. The number of affected users and the scope of the damage depend on the permissions and roles assigned to the compromised account. Organizations in any sector relying on Entra ID for authentication are potentially at risk. Failure to detect and remediate high-risk sign-ins can result in significant data breaches, financial losses, and reputational damage.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the provided Sigma rule to your SIEM to detect high-risk Entra ID sign-ins based on the <code>azure.signinlogs.properties.risk_level_during_signin</code> and <code>azure.signinlogs.properties.risk_level_aggregated</code> fields.</li>
<li>Investigate triggered alerts by reviewing the <code>source.ip</code>, <code>source.geo.country_name</code>, <code>device_detail</code>, and <code>client_app_used</code> fields in the Azure sign-in logs.</li>
<li>If a compromise is suspected, immediately disable the user account and enforce a password reset with multi-factor authentication.</li>
<li>Review and refine conditional access policies to enforce MFA for high-risk sign-ins and block legacy authentication protocols, referencing the information on conditional access policies in the references.</li>
</ul>
]]></content:encoded><category domain="severity">high</category><category domain="type">advisory</category><category>azure</category><category>entra_id</category><category>initial_access</category><category>high_risk_signin</category></item></channel></rss>