Skip to content

Commit eb1aa51

Browse files
janicerickettsjanicericketts
authored
Update security-operations-user-accounts.md
Add sigma rules
1 parent c755edb commit eb1aa51

File tree

1 file changed

+16
-16
lines changed

1 file changed

+16
-16
lines changed

articles/active-directory/architecture/security-operations-user-accounts.md

Lines changed: 16 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -181,22 +181,22 @@ As you design and operationalize a log monitoring and alerting strategy, conside
181181

182182
| What to monitor | Risk Level | Where | Filter/sub-filter | Notes |
183183
| - | - | - | - | - |
184-
| Leaked credentials user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
185-
| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
186-
| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
187-
| Atypical travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
188-
| Anomalous Token| Varies| Microsoft Entra ID Risk Detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
189-
| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
190-
| Suspicious browser sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
191-
| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
192-
| Malicious IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
193-
| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
194-
| Password Spray sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
195-
| Impossible travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
196-
| New country/region sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
197-
| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
198-
| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
199-
| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md) |
184+
| Leaked credentials user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Leaked credentials <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
185+
| Microsoft Entra Threat Intelligence user risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
186+
| Anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Anonymous IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)[Sigma rules]<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
187+
| Atypical travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Atypical travel <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
188+
| Anomalous Token| Varies| Microsoft Entra ID Risk Detection logs| UX: Anomalous Token <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
189+
| Malware linked IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malware linked IP address <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
190+
| Suspicious browser sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious browser <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
191+
| Unfamiliar sign-in properties sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Unfamiliar sign-in properties <br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
192+
| Malicious IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Malicious IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
193+
| Suspicious inbox manipulation rules sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox manipulation rules<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
194+
| Password Spray sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Password spray<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
195+
| Impossible travel sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Impossible travel<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
196+
| New country/region sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: New country/region<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
197+
| Activity from anonymous IP address sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Activity from Anonymous IP address<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
198+
| Suspicious inbox forwarding sign-in risk detection| Varies| Microsoft Entra ID Risk Detection logs| UX: Suspicious inbox forwarding<br><br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
199+
| Microsoft Entra threat intelligence sign-in risk detection| High| Microsoft Entra ID Risk Detection logs| UX: Microsoft Entra threat intelligence<br>API: See [riskDetection resource type - Microsoft Graph](/graph/api/resources/riskdetection)| See [What is risk? Microsoft Entra ID Protection](../identity-protection/concept-identity-protection-risks.md)<br>[Sigma rules](https://github.com/SigmaHQ/sigma/tree/master/rules/cloud/azure)|
200200

201201
For more information, visit [What is Identity Protection](../identity-protection/overview-identity-protection.md).
202202

0 commit comments

Comments
 (0)