|
| 1 | +[metadata] |
| 2 | +creation_date = "2021/01/04" |
| 3 | +integration = ["azure"] |
| 4 | +maturity = "production" |
| 5 | +updated_date = "2025/05/21" |
| 6 | + |
| 7 | +[rule] |
| 8 | +author = ["Elastic", "Willem D'Haese"] |
| 9 | +description = """ |
| 10 | +Identifies high risk Microsoft Entra ID sign-ins by leveraging Microsoft's Identity Protection machine learning |
| 11 | +and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not |
| 12 | +provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is |
| 13 | +compromised. |
| 14 | +""" |
| 15 | +from = "now-9m" |
| 16 | +index = ["filebeat-*", "logs-azure.signinlogs*"] |
| 17 | +language = "kuery" |
| 18 | +license = "Elastic License v2" |
| 19 | +name = "Microsoft Entra ID High Risk Sign-in" |
| 20 | +note = """## Triage and analysis |
| 21 | +
|
| 22 | +### Investigating Microsoft Entra ID High Risk Sign-in |
| 23 | +
|
| 24 | +This rule detects high-risk sign-ins in Microsoft Entra ID as identified by Identity Protection. These sign-ins are flagged with a risk level of `high` during the authentication process, indicating a strong likelihood of compromise based on Microsoft’s machine learning and heuristics. This alert is valuable for identifying accounts under active attack or compromise using valid credentials. |
| 25 | +
|
| 26 | +### Possible investigation steps |
| 27 | +
|
| 28 | +- Review the `azure.signinlogs.properties.user_id` and associated identity fields to determine the impacted user. |
| 29 | +- Inspect the `risk_level_during_signin` field and confirm it is set to `high`. If `risk_level_aggregated` is also present and high, this suggests sustained risk across multiple sign-ins. |
| 30 | +- Check `source.ip`, `source.geo.country_name`, and `source.as.organization.name` to evaluate the origin of the sign-in attempt. Flag unexpected geolocations or ASNs (e.g., anonymizers or residential ISPs). |
| 31 | +- Review the `device_detail` fields such as `operating_system` and `browser` for new or unrecognized devices. |
| 32 | +- Validate the `client_app_used` (e.g., legacy protocols, desktop clients) and `app_display_name` (e.g., Office 365 Exchange Online) to assess if risky legacy methods were involved. |
| 33 | +- Examine `applied_conditional_access_policies` to verify if MFA or blocking policies were triggered or bypassed. |
| 34 | +- Check `authentication_details.authentication_method` to see if multi-factor authentication was satisfied (e.g., "Mobile app notification"). |
| 35 | +- Correlate this activity with other alerts or sign-ins from the same account within the last 24–48 hours. |
| 36 | +- Contact the user to confirm if the sign-in was expected. If not, treat the account as compromised and proceed with containment. |
| 37 | +
|
| 38 | +### False positive analysis |
| 39 | +
|
| 40 | +- Risky sign-ins may be triggered during legitimate travel, VPN use, or remote work scenarios from unusual locations. |
| 41 | +- In some cases, users switching devices or networks rapidly may trigger high-risk scores. |
| 42 | +- Automated scanners or penetration tests using known credentials may mimic high-risk login behavior. |
| 43 | +- Confirm whether the risk was remediated automatically by Microsoft Identity Protection before proceeding with escalations. |
| 44 | +
|
| 45 | +### Response and remediation |
| 46 | +
|
| 47 | +- If compromise is suspected, immediately disable the user account and revoke active sessions and tokens. |
| 48 | +- Initiate credential reset and ensure multi-factor authentication is enforced. |
| 49 | +- Review audit logs and sign-in history for the account to assess lateral movement or data access post sign-in. |
| 50 | +- Inspect activity on services such as Exchange, SharePoint, or Azure resources to understand the impact. |
| 51 | +- Determine if the attacker leveraged other accounts or escalated privileges. |
| 52 | +- Use the incident findings to refine conditional access policies, such as enforcing MFA for high-risk sign-ins or blocking legacy protocols. |
| 53 | +- Review and tighten policies that allow sign-ins from high-risk geographies or unknown devices. |
| 54 | +""" |
| 55 | +references = [ |
| 56 | + "https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-risk", |
| 57 | + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection", |
| 58 | + "https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk", |
| 59 | +] |
| 60 | +risk_score = 73 |
| 61 | +rule_id = "37994bca-0611-4500-ab67-5588afe73b77" |
| 62 | +severity = "high" |
| 63 | +tags = [ |
| 64 | + "Domain: Cloud", |
| 65 | + "Data Source: Azure", |
| 66 | + "Data Source: Microsoft Entra ID", |
| 67 | + "Data Source: Microsoft Entra ID Sign-in Logs", |
| 68 | + "Use Case: Identity and Access Audit", |
| 69 | + "Resources: Investigation Guide", |
| 70 | + "Tactic: Initial Access", |
| 71 | +] |
| 72 | +timestamp_override = "event.ingested" |
| 73 | +type = "query" |
| 74 | + |
| 75 | +query = ''' |
| 76 | +event.dataset:azure.signinlogs and |
| 77 | + ( |
| 78 | + azure.signinlogs.properties.risk_level_during_signin:high or |
| 79 | + azure.signinlogs.properties.risk_level_aggregated:high |
| 80 | + ) |
| 81 | +''' |
| 82 | + |
| 83 | + |
| 84 | +[[rule.threat]] |
| 85 | +framework = "MITRE ATT&CK" |
| 86 | +[[rule.threat.technique]] |
| 87 | +id = "T1078" |
| 88 | +name = "Valid Accounts" |
| 89 | +reference = "https://attack.mitre.org/techniques/T1078/" |
| 90 | + |
| 91 | + |
| 92 | +[rule.threat.tactic] |
| 93 | +id = "TA0001" |
| 94 | +name = "Initial Access" |
| 95 | +reference = "https://attack.mitre.org/tactics/TA0001/" |
| 96 | + |
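Review bot: The triage note at line 29 of the new file ("confirm it is set to `high`") does not match the query at lines 76–80, which fires when either `risk_level_during_signin` or `risk_level_aggregated` is `high`; an alert raised only by the aggregated (user-level) risk will fail that check and an analyst may close it as a data error, while every later routine sign-in by the same flagged user will also match. The description at lines 10–13 likewise speaks only of high-risk sign-ins, so I would widen both to say the rule covers high sign-in risk or high aggregated user risk. The query also makes no distinction by outcome, so a blocked or failed high-risk attempt produces the same alert as a successful one, and the "treat the account as compromised" step at line 36 should be conditioned on that. I would rewrite the line-29 bullet to: `- Inspect `risk_level_during_signin` and `risk_level_aggregated`; the rule matches when either is `high`. If only the aggregated level is high, the user is already flagged and subsequent sign-ins will keep matching. Check the sign-in result (e.g. `event.outcome`) and, if the integration populates it, the risk state field, to see whether this attempt succeeded and whether the risk has already been remediated or dismissed.` — the risk-state field name should be confirmed against the Azure integration's signinlogs schema before it is cited.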