Azure AD Threat Intelligence

Original Source: [Sigma source]
Title: Azure AD Threat Intelligence
Status: test
Description: Indicates user activity that is unusual for the user or consistent with known attack patterns.
References:
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-sign-in
  - https://learn.microsoft.com/en-us/entra/id-protection/concept-identity-protection-risks#azure-ad-threat-intelligence-user
  - https://learn.microsoft.com/en-us/entra/architecture/security-operations-user-accounts#unusual-sign-ins
Author: Mark Morowczynski '@markmorow', Gloria Lee, '@gleeiamglo'
Date: 2023-09-07
Modified: None
Tags:
  • 'attack.stealth'
  • 'attack.t1078'
  • 'attack.persistence'
  • 'attack.privilege-escalation'
  • 'attack.initial-access'
Logsource:
  • product: azure
  • service: riskdetection
Detection:
  selection:
    riskEventType: 'investigationsThreatIntelligence'
  condition: selection
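The detection above is a single equality test on the riskEventType field of Azure AD Identity Protection risk detection events. The following is an added example, not part of the Sigma rule or its references, showing how that selection evaluates against risk detection records and how a hit can be reviewed next to the same user's other detections (the point made under Falsepositives). The event shape (riskEventType, riskLevel, riskState, activity, userPrincipalName, detectedDateTime) follows the Microsoft Graph riskDetection resource; the sample events themselves, including users, addresses and timestamps, are constructed for this example.

```python
"""Added example: apply the rule's selection to constructed riskDetection events."""
import json
from collections import defaultdict

# Field/value pair copied from the rule's detection.selection block.
SELECTION = {"riskEventType": "investigationsThreatIntelligence"}

# Constructed events shaped like Microsoft Graph riskDetection objects.
# All users, addresses and timestamps are made up for this example.
# d4 differs only in letter case to show Sigma's case-insensitive matching.
SAMPLE_EVENTS_JSON = """
[
  {"id": "d1", "riskEventType": "investigationsThreatIntelligence", "riskLevel": "high",
   "riskState": "atRisk", "activity": "signin", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "203.0.113.10", "detectedDateTime": "2024-01-15T08:02:11Z"},
  {"id": "d2", "riskEventType": "unfamiliarFeatures", "riskLevel": "medium",
   "riskState": "atRisk", "activity": "signin", "userPrincipalName": "alice@contoso.example",
   "ipAddress": "198.51.100.7", "detectedDateTime": "2024-01-15T07:55:40Z"},
  {"id": "d3", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
   "riskState": "remediated", "activity": "signin", "userPrincipalName": "bob@contoso.example",
   "ipAddress": "192.0.2.44", "detectedDateTime": "2024-01-14T22:10:03Z"},
  {"id": "d4", "riskEventType": "InvestigationsThreatIntelligence", "riskLevel": "high",
   "riskState": "atRisk", "activity": "user", "userPrincipalName": "carol@contoso.example",
   "ipAddress": null, "detectedDateTime": "2024-01-15T09:30:00Z"}
]
"""
SAMPLE_EVENTS = json.loads(SAMPLE_EVENTS_JSON)


def _norm(value):
    # Sigma string matching is case-insensitive by default, so compare lowercased.
    return value.lower() if isinstance(value, str) else value


def matches_selection(event, selection=SELECTION):
    """True when every field in the selection is present and equal (Sigma AND semantics)."""
    return all(field in event and _norm(event[field]) == _norm(expected)
               for field, expected in selection.items())


def run_rule(events, selection=SELECTION):
    """Apply the rule condition ('selection') and return the matching events."""
    return [e for e in events if matches_selection(e, selection)]


def context_for_user(events, upn):
    """All detections for one user, oldest first, so a hit can be read alongside
    the user's other sign-in detections as the rule's false-positive note advises."""
    return sorted((e for e in events if _norm(e.get("userPrincipalName")) == _norm(upn)),
                  key=lambda e: e["detectedDateTime"])


def summarize(events, selection=SELECTION):
    """Map each flagged user to the sorted riskEventTypes seen across all their detections."""
    summary = defaultdict(set)
    for hit in run_rule(events, selection):
        upn = hit["userPrincipalName"]
        for e in context_for_user(events, upn):
            summary[upn].add(e["riskEventType"])
    return {upn: sorted(types) for upn, types in summary.items()}


if __name__ == "__main__":
    for hit in run_rule(SAMPLE_EVENTS):
        print(f"ALERT {hit['id']}: {hit['userPrincipalName']} activity={hit['activity']} "
              f"level={hit['riskLevel']} state={hit['riskState']}")
    print(json.dumps(summarize(SAMPLE_EVENTS), indent=2))
```

Running it flags d1 (a sign-in detection) and d4 (a user-level detection, since the same riskEventType value covers both the sign-in and user variants described in the references), while d2 and d3 are left as context. The per-user summary is what an analyst would look at first: alice's hit sits next to an unfamiliarFeatures detection minutes earlier, which is the kind of corroborating signal the Falsepositives note asks for.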
Falsepositives:
  - We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
Level: high