Name:Azure Active Directory High Risk Sign-in id:1ecff169-26d7-4161-9a7b-2ac4c8e61bea version:13 date:2026-04-28 author:Mauricio Velazco, Gowthamaraj Rajendran, Splunk status:production type:TTP Description:The following analytic detects high-risk sign-in attempts against Azure Active Directory, identified by Azure Identity Protection. It leverages the RiskyUsers and UserRiskEvents log categories from Azure AD events ingested via EventHub. This activity is significant as it indicates potentially compromised accounts, flagged by heuristics and machine learning. If confirmed malicious, attackers could gain unauthorized access to sensitive resources, leading to data breaches or further exploitation within the environment. Data_source:
how_to_implement:You must install the latest version of Splunk Add-on for Microsoft Cloud Services from Splunkbase (https://splunkbase.splunk.com/app/3110/#/details). You must be ingesting Azure Active Directory events into your Splunk environment through an EventHub. Specifically, this analytic leverages the RiskyUsers and UserRiskEvents log category in the azure:monitor:aad sourcetype. known_false_positives:Details for the risk calculation algorithm used by Identity Protection are unknown and may be prone to false positives. References: -https://attack.mitre.org/techniques/T1110/003/ -https://docs.microsoft.com/en-us/security/compass/incident-response-playbook-password-spray -https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/overview-identity-protection -https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks drilldown_searches: name:'View the detection results for - "$user$"' search:'%original_detection_search% | search user = "$user$"' earliest_offset:'$info_min_time$' latest_offset:'$info_max_time$' name:'View risk events for the last 7 days for - "$user$"' search:'| from datamodel Risk.All_Risk | search normalized_risk_object IN ("$user$") | stats count min(_time) as firstTime max(_time) as lastTime values(search_name) as "Search Name" values(risk_message) as "Risk Message" values(analyticstories) as "Analytic Stories" values(annotations._all) as "Annotations" values(annotations.mitre_attack.mitre_tactic) as "ATT&CK Tactics" by normalized_risk_object | `security_content_ctime(firstTime)` | `security_content_ctime(lastTime)`' earliest_offset:'7d' latest_offset:'0' tags: analytic_story: - 'Azure Active Directory Account Takeover' asset_type:Azure Active Directory mitre_attack_id: - 'T1110.003' - 'T1586.003' product: - 'Splunk Enterprise' - 'Splunk Enterprise Security' - 'Splunk Cloud' security_domain:identity
