User Risk from AAD Identity Protection

andrew_bryant
Contributor

We have AAD Identity Protection logs connected to Azure Sentinel and I can see sign-in risk events. I'm having trouble finding users who are flagged for risk. I've created some queries and dashboards that show multiple sign-in risk events to try to mimic what Azure would do when it upgrades a user risk from medium to high due to multiple medium events.


However, I would like to create an alert rule, which can only use the last 24 hours as a period. So I would like to create a case when Azure AD Identity Protection upgrades a user's risk to high. The ultimate goal is to automate password resets of all users flagged as high risk.

3 Replies

@andrew_bryant 


We are planning to enable longer period querying in an alert rule which would be the simplest way to achieve what you want. Stay tuned.


~ Ofer

@Ofer_Shezaf 


Hi Ofer,


I've been thinking that the alert rules would be more useful if we could go back farther than 24 hours, so that is good to hear. However, I have a few concerns:


1. Since the factors Microsoft uses to determine when a user is high risk are not published, we might be able to make an exact 1-to-1 rule, meaning some users might be high risk and not picked up by this rule. We have a user risk policy that blocks the user. My goal with this rule is to apply a playbook that will reset the user's password and dismiss the risk events so that our analysts don't have to spend time on this alert; the user can just use SSPR and log back in.

2. I have noticed some events in Azure AD Identity Protection where the "Real-time" sign-in risk is medium, but the "aggregate risk" gets updated to high. In the SecurityAlert table, these show up as medium. I'd like to be able to take advantage of whatever AAD ID Protection uses to make that determination in Sentinel.

3. This one is not completely related to Sentinel, more Azure, but we cannot dismiss risk events through PowerShell. So even if we automate the password reset, we will still need to manually dismiss the risk events to unblock the user. I'd like to either see the ability to do this with PowerShell or a connector between Sentinel and Azure that allows us to do this as part of a playbook.


Along the same lines as the original question, I'm also having trouble finding activity logs from MCAS in Sentinel; I can only find alerts that are sent from MCAS. Any idea where to look?
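One way to approximate the "several medium detections escalate to high user risk" behaviour within the 24-hour window an analytics rule can query, as an added example that is not from the thread or from Microsoft. It assumes the Identity Protection connector writes rows to SecurityAlert with ProductName "Azure Active Directory Identity Protection", the severity in AlertSeverity and the user's UPN in CompromisedEntity; the medium-event threshold is a constructed tuning value, since Microsoft's own escalation factors are not published.

```kusto
// Added example (not from the thread). Approximates Identity Protection's
// medium -> high user-risk escalation over the window an alert rule can see.
// Assumptions: ProductName, AlertSeverity and CompromisedEntity (UPN) are
// populated as described in the lead-in; mediumThreshold is a constructed value.
let lookback = 24h;
let mediumThreshold = 2;
SecurityAlert
| where TimeGenerated > ago(lookback)
| where ProductName == "Azure Active Directory Identity Protection"
| where isnotempty(CompromisedEntity)
| summarize
    HighCount   = countif(AlertSeverity == "High"),
    MediumCount = countif(AlertSeverity == "Medium"),
    Detections  = make_set(AlertName, 20),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName = tolower(CompromisedEntity)
// Escalate on any high detection, or on enough medium detections in the window.
| where HighCount > 0 or MediumCount >= mediumThreshold
| extend DerivedUserRisk = iff(HighCount > 0, "High", "High (aggregated from medium)")
| project UserPrincipalName, DerivedUserRisk, HighCount, MediumCount,
          FirstSeen, LastSeen, Detections
```

Because the aggregate user risk level itself is not written to SecurityAlert, this only estimates it from the per-detection severities; compare its output against the Identity Protection "Users flagged for risk" report before wiring it to a password-reset playbook.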
