RiskScore The risk score of the user was updated


We started receiving this alert with high severity from the provider Azure Identity Protection (IPC), yet there is no documentation available about this alert, so our customers are asking us, well... basically, what the heck is this high-severity alert. Can you please provide information about it?

 

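Here's an extract of one of the alerts, with some values hidden. Note that the alert is marked "severity": "high" even though the "riskScore" under "userStates" is "0", and "detectionIds", "recommendedActions" and "sourceMaterials" are all empty, so the alert itself carries nothing to triage on: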

 

"azureSubscriptionId": null,
"riskScore": null,
"tags": [],
"activityGroupName": null,
"assignedTo": null,
"category": "RiskScore",
"closedDateTime": null,
"comments": [],
"confidence": null,
"createdDateTime": "2019-06-28T03:18:40Z",
"description": "The risk score of the user was updated",
"detectionIds": [],
"eventDateTime": "2019-06-28T03:18:40Z",
"feedback": null,
"lastModifiedDateTime": "2019-06-29T20:56:53.9713689Z",
"recommendedActions": [],
"severity": "high",
"sourceMaterials": [],
"status": "newAlert",
"title": "RiskScore",
"vendorInformation": {
"provider": "IPC",
"providerVersion": "3.0",
"subProvider": null,
"vendor": "Microsoft"
},
"cloudAppStates": [],
"fileStates": [],
"hostStates": [],
"historyStates": [],
"malwareStates": [],
"networkConnections": [],
"processes": [],
"registryKeyStates": [],
"triggers": [],
"userStates": [
{
"aadUserId": "hidden",
"accountName": "hidden",
"domainName": null,
"emailRole": "unknown",
"isVpn": null,
"logonDateTime": null,
"logonId": null,
"logonIp": null,
"logonLocation": null,
"logonType": null,
"onPremisesSecurityIdentifier": null,
"riskScore": "0",
"userAccountType": null,
"userPrincipalName": "hidden"
}
],
"vulnerabilityStates": []

 

 
