Microsoft Secure Tech Accelerator
Apr 03 2024, 07:00 AM - 11:00 AM (PDT)
Microsoft Tech Community

User Risk from AAD Identity Protection

Brass Contributor

We have AAD Identity Protection logs connected to Azure Sentinel and I can see sign in risk events.  I'm having trouble finding users who are flagged for risk.  I've created some queries and dashboards that show multiple sign in risk events to try to mimic what Azure would do when it upgrades a user risk from medium to high due to multiple medium events.

 

However, I would like to create an alert rule, which can only use the last 24 hours as a period.  So I would like to create a case when Azure AD Identity Protection upgrades a user's risk to high.  The ultimate goal is to automate password resets of all users flagged as high risk.

3 Replies

@andrew_bryant 

 

We are planning to enable longer period querying in an alert rule which would be the simplest way to achieve what you want. Stay tuned.

 

~ Ofer

@Ofer_Shezaf 

 

Hi Ofer,

 

I've been thinking that the alert rules would be more useful if we could go back farther than 24 hours, so that is good to hear.  However, I have a few concerns:

 

1. Since the factors Microsoft uses to determine when a user is high risk are not published, we might be able to make an exact 1 to 1 rule, meaning some users might be high risk and not picked up by this rule.  We have a user risk policy that blocks the user.  My goal with this rule is to apply a playbook that will reset the users password and dismiss the risk events so that our analysts don't have to spend time on this alert, the user can just use SSPR and log back in.

2. I have noticed some events in Azure AD Identity Protection where the "Real-time" sign in risk is medium, but the "aggregate risk" gets updated to high.  In the SecurityAlert table, these show up as medium.  I'd like to be able to take advantage of whatever AAD ID protection uses to make that determination in Sentinel.

3. This one is not completely related to Sentinel, more Azure, but we cannot dismiss risk events through Powershell.  so even if we automate the password reset, we will still need to manually dismiss the risk events to unblock the user.  I'd like to either see the ability to do this with powershell or a connector between Sentinel and Azure that allows us to do this as part of a playbook.

 

 

Along the same lines as the original question, I'm also having trouble finding activity logs from MCAS in sentinel, I can only find alerts that are sent from MCAS.  Any idea where to look?