Sign-ins from infected devices


Hi,

 

We receive daily a couple of entries in the "Sign-ins from infected devices" in Azure.

Is it possible to get more information about the device from where the user is signing in?

Some OS, MAC-address, Device type ?

 

At this moment I only see the following:

Object ID | UPN | User | IP | Location | Sign-in time (UTC) | Malware threat name | Last contacted time (UTC) | Status

 

It should be very helpful to get a little more information.

Does someone know how I can get more info about the device?

 

Note: I go to azure portal > AAD > Risky Sign-ins > Sign-ins from infected devices

 

Kind regards,

An

2 Replies

If you have Azure AD Premium (P1 or P2 edition) or Enterprise Mobility + Security (EMS) more details are available. Just to confirm Microsoft's advice, in case you haven't seen it for this event -

 

"This risk event type identifies sign-ins from devices infected with malware, that are known to actively communicate with a bot server. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server."

 

"This risk event identifies IP addresses, not user devices. If several devices are behind a single IP address, and only some are controlled by a bot network, sign-ins from other devices may trigger this event unnecessarily, which is the reason for classifying this risk event as Low.

 

We recommend that you contact the user and scan all the user's devices. It is also possible that a user's personal device is infected, or as mentioned earlier, that someone else was using an infected device from the same IP address as the user. Infected devices are often infected by malware that have not yet been identified by anti-virus software, and may also indicate as bad user habits that may have caused the device to become infected."

 

Getting back to finding more details, Azure AD Premium customers can get full access to Sign-in activity reports with information about the usage of managed applications and user sign-in activities. Also, with the Users flagged for risk security/Risky sign-ins reports these customers (P1) get to examine some of the underlying risk events that have been detected for each report, with P2 customers getting the most detailed information about all underlying risk events and being able to configure security policies that automatically respond to configured risk levels.

 

Anyway, that was my long way of saying that unless you have Azure AD Premium further details for some events may not be available.
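The reply above explains that this risk event is produced by correlating the source IP of a sign-in against IP addresses seen contacting a bot server, and that the match is per IP, not per device, so a shared NAT address can flag sign-ins from clean devices. The following added example (not Microsoft's code, not the Azure AD detection itself, and not part of the original thread) shows how an admin could reproduce that correlation locally over an exported sign-in activity report to answer the original question: which users, operating systems and browsers were actually seen behind each flagged IP, and whether the IP is shared by several devices (a lower-confidence hit) or by one. All records, IP addresses and field names below are constructed for the example; map them to whatever columns your own export uses.

```python
"""Local triage of 'sign-ins from infected devices' style hits.

Constructed example: correlate exported sign-in records against a list of
IPs observed contacting a bot server, then enrich each flagged IP with the
device details available in the sign-in activity report (OS, browser,
device id) and count how many distinct devices share that IP.
"""
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class SignIn:
    upn: str
    ip: str
    os: str
    browser: str
    device_id: Optional[str]   # None when the device is not registered
    time: datetime


# Constructed sign-in activity export (field names are assumptions).
SIGN_INS: List[SignIn] = [
    SignIn("alice@example.com", "203.0.113.10", "Windows 10", "Chrome", "dev-a1", datetime(2024, 1, 8, 8, 2)),
    SignIn("bob@example.com", "203.0.113.10", "iOS", "Safari", None, datetime(2024, 1, 8, 8, 15)),
    SignIn("carol@example.com", "192.0.2.5", "Windows 10", "Edge", "dev-c1", datetime(2024, 1, 8, 9, 0)),
    SignIn("alice@example.com", "198.51.100.7", "Windows 10", "Chrome", "dev-a1", datetime(2024, 1, 9, 18, 40)),
]

# Constructed list of IPs that were seen talking to a bot server.
BOT_CONTACT_IPS: Set[str] = {"203.0.113.10", "198.51.100.7"}


def flag_sign_ins(sign_ins: List[SignIn], bot_ips: Set[str]) -> List[SignIn]:
    """Return the sign-ins whose source IP appears on the bot-contact list.

    Parsing through ip_address() normalises formatting (e.g. leading zeros,
    IPv6 case) so the comparison is on addresses rather than raw strings.
    """
    bot = {ip_address(i) for i in bot_ips}
    return [s for s in sign_ins if ip_address(s.ip) in bot]


def devices_behind_ip(sign_ins: List[SignIn], ip: str) -> Set[Tuple[str, str, str, str]]:
    """Distinct (user, OS, browser, device id) combinations seen from one IP."""
    target = ip_address(ip)
    return {
        (s.upn, s.os, s.browser, s.device_id or "unregistered")
        for s in sign_ins
        if ip_address(s.ip) == target
    }


def triage(sign_ins: List[SignIn], bot_ips: Set[str]) -> Dict[str, dict]:
    """Group flagged sign-ins by IP and attach the device detail behind it.

    'shared_ip' is True when more than one distinct device was seen from the
    address, i.e. the hit may be a clean device behind the same NAT and
    deserves the 'Low' confidence the docs assign to this event.
    """
    flagged = flag_sign_ins(sign_ins, bot_ips)
    report: Dict[str, dict] = {}
    for ip in sorted({s.ip for s in flagged}):
        devices = devices_behind_ip(sign_ins, ip)
        hits = [s for s in flagged if s.ip == ip]
        report[ip] = {
            "flagged_sign_ins": len(hits),
            "users": sorted({s.upn for s in hits}),
            "distinct_devices": len(devices),
            "shared_ip": len(devices) > 1,
            "devices": sorted(devices),
        }
    return report


if __name__ == "__main__":
    for ip, info in triage(SIGN_INS, BOT_CONTACT_IPS).items():
        print(ip, info)
```

Only sign-ins from the two constructed bot-contact addresses are reported; the shared office address (two users, two different OS/browser pairs) is marked `shared_ip`, while the address with a single registered device is not, which is the distinction the Microsoft text above asks you to keep in mind before scanning every device behind the IP.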

License terms says you need a license for each user but in this particular case I would say it might be worth getting a P2 license for the infected user(s) just to get more info. In case you do this, please post back here for others to see what kind of extended reporting you got.