Detectionhightest

Azure AD Threat Intelligence

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Thu Sep 07a2cb56ff-4f46-437a-a0fa-ffa4d1303cbacloud

Log Source

Azureriskdetection

ProductAzure← raw: azure

Serviceriskdetection← raw: riskdetection

Detection Logic

detection:
    selection:
        riskEventType: 'investigationsThreatIntelligence'
    condition: selection

False Positives

We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

a2cb56ff-4f46-437a-a0fa-ffa4d1303cba

Status

test

Level

high

Type

Detection

Created

Thu Sep 07

Author

Path

rules/cloud/azure/identity_protection/azure_identity_protection_threat_intel.yml

Raw Tags

attack.t1078attack.persistenceattack.defense-evasionattack.privilege-escalationattack.initial-access