Skip to content

Latest commit

 

History

History
38 lines (31 loc) · 1.44 KB

MATCH-S00250.md

File metadata and controls

38 lines (31 loc) · 1.44 KB
Raw

Rules: Azure - Suspicious User Risk State Associated with Login

Description

Detects if a sign in has been flagged as "at risk" by Azure Active Directory.

Additional Details

Detail Value
Type Templated Match
Category Initial Access
Apply Risk to Entities device_hostname, device_ip, user_username, srcDevice_ip
Signal Name Azure - Suspicious User Risk State Associated with Sign On
Summary Expression Sign in by {{user_username}} has been flagged as at risk.
Score/Severity Static: 2
Enabled by Default True
Prototype False
Tags _mitreAttackTactic:TA0001, _mitreAttackTactic:TA0003, _mitreAttackTactic:TA0004, _mitreAttackTactic:TA0005, _mitreAttackTactic:TA0042, _mitreAttackTechnique:T1078, _mitreAttackTechnique:T1586, _mitreAttackTechnique:T1586.002, _mitreAttackTechnique:T1078.002, _mitreAttackTechnique:T1078.004

Vendors and Products

Fields Used

Origin Field
Normalized Schema device_hostname
Normalized Schema device_ip
Direct from Record fields['properties.riskState']
Direct from Record fields['riskState']
Normalized Schema metadata_product
Normalized Schema metadata_vendor
Normalized Schema objectType
Normalized Schema srcDevice_ip
Normalized Schema success
Normalized Schema user_username