Loading controls...
Control: 5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
Description
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
- signed in to your tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
- successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions
Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Remediation
To review the report, perform the following steps using the Azure Portal:
- Go to portal.azure.com.
- Click
Azure Active Directory
. - Under
Manage
click onSecurity
. - Under
Report
click onRisky sign-ins
. - Review by
Risk level (aggregate)
.
To get risky sign-ins event report programmatically, use following graph API:
https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active'
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_5_3
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v150_5_3 --share
SQL
This control uses a named query:
azuread_risky_sign_ins_report