Loading controls...
Control: 5.2.6.1 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
Description
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
- signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
- successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions
Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Remediation
To review the Azure AD 'Risky sign-ins' report:
- Navigate to the
Microsoft Entra admin center
https://entra.microsoft.com. - Click expand
Protection
selectRisky activities.
- Under
Report
click onRisky sign-ins.
- Review by
Risk level (aggregate).
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1
Snapshot and share results via Turbot Pipes:
powerpipe loginpowerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1 --share
SQL
This control uses a named query:
azuread_risky_sign_ins_report