turbot/microsoft365_compliance

Control: 5.2.6.1 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Description

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

  • successfully signed in after multiple failures, which is an indication that the account's password has been cracked
  • signed in to the tenant from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as the Tor network)
  • successful sign-ins where two sign-ins by the same user appeared to originate from different regions and the time between them makes it impossible for the user to have traveled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
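As an added example, not part of the benchmark text or the powerpipe mod, the three conditions above expressed as detection logic over a few constructed sign-in records. The failure threshold, the maximum plausible travel speed and the anonymous-proxy IP set are assumptions standing in for Microsoft's own risk detections.

```python
"""Flag sign-in patterns matching the Risky sign-ins criteria (added example)."""
from datetime import datetime
from math import asin, cos, radians, sin, sqrt

# Constructed sample events: (user, ISO time, success, client IP, lat, lon)
EVENTS = [
    ("alice", "2024-05-01T08:00:00", False, "203.0.113.5", 47.6, -122.3),
    ("alice", "2024-05-01T08:01:00", False, "203.0.113.5", 47.6, -122.3),
    ("alice", "2024-05-01T08:02:00", False, "203.0.113.5", 47.6, -122.3),
    ("alice", "2024-05-01T08:03:00", True, "203.0.113.5", 47.6, -122.3),
    ("bob", "2024-05-01T09:00:00", True, "198.51.100.7", 51.5, -0.1),   # London
    ("bob", "2024-05-01T10:00:00", True, "192.0.2.9", -33.9, 151.2),    # Sydney
    ("carol", "2024-05-01T11:00:00", True, "192.0.2.200", 40.7, -74.0),
]
ANONYMOUS_PROXY_IPS = {"192.0.2.200"}  # assumed stand-in for Microsoft's proxy list
FAILURE_THRESHOLD = 3                 # assumed: failures before a success is suspicious
MAX_SPEED_KMH = 1000.0                # assumed: roughly airline cruising speed


def _km(a, b):
    """Great-circle distance in km between two (lat, lon) points (haversine)."""
    lat1, lon1, lat2, lon2 = map(radians, (a[0], a[1], b[0], b[1]))
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371 * asin(sqrt(h))


def find_risky_sign_ins(events, proxies=ANONYMOUS_PROXY_IPS):
    """Return (user, reason, time) tuples for events matching the report's criteria."""
    findings = []
    state = {}  # per-user: consecutive failure count and last successful (time, position)
    for user, ts, ok, ip, lat, lon in sorted(events, key=lambda e: e[1]):
        t = datetime.fromisoformat(ts)
        st = state.setdefault(user, {"fails": 0, "last": None})
        if not ok:
            st["fails"] += 1
            continue
        if st["fails"] >= FAILURE_THRESHOLD:       # success after repeated failures
            findings.append((user, "success_after_failures", ts))
        st["fails"] = 0
        if ip in proxies:                          # anonymous proxy / Tor exit address
            findings.append((user, "anonymous_proxy_ip", ts))
        if st["last"] is not None:                 # impossible travel between successes
            last_t, last_pos = st["last"]
            hours = (t - last_t).total_seconds() / 3600
            if _km(last_pos, (lat, lon)) > MAX_SPEED_KMH * hours:
                findings.append((user, "impossible_travel", ts))
        st["last"] = (t, (lat, lon))
    return findings
```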

Remediation

To review the Azure AD 'Risky sign-ins' report:

  1. Navigate to the Microsoft Entra admin center https://entra.microsoft.com.
  2. Expand Protection, then select Risky activities.
  3. Under Report click on Risky sign-ins.
  4. Review by Risk level (aggregate).

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1 --share

SQL

This control uses a named query:

azuread_risky_sign_ins_report
