Control: 5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
Description
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, an indication that the account's password has been guessed or cracked
- signed in to your tenant from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as a Tor exit node)
- had successful sign-ins where two sign-ins appeared to originate from different regions and the time between them makes it impossible for the user to have travelled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Remediation
To review the report, perform the following steps using the Azure Portal:
- Go to portal.azure.com.
- Click Azure Active Directory.
- Under Manage, click on Security.
- Under Report, click on Risky sign-ins.
- Review by Risk level (aggregate).
To get the risky sign-ins event report programmatically, use the following Graph API (replace the placeholder with an ISO 8601 UTC datetime seven days before now):
https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active'
Note that the beta identityRiskEvents resource has been deprecated by Microsoft in favour of the v1.0 identityProtection/riskDetections resource; new automation should target the latter, where the equivalent properties are detectedDateTime and riskState.
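The programmatic review described above, as an added example that is not part of the CIS control text or the microsoft365_compliance mod: it fills the "7 days older datetime" placeholder, builds the $filter from the control, and reduces one page of the response to the counts and high-risk entries a weekly review needs. The property names riskEventDateTime and riskEventStatus come from the filter above; riskLevel, riskEventType, userPrincipalName and ipAddress, and the riskEventType values used, are assumed from the beta identityRiskEvent resource. The sample events are constructed, and the HTTP call itself (a GET with a bearer token carrying IdentityRiskEvent.Read.All) is left out so the example runs offline.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone
from urllib.parse import quote

# Endpoint named in the control text; the request itself is not made here.
GRAPH_RISK_EVENTS = "https://graph.microsoft.com/beta/identityRiskEvents"
REVIEW_WINDOW_DAYS = 7  # the control asks for at least weekly review


def window_start(now, days=REVIEW_WINDOW_DAYS):
    """Fill the '< 7 days older datetime >' placeholder as an aware UTC datetime."""
    if now.tzinfo is None:
        raise ValueError("now must be timezone-aware to avoid a skewed window")
    return now.astimezone(timezone.utc) - timedelta(days=days)


def graph_datetime(dt):
    """Format as the ISO 8601 UTC literal Graph accepts inside $filter."""
    return dt.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")


def build_filter(now):
    """The $filter from the control, with the placeholder filled in."""
    return (f"riskEventDateTime gt {graph_datetime(window_start(now))}"
            " and riskEventStatus eq 'active'")


def build_url(now):
    # Keep ':' and the quotes readable; spaces become %20.
    encoded = quote(build_filter(now), safe=":'")
    return f"{GRAPH_RISK_EVENTS}?$filter={encoded}"


def parse_time(value):
    """Graph returns '2024-01-07T03:15:00Z' or with a 7-digit fraction; both are
    reduced to whole seconds and made timezone-aware (assumes the 'Z' UTC form)."""
    base = value.split(".")[0].rstrip("Z")
    return datetime.fromisoformat(base + "+00:00")


def summarize(events, now):
    """Reduce one page of risk events to what the weekly review needs:
    counts per risk level and per detection type, plus high-risk rows to triage first."""
    start = window_start(now)
    by_level, by_type, triage = Counter(), Counter(), []
    for ev in events:
        if ev.get("riskEventStatus") != "active":
            continue  # remediated/dismissed: already handled, not part of the review
        if parse_time(ev["riskEventDateTime"]) <= start:
            continue  # the server-side $filter drops these; re-check defensively
        level = ev.get("riskLevel", "unknown")
        by_level[level] += 1
        by_type[ev.get("riskEventType", "unknown")] += 1
        if level == "high":
            triage.append((ev.get("userPrincipalName"),
                           ev.get("riskEventType"), ev.get("ipAddress")))
    return {"by_level": dict(by_level), "by_type": dict(by_type),
            "triage": triage, "needs_review": bool(by_level)}


# Constructed sample page (not real tenant data): an impossible-travel hit, two
# anonymous-proxy hits (one with Graph's fractional seconds), one event already
# remediated, and one older than the review window.
SAMPLE_NOW = datetime(2024, 1, 8, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENTS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "high", "riskEventStatus": "active", "ipAddress": "203.0.113.7",
     "riskEventDateTime": "2024-01-07T03:15:00Z"},
    {"userPrincipalName": "bob@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskEventStatus": "active", "ipAddress": "198.51.100.22",
     "riskEventDateTime": "2024-01-05T22:40:00Z"},
    {"userPrincipalName": "erin@contoso.example", "riskEventType": "anonymizedIPAddress",
     "riskLevel": "medium", "riskEventStatus": "active", "ipAddress": "198.51.100.23",
     "riskEventDateTime": "2024-01-04T08:00:00.1234567Z"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "unfamiliarFeatures",
     "riskLevel": "low", "riskEventStatus": "remediated", "ipAddress": "192.0.2.9",
     "riskEventDateTime": "2024-01-06T09:00:00Z"},
    {"userPrincipalName": "dave@contoso.example", "riskEventType": "unlikelyTravel",
     "riskLevel": "high", "riskEventStatus": "active", "ipAddress": "203.0.113.44",
     "riskEventDateTime": "2023-12-20T11:00:00Z"},
]

if __name__ == "__main__":
    print(build_url(SAMPLE_NOW))
    print(summarize(SAMPLE_EVENTS, SAMPLE_NOW))
```

The window is computed from an aware datetime on purpose: a naive local time on the reviewer's workstation would shift the filter by the local UTC offset, and Graph compares against UTC.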
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v150_5_3
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v150_5_3 --share
SQL
This control uses a named query:
with risky_sign_ins_report as (
  select
    id,
    tenant_id,
    _ctx,
    risk_level_aggregated
  from
    azuread_sign_in_report
  where
    -- only sign-ins with aggregated risk 'high' are counted; medium and low
    -- risky sign-ins shown in the portal report are not surfaced by this control
    risk_level_aggregated = 'high'
    and created_date_time::timestamp >= (current_date - interval '7' day)
)
select
  tenant_id as resource,
  'info' as status,
  -- note: when the CTE is empty the group by returns no rows, so the
  -- "has no risky sign-ins" branch never fires and the control emits nothing
  -- for that tenant rather than an explicit all-clear
  case
    when count(*) < 1 then tenant_id || ' has no risky sign-ins reported in last week.'
    else tenant_id || ' has ' || count(*) || ' risky sign-ins reported in last week.'
  end as reason,
  tenant_id as tenant_id
from
  risky_sign_ins_report
group by
  tenant_id,
  _ctx;