Control: 5.2.6.1 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly
Description
This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:
- successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
- signed in to the tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
- successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.
Remediation
To review the Azure AD 'Risky sign-ins' report:
- Navigate to the Microsoft Entra admin center: https://entra.microsoft.com.
- Expand Protection and select Risky activities.
- Under Report, click Risky sign-ins.
- Review by Risk level (aggregate).
Usage
Run the control in your terminal:
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1
Snapshot and share results via Turbot Pipes:
powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v300_5_2_6_1 --share
SQL
This control uses a named query:
with risky_sign_ins_report as (
  select
    id,
    tenant_id,
    _ctx,
    risk_level_aggregated
  from
    azuread_sign_in_report
  where
    -- only sign-ins whose aggregated risk level is 'high' ...
    risk_level_aggregated = 'high'
    -- ... and that were created within the last 7 days
    and created_date_time::timestamp >= (current_date - interval '7' day)
)
select
  tenant_id as resource,
  -- the control is informational: it always reports 'info', never 'ok' or 'alarm'
  'info' as status,
  case
    -- note: rows come only from the filtered CTE, so a tenant with zero high-risk
    -- sign-ins produces no group at all and this first branch is never reached
    when count(*) < 1 then tenant_id || ' has no risky sign-ins reported in last week.'
    else tenant_id || ' has ' || count(*) || ' risky sign-ins reported in last week.'
  end as reason,
  tenant_id as tenant_id
from
  risky_sign_ins_report
group by
  tenant_id,
  _ctx;
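The following Python script is an added example, not part of the mod or of the control's own query. It runs the same weekly high-risk filter against a constructed in-memory SQLite copy of the azuread_sign_in_report columns the control reads, and shows the one thing the query above cannot: a tenant with zero risky sign-ins still gets a row. Assumptions labelled in the code: the sample ids, tenants and timestamps are made up; a hypothetical tenant table supplies the list of tenants to report on (the Steampipe Azure AD plugin's schema is not relied on for it); the PostgreSQL date arithmetic is replaced by an ISO-8601 string cutoff of now minus 7 days; and the Postgres-only _ctx column is omitted.

```python
import sqlite3
from datetime import datetime, timedelta, timezone

# Constructed sample data standing in for the Steampipe azuread_sign_in_report
# table: made-up ids, tenants and timestamps, not real sign-ins.
NOW = datetime(2024, 6, 15, 12, 0, tzinfo=timezone.utc)  # fixed clock so results are stable
SAMPLE_SIGN_INS = [
    # (id, tenant_id, risk_level_aggregated, created_date_time)
    ("sign-in-1", "tenant-a", "high",   NOW - timedelta(days=1)),
    ("sign-in-2", "tenant-a", "high",   NOW - timedelta(days=3)),
    ("sign-in-3", "tenant-a", "medium", NOW - timedelta(days=2)),   # not 'high': ignored by the control
    ("sign-in-4", "tenant-a", "high",   NOW - timedelta(days=10)),  # older than the 7-day window
    ("sign-in-5", "tenant-b", "none",   NOW - timedelta(days=1)),
]
# Hypothetical tenant list (assumption), so a tenant with zero risky sign-ins still gets a row.
TENANTS = ["tenant-a", "tenant-b"]
WINDOW_DAYS = 7


def build_database():
    """Create an in-memory SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("create table azuread_sign_in_report "
                 "(id text, tenant_id text, risk_level_aggregated text, created_date_time text)")
    conn.execute("create table tenant (tenant_id text primary key)")
    conn.executemany("insert into azuread_sign_in_report values (?, ?, ?, ?)",
                     [(i, t, r, d.isoformat()) for i, t, r, d in SAMPLE_SIGN_INS])
    conn.executemany("insert into tenant values (?)", [(t,) for t in TENANTS])
    return conn


def weekly_risky_sign_ins(conn, now=NOW):
    """Return {tenant_id: {"status", "count", "reason"}} for the last WINDOW_DAYS days.

    Same filter as the control's query (risk_level_aggregated = 'high', created in the
    last week), but aggregated with a LEFT JOIN from the tenant list so the
    'no risky sign-ins' branch is actually reachable for a quiet tenant.
    """
    # Cutoff as an ISO-8601 string; same-format UTC timestamps sort chronologically as text.
    cutoff = (now - timedelta(days=WINDOW_DAYS)).isoformat()
    rows = conn.execute(
        """
        with risky_sign_ins_report as (
          select tenant_id
          from azuread_sign_in_report
          where risk_level_aggregated = 'high'
            and created_date_time >= :cutoff
        )
        select t.tenant_id, count(r.tenant_id) as risky_count
        from tenant t
        left join risky_sign_ins_report r on r.tenant_id = t.tenant_id
        group by t.tenant_id
        order by t.tenant_id
        """,
        {"cutoff": cutoff},
    ).fetchall()

    results = {}
    for tenant_id, risky_count in rows:
        if risky_count < 1:
            reason = f"{tenant_id} has no risky sign-ins reported in last week."
        else:
            reason = f"{tenant_id} has {risky_count} risky sign-ins reported in last week."
        # The control is informational: status is always 'info', never 'ok' or 'alarm'.
        results[tenant_id] = {"status": "info", "count": risky_count, "reason": reason}
    return results


def run_report():
    """Build the sample database and evaluate the control over it."""
    conn = build_database()
    try:
        return weekly_risky_sign_ins(conn)
    finally:
        conn.close()


if __name__ == "__main__":
    for row in run_report().values():
        print(row["status"], row["reason"])
```

With the sample data, tenant-a reports two risky sign-ins (the medium-risk row and the 10-day-old row are filtered out) and tenant-b reports none; the LEFT JOIN from the tenant list is what keeps tenant-b visible to the reviewer, which is the behaviour the control's 'no risky sign-ins' message is meant to convey.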