turbot/steampipe-mod-microsoft365-compliance

Control: 5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Description

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

  - successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords
  - signed in to your tenancy from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network)
  - had successful sign-ins where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

Remediation

To review the report, perform the following steps using the Azure Portal:

  1. Go to portal.azure.com.
  2. Click Azure Active Directory.
  3. Under Manage click on Security.
  4. Under Report click on Risky sign-ins.
  5. Review by Risk level (aggregate).

To get the risky sign-ins event report programmatically, use the following Graph API query:

https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt <7 days older datetime> and riskEventStatus eq 'active'

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v140_5_3

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v140_5_3 --share

SQL

This control uses a named query:

with risky_sign_ins_report as (
  -- High-risk sign-ins created within the last 7 days
  select
    id,
    tenant_id,
    _ctx,
    risk_level_aggregated
  from
    azuread_sign_in_report
  where
    risk_level_aggregated = 'high'
    and created_date_time::timestamp >= (current_date - interval '7' day)
)
select
  tenant_id as resource,
  'info' as status,
  -- Only tenants with at least one matching row reach this point; a tenant with
  -- no high-risk sign-ins yields no row at all rather than the 'no risky sign-ins' message.
  case
    when count(*) < 1 then tenant_id || ' has no risky sign-ins reported in last week.'
    else tenant_id || ' has ' || count(*) || ' risky sign-ins reported in last week.'
  end as reason,
  tenant_id as tenant_id
from
  risky_sign_ins_report
group by
  tenant_id,
  _ctx;
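The weekly review can also be scripted against the Graph results. The following Python is an added example, not code from the mod: it fills the `<7 days older datetime>` placeholder of the `$filter` quoted above from a reference date and aggregates a constructed sample of sign-ins per tenant and risk level, keeping tenants that have no high-risk sign-ins (which the query above cannot report). The sample records and their field names are assumptions.

```python
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample, not real Graph output; field names are assumed and mirror the
# columns the control's query reads (tenant_id, created_date_time, risk_level_aggregated).
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)
SAMPLE_SIGN_INS = [
    {"id": "s1", "tenantId": "tenant-a", "createdDateTime": "2024-06-09T08:15:00Z", "riskLevelAggregated": "high"},
    {"id": "s2", "tenantId": "tenant-a", "createdDateTime": "2024-06-05T22:40:00Z", "riskLevelAggregated": "high"},
    {"id": "s3", "tenantId": "tenant-a", "createdDateTime": "2024-05-28T10:00:00Z", "riskLevelAggregated": "high"},
    {"id": "s4", "tenantId": "tenant-a", "createdDateTime": "2024-06-08T12:00:00Z", "riskLevelAggregated": "medium"},
    {"id": "s5", "tenantId": "tenant-b", "createdDateTime": "2024-06-07T09:30:00Z", "riskLevelAggregated": "low"},
]

def risk_filter(now: datetime, days: int = 7) -> str:
    """Build the $filter value with the <7 days older datetime> placeholder filled in."""
    since = (now - timedelta(days=days)).strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"riskEventDateTime gt {since} and riskEventStatus eq 'active'"

def summarize(sign_ins, now: datetime, days: int = 7) -> dict:
    """Count sign-ins per tenant and aggregated risk level inside the review window.
    Every tenant seen is kept, so a tenant with zero high-risk sign-ins still appears."""
    cutoff = now - timedelta(days=days)
    summary: dict = {}
    for s in sign_ins:
        counts = summary.setdefault(s["tenantId"], Counter())
        when = datetime.fromisoformat(s["createdDateTime"].replace("Z", "+00:00"))
        if when >= cutoff:
            counts[s["riskLevelAggregated"]] += 1
    return summary

def reason(tenant: str, counts: Counter) -> str:
    """Same wording as the control's reason column, driven by the high-risk count."""
    high = counts["high"]  # Counter returns 0 for a missing key
    if high < 1:
        return f"{tenant} has no risky sign-ins reported in last week."
    return f"{tenant} has {high} risky sign-ins reported in last week."

if __name__ == "__main__":
    print("$filter=" + risk_filter(NOW))
    for tenant, counts in summarize(SAMPLE_SIGN_INS, NOW).items():
        print(reason(tenant, counts))
```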

Tags