turbot/steampipe-mod-microsoft365-compliance

Control: 5.4 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Description

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

  • successfully signed in after multiple failures, which is an indication that the accounts' passwords have been cracked
  • signed in to the tenant from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as the Tor network)
  • signed in successfully twice from different regions, with too little time between the sign-ins for the user to have traveled between those regions

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

Remediation

To review the Azure AD 'Risky sign-ins' report:

  1. Navigate to Microsoft Entra admin center https://entra.microsoft.com/.
  2. Click to expand Protect & secure and select Risky activities.
  3. Under Report, click Risky sign-ins.
  4. Review by Risk level (aggregate).

Usage

Run the control in your terminal:

powerpipe control run microsoft365_compliance.control.cis_v200_5_4

Snapshot and share results via Turbot Pipes:

powerpipe login
powerpipe control run microsoft365_compliance.control.cis_v200_5_4 --share

SQL

This control uses a named query:

with risky_sign_ins_report as (
  select
    tenant_id,
    _ctx,
    -- count only high-risk sign-ins from the last 7 days; counting with a
    -- filter (rather than filtering rows before grouping) keeps a row for a
    -- tenant with zero matches, so the 'no risky sign-ins' reason can fire
    count(*) filter (
      where risk_level_aggregated = 'high'
        and created_date_time::timestamp >= (current_date - interval '7' day)
    ) as high_risk_count
  from
    azuread_sign_in_report
  group by
    tenant_id,
    _ctx
)
select
  tenant_id as resource,
  'info' as status,
  case
    when high_risk_count < 1 then tenant_id || ' has no risky sign-ins reported in last week.'
    else tenant_id || ' has ' || high_risk_count || ' risky sign-ins reported in last week.'
  end as reason,
  tenant_id
from
  risky_sign_ins_report;
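
The same per-tenant grouping the query performs, written as an added Python example (not the mod's own code) over constructed rows that mimic the tenant_id, risk_level_aggregated and created_date_time columns of azuread_sign_in_report; it applies the 7-day window from midnight the way current_date - interval '7' day does, ignores levels below high, and still emits a row for a tenant with zero risky sign-ins.

```python
from datetime import date, datetime, timedelta, timezone

# Constructed sample rows shaped like the azuread_sign_in_report columns the
# control reads (not real tenant data).
SAMPLE_SIGN_INS = [
    {"tenant_id": "tenant-a", "risk_level_aggregated": "high",
     "created_date_time": "2024-05-10T08:15:00Z"},
    {"tenant_id": "tenant-a", "risk_level_aggregated": "high",
     "created_date_time": "2024-05-12T19:42:00Z"},
    {"tenant_id": "tenant-a", "risk_level_aggregated": "medium",
     "created_date_time": "2024-05-12T20:00:00Z"},   # below 'high': not counted
    {"tenant_id": "tenant-b", "risk_level_aggregated": "high",
     "created_date_time": "2024-04-20T03:00:00Z"},   # outside the 7-day window
]
SAMPLE_TENANTS = ["tenant-a", "tenant-b"]   # tenants that must always get a row
SAMPLE_TODAY = date(2024, 5, 14)            # fixed "current_date" for the sample


def weekly_risky_sign_in_report(sign_ins, tenants, today, days=7):
    """Per tenant, count sign-ins whose aggregated risk level is 'high' and whose
    created_date_time is on or after midnight (UTC) `days` days ago, then build
    the same reason text the control's SQL emits."""
    cutoff = datetime.combine(today - timedelta(days=days), datetime.min.time(),
                              tzinfo=timezone.utc)
    counts = {t: 0 for t in tenants}          # zero-count tenants are reported too
    for row in sign_ins:
        created = datetime.fromisoformat(
            row["created_date_time"].replace("Z", "+00:00"))
        if row["risk_level_aggregated"] == "high" and created >= cutoff:
            counts[row["tenant_id"]] = counts.get(row["tenant_id"], 0) + 1
    results = []
    for tenant, n in counts.items():
        if n < 1:
            reason = f"{tenant} has no risky sign-ins reported in last week."
        else:
            reason = f"{tenant} has {n} risky sign-ins reported in last week."
        results.append({"resource": tenant, "status": "info",
                        "reason": reason, "high_risk_count": n})
    return results


if __name__ == "__main__":
    for r in weekly_risky_sign_in_report(SAMPLE_SIGN_INS, SAMPLE_TENANTS, SAMPLE_TODAY):
        print(r["status"], r["reason"])
```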

Tags