For those that have Azure Risk Based Signin Detection

If you are pulling the user risk detection alerts from Azure, it's worth pointing out that IDR does not have a built-in detection for these alerts. In fact, these logs aren't even parsed by Rapid7, which is a whole separate discussion, but I thought it would be worth sharing the following LEQL query against your unparsed Azure AD logs so that you can create alerts in IDR when those events happen.

where("operationName" = "User Risk Detection" and "properties.riskLevel" != "low" and "properties.riskState" = "atRisk")
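As an added example that is not part of the original post, here is the same condition as the LEQL query above applied in Python to a few constructed Azure AD diagnostic log lines, so you can see which records the rule fires on and which it skips. Only operationName, properties.riskLevel and properties.riskState come from the query; riskEventType and userPrincipalName are assumed property names used for illustration.

```python
import json

# Constructed sample log lines (not real data). Field names beyond the three
# used in the LEQL query are assumptions for illustration only.
SAMPLE_LOG_LINES = [
    json.dumps({"operationName": "User Risk Detection",
                "properties": {"riskLevel": "high", "riskState": "atRisk",
                               "riskEventType": "unfamiliarFeatures",
                               "userPrincipalName": "alice@example.com"}}),
    json.dumps({"operationName": "User Risk Detection",
                "properties": {"riskLevel": "low", "riskState": "atRisk",
                               "userPrincipalName": "bob@example.com"}}),
    json.dumps({"operationName": "User Risk Detection",
                "properties": {"riskLevel": "medium", "riskState": "remediated",
                               "userPrincipalName": "carol@example.com"}}),
    json.dumps({"operationName": "Sign-in activity",
                "properties": {"riskLevel": "high", "riskState": "atRisk"}}),
    "not json at all",
    json.dumps({"operationName": "User Risk Detection",
                "properties": {"riskLevel": "medium", "riskState": "atRisk",
                               "userPrincipalName": "dave@example.com"}}),
]

def get_path(record, path):
    """Resolve a dotted key path such as 'properties.riskLevel'; None if absent."""
    node = record
    for key in path.split("."):
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node

def is_alertable(record):
    """Mirror the LEQL query: a User Risk Detection that is not low and still atRisk.
    Comparisons are case-insensitive so 'High'/'high' and 'AtRisk'/'atRisk' both match.
    A record with no riskLevel at all still passes the '!= low' test, which errs
    on the noisy side rather than silently dropping an event."""
    if get_path(record, "operationName") != "User Risk Detection":
        return False
    level = str(get_path(record, "properties.riskLevel") or "").lower()
    state = str(get_path(record, "properties.riskState") or "").lower()
    return level != "low" and state == "atrisk"

def find_alerts(lines):
    """Parse raw log lines and return the records that should raise an alert."""
    alerts = []
    for line in lines:
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # unparseable lines are skipped, not fatal
        if is_alertable(record):
            alerts.append(record)
    return alerts
```

Running find_alerts on the sample flags only alice (high, atRisk) and dave (medium, atRisk); the low-risk, remediated, non-risk-detection and malformed lines are all filtered out.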

Yay! That's a great detection rule, thanks for sharing :wink:

Thank you for this.

What is the recommended action when such an alert comes in? Is it recommended to reset the password of the user at risk?

We typically reach out to the user over the phone and ask them to verify this was expected or if they are traveling, or we have them send us the link to the service they were logging into at the time so we can verify the login.