Risky Users and Sign-in Risk
Azure AD Identity Protection
Evaluate risky users and sign-in risk for your organization!
How Does Microsoft Evaluate Risk?
They evaluate signals generated by sign-ins and user activity within Azure and Microsoft 365 tools and services.
Users
Sign-ins
Detection Methods
Real-time
Offline
Sign-in Risk
Premium Sign-in Risk Detections
Atypical travel
Detection: Offline
This risk detection type identifies sign-ins originating from geographically distant locations. In this scenario, with past sign-in behavior data collected, at least one of the locations may be atypical for the user.
Malicious IP address
Detection: Offline
This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources.
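The malicious IP detection above is driven by the failure rate of credential attempts coming from a single source address. The following is an added example, not Microsoft's implementation or any code from the original page, of how a defender can compute that signal over a batch of sign-in outcomes. The sample attempts, the IP addresses, and the thresholds (at least 5 attempts and a 60% failure rate) are all constructed assumptions for illustration; the distinct-user count is included because an address that fails against many different accounts is a stronger indicator than one user mistyping their own password.

```python
from collections import defaultdict

# Constructed sample of sign-in outcomes (not real logs): (source_ip, user, succeeded)
SAMPLE_ATTEMPTS = [
    ("203.0.113.5", "alice@example.com", True),
    ("203.0.113.5", "alice@example.com", True),
    ("203.0.113.5", "bob@example.com", False),
    ("198.51.100.9", "alice@example.com", False),
    ("198.51.100.9", "bob@example.com", False),
    ("198.51.100.9", "carol@example.com", False),
    ("198.51.100.9", "dave@example.com", False),
    ("198.51.100.9", "erin@example.com", True),
]


def ip_failure_stats(attempts):
    """Aggregate per source IP: total attempts, failures, distinct users tried,
    and the resulting failure rate. Runs as an offline batch over the events."""
    raw = defaultdict(lambda: {"total": 0, "failures": 0, "users": set()})
    for ip, user, ok in attempts:
        entry = raw[ip]
        entry["total"] += 1
        entry["users"].add(user)
        if not ok:
            entry["failures"] += 1
    return {
        ip: {
            "total": s["total"],
            "failures": s["failures"],
            "distinct_users": len(s["users"]),
            "failure_rate": s["failures"] / s["total"],
        }
        for ip, s in raw.items()
    }


def flag_high_failure_ips(attempts, min_attempts=5, min_failure_rate=0.6):
    """Return the source IPs whose failure rate meets the (assumed) threshold.
    The minimum attempt count avoids flagging an address on one or two typos."""
    stats = ip_failure_stats(attempts)
    return sorted(
        ip
        for ip, s in stats.items()
        if s["total"] >= min_attempts and s["failure_rate"] >= min_failure_rate
    )


if __name__ == "__main__":
    for ip in flag_high_failure_ips(SAMPLE_ATTEMPTS):
        s = ip_failure_stats(SAMPLE_ATTEMPTS)[ip]
        print(f"high failure rate from {ip}: {s['failures']}/{s['total']} "
              f"attempts failed across {s['distinct_users']} users")
```

In the sample, 203.0.113.5 has one failure among three attempts and stays below the attempt floor, while 198.51.100.9 fails four of five attempts against five different accounts and is flagged. In a real deployment the same aggregation would be run per time window so that an address is judged on recent behaviour rather than its whole history.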
New country
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps and considers past activity locations to determine new, infrequent locations. Anomaly detection stores information about previous locations used by users in the organization.
Anomalous Token
Detection: Offline
This detection type covers Session Tokens and Refresh Tokens indicating that there are abnormal characteristics such as an unusual lifetime or an unfamiliar location.
Suspicious inbox manipulation rules
Detection: Offline
This detection triggers alerts if an end user inbox has any messages or folders moved or deleted. This detection may indicate that an account is compromised, messages are being intentionally hidden, or the mailbox is being used to distribute spam and malware across your organization.
Activity from anonymous IP address
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. It identifies activity from an IP address that has been identified as an anonymous proxy IP address.
Token Issuer Anomaly
Detection: Offline
This risk detection indicates the token issuer is potentially compromised. The claims match known attacker behavior or inconsistent patterns.
Password spray
Detection: Offline
Microsoft Defender for Cloud Apps discovers and detects suspicious email forwarding rules. Cyberattacks often involve an inbox rule that forwards a copy of all company emails to a hacker’s external address.
Suspicious inbox forwarding
Detection: Offline
This detection is discovered by Microsoft Defender for Cloud Apps. This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address.
Suspicious browser
Detection: Offline
This detection indicates suspicious, anomalous sign-in activity from different countries in the same browser.
Impossible travel
Detection: Offline
Microsoft Defender for Cloud Apps identifies and detects user activities originating from geographically distant locations within a shorter time period than the time it takes to travel from location to location. This risk may indicate that a different user is using the same account credentials.
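Both the atypical travel and the impossible travel detections above rest on the same idea: two sign-ins by one user from locations too far apart for the elapsed time. The following is an added example, not code from the original page or from Microsoft, that shows the core check a defender can apply offline to a batch of sign-in events. The events, IP addresses and coordinates are constructed sample data, and the 1000 km/h ceiling (roughly the speed of a commercial airliner) is an assumed threshold; the great-circle distance is computed with the haversine formula.

```python
import math
from datetime import datetime, timezone

# Constructed sample sign-in events (not real logs). Each carries the user,
# a UTC timestamp, and the geo-located source IP with its coordinates.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "time": "2024-03-01T08:00:00Z",
     "ip": "203.0.113.10", "lat": 42.8, "lon": -86.2},    # western Michigan
    {"user": "alice@example.com", "time": "2024-03-01T09:30:00Z",
     "ip": "198.51.100.7", "lat": 52.52, "lon": 13.40},   # Berlin, 90 minutes later
    {"user": "bob@example.com", "time": "2024-03-01T08:00:00Z",
     "ip": "203.0.113.11", "lat": 42.8, "lon": -86.2},
    {"user": "bob@example.com", "time": "2024-03-01T20:00:00Z",
     "ip": "198.51.100.8", "lat": 52.52, "lon": 13.40},   # same trip, 12 hours later
]

# Assumed threshold: anything faster than a commercial flight is not plausible travel.
MAX_PLAUSIBLE_KMH = 1000.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in kilometres between two latitude/longitude points."""
    earth_radius_km = 6371.0
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = math.radians(lat2 - lat1)
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(phi1) * math.cos(phi2) * math.sin(dlmb / 2) ** 2
    return 2 * earth_radius_km * math.asin(math.sqrt(a))


def parse_time(stamp):
    """Parse the ISO-8601 'Z' timestamps used in the constructed sample."""
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_impossible_travel(events, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (user, earlier_ip, later_ip, distance_km, hours, kmh) for each
    consecutive pair of sign-ins by the same user whose implied speed exceeds
    max_kmh. Evaluated offline over the whole batch, as the detection above is."""
    by_user = {}
    for event in events:
        by_user.setdefault(event["user"], []).append(event)

    flagged = []
    for user, user_events in by_user.items():
        user_events.sort(key=lambda e: parse_time(e["time"]))
        for prev, cur in zip(user_events, user_events[1:]):
            dist = haversine_km(prev["lat"], prev["lon"], cur["lat"], cur["lon"])
            hours = (parse_time(cur["time"]) - parse_time(prev["time"])).total_seconds() / 3600
            if hours <= 0:
                # Two sign-ins in the same second: only impossible if they are apart at all.
                speed = math.inf if dist > 0 else 0.0
            else:
                speed = dist / hours
            if speed > max_kmh:
                flagged.append((user, prev["ip"], cur["ip"],
                                round(dist, 1), round(hours, 2), round(speed, 1)))
    return flagged


if __name__ == "__main__":
    for hit in find_impossible_travel(SAMPLE_SIGNINS):
        print("impossible travel:", hit)
```

With the sample data, alice's two sign-ins are about 6,900 km apart with 90 minutes between them, an implied speed of over 4,000 km/h, so the pair is flagged; bob covers the same distance in 12 hours and is not. A production version would also need to handle the usual sources of false positives, such as VPN egress points and coarse IP geolocation, which is one reason the product treats this as an offline detection rather than a real-time block.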
Mass Access to Sensitive Files
Detection: Offline
Microsoft Defender for Cloud Apps detects and triggers alerts when users access multiple files from SharePoint or OneDrive. An alert is triggered only if the number of accessed files is uncommon for the user or if the files contain sensitive information.
Unfamiliar sign-in properties
Detection: Real-time
This risk detection indicates that the token issuer is potentially compromised. The token's claims are unusual or match known attacker patterns.
Sign-in Risk
Nonpremium Sign-in Risk Detections
Additional risk detected
Detection: Real-time or Offline
This detection indicates that there is additional risk detected, usually as a risky user or via a user sign-in risk. Azure AD Premium P2 licenses are paramount for risk detection.
Anonymous IP address
Detection: Real-time
This risk detection type indicates when sign-ins from anonymous IP addresses are used by bad actors attempting anomalous sign-ins for malicious intent.
Admin confirmed user compromised
Detection: Offline
This detection indicates when an admin confirms a risky user has been compromised.
Azure AD threat intelligence
Detection: Offline
This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources.
User Linked Detections
Premium User Detections
Possible attempt to access Primary Refresh Token (PRT)
Detection: Offline
Microsoft Defender for Endpoint (MDE) detects attempts on tokens that enable seamless or single sign-on (SSO) across applications and devices. Attackers usually perform credential theft with them or attempt to move laterally after an initial breach into a business.
Anomalous user activity
Detection: Offline
This detection builds a baseline of normal administrative behavior and spots anomalies such as changes to Azure Active Directory. It is triggered when the admin changes something.
User reported suspicious activity
Detection: Offline
This risk detection happens when a multifactor authentication (MFA) prompt is denied. It may mean that the user’s identity is compromised.
User Linked Detections
Nonpremium User Risk Detections
Additional risk detected
Detection: Real-time or Offline
This detection indicates that there is additional risk detected, usually as a risky user or via a user sign-in risk. Azure AD Premium P2 licenses are paramount for risk detection.
Leaked credentials
Detection: Offline
When hackers compromise valid passwords of legitimate users, they often share them on the dark web or black market. Microsoft's leaked credentials detection checks the dark web for Azure AD credentials to find matches.
Azure AD threat intelligence
Detection: Offline
This internal and external threat detection type indicates unusual user activity consistent with known cyberattacks.
Company Details
- DUNS Number: 078570307
- CAGE Code: 6TX26
- NAICS Codes: 541690, 541990, 541611, 54618, 611420, 541370, 541519
Contact
- HQS - Spring Lake, MI
- Phone: 1 (833) 568-3925
- Email: info@jadexstrategic.com
Codes & Certs
- VOSB - self-certified
- SBA 8(a) - pending
Services
- Microsoft 365 Solutions
- Assessments
- Security
- Training