5.3 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Warning! Audit Deprecated

This audit has been deprecated and will be removed in a future update.

Information

This report contains records of accounts whose activity could indicate they are compromised, such as accounts that have:

- successfully signed in after multiple failures, which is an indication that the account's password has been cracked
- signed in to your tenancy from a client IP address that Microsoft has recognized as an anonymous proxy IP address (such as the TOR network)
- had successful sign-ins where two sign-ins appeared to originate from different regions and the time between them makes it impossible for the user to have traveled between those regions

Rationale:

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the report, perform the following steps using the Azure Portal:

Go to portal.azure.com.

Click Azure Active Directory.

Under Manage, click on Security.

Under Report, click on Risky sign-ins.

Review by Risk level (aggregate).

To get the risky sign-ins event report programmatically, use the following Graph API query (replace the bracketed placeholder with a datetime seven days in the past):

https://graph.microsoft.com/beta/identityRiskEvents?$filter=riskEventDateTime gt < 7 days older datetime > and riskEventStatus eq 'active'
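The query above as a runnable weekly review script, added here as an example rather than taken from the benchmark or from Tenable: it fills in the placeholder datetime, URL-encodes the filter, pages through the results and aggregates them by risk level as the portal step does. It assumes the caller already holds a Graph bearer token with an Identity Protection read scope, and the sample events below are constructed.

```python
import json
import urllib.parse
import urllib.request
from collections import Counter
from datetime import datetime, timedelta, timezone
# Endpoint named in the benchmark; identityRiskEvents (beta) has since been superseded by /identityProtection/riskDetections on v1.0.
GRAPH_ENDPOINT = "https://graph.microsoft.com/beta/identityRiskEvents"

def build_query_url(since=None, days=7):
    """Replace the '< 7 days older datetime >' placeholder with a real UTC
    timestamp and percent-encode the OData filter so the URL is valid."""
    if since is None:
        cutoff = datetime.now(timezone.utc) - timedelta(days=days)
        since = cutoff.strftime("%Y-%m-%dT%H:%M:%SZ")
    odata_filter = f"riskEventDateTime gt {since} and riskEventStatus eq 'active'"
    return GRAPH_ENDPOINT + "?$filter=" + urllib.parse.quote(odata_filter)

def fetch_risk_events(access_token, url=None):
    """Call Graph with a bearer token (an Identity Protection read scope is
    assumed) and follow @odata.nextLink until every page has been read."""
    url = url or build_query_url()
    events = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        events.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return events

def summarize_by_risk_level(events):
    """Count events per riskLevel (the portal's 'Risk level (aggregate)' view);
    events missing the field are reported as 'unknown' rather than dropped."""
    return dict(Counter(e.get("riskLevel", "unknown") for e in events))

def high_risk_users(events):
    """Sorted, de-duplicated principals with at least one high-risk event."""
    return sorted({e["userPrincipalName"] for e in events if e.get("riskLevel") == "high"})

# Constructed sample response (fictitious values; property names follow the
# identityRiskEvent schema) so the review logic can be exercised offline.
SAMPLE_EVENTS = [
    {"riskEventType": "anonymousIpRiskEvent", "riskLevel": "medium",
     "riskEventStatus": "active", "userPrincipalName": "alice@example.com"},
    {"riskEventType": "impossibleTravelRiskEvent", "riskLevel": "high",
     "riskEventStatus": "active", "userPrincipalName": "bob@example.com"},
    {"riskEventType": "unfamiliarLocationRiskEvent",
     "riskEventStatus": "active", "userPrincipalName": "carol@example.com"},
]
```

Run `summarize_by_risk_level(fetch_risk_events(token))` on a schedule and alert when the high-risk bucket is non-empty; the "unknown" bucket catches schema drift rather than silently hiding events.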

See Also

https://workbench.cisecurity.org/files/3729