5.2.6.1 Ensure the Azure AD 'Risky sign-ins' report is reviewed at least weekly

Information

This report contains records of accounts that have had activity that could indicate they are compromised, such as accounts that have:

Successfully signed in after multiple failures, which is an indication that the accounts have cracked passwords.

Signed in to tenant from a client IP address that has been recognized by Microsoft as an anonymous proxy IP address (such as a TOR network).

Successful sign-ins from users where two sign-ins appeared to originate from different regions and the time between sign-ins makes it impossible for the user to have traveled between those regions.

Rationale:

Reviewing this report on a regular basis allows for identification and remediation of compromised accounts.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

To review the 'Risky sign-ins' report:

Navigate to the Microsoft Entra admin center https://entra.microsoft.com.

Click expand Protection select Risky activities.

Under Report click on Risky sign-ins.

Review by Risk level (aggregate).

See Also

https://workbench.cisecurity.org/benchmarks/15279

Item Details

Category: AUDIT AND ACCOUNTABILITY

References: 800-53|AU-6, 800-53|AU-6(1), 800-53|AU-7(1), CSCv7|6.2

Plugin: microsoft_azure

Control ID: d74c245965539ba5413118480509610b9b22d7ffb09932be789dc343de635eac