# Investigating Azure Active Directory High Risk User Sign-in Heuristic

Microsoft Identity Protection is an Azure AD security tool that detects various types of identity risks and attacks. This rule identifies events produced by Microsoft Identity Protection with a risk state equal to `confirmedCompromised`.

- Identify the Risk Detection that triggered the event. A list with descriptions can be found ().
- Identify the user account involved and validate whether the suspicious activity is normal for that user.
- Consider the source IP address and geolocation for the involved user account.
- Investigate other alerts associated with the user account during the past 48 hours.
- Contact the account owner and confirm whether they are aware of this activity.
- Check if this operation was approved and performed according to the organization's change management policy.
- If you suspect the account has been compromised, scope potentially compromised assets by tracking servers, services, and data accessed by the account in the last 24 hours.
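The triage steps above can be scripted over exported records. The following is an added example, not part of the original guide or the rule's own code: it assumes risk records shaped like the Microsoft Graph `riskDetection` resource (`riskState`, `riskEventType`, `userPrincipalName`, `ipAddress`, `location`), while the alert and access-log schemas, the function names, and all sample data are hypothetical and constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def ts(s):
    """Parse an ISO 8601 UTC timestamp such as 2024-05-01T10:00:00Z."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage(risk_events, alerts, access_log, now):
    """Build one investigation summary per user with a confirmedCompromised risk state."""
    report = {}
    for ev in risk_events:
        if ev["riskState"] != "confirmedCompromised":
            continue  # the rule only fires on this risk state
        user = ev["userPrincipalName"]
        entry = report.setdefault(user, {"detections": set(), "sources": set()})
        entry["detections"].add(ev["riskEventType"])  # which Risk Detection fired
        entry["sources"].add((ev["ipAddress"], ev["location"]["countryOrRegion"]))
    for user, entry in report.items():
        # Other alerts for the same account during the past 48 hours.
        entry["alerts_48h"] = sorted(a["name"] for a in alerts
            if a["user"] == user and timedelta(0) <= now - ts(a["time"]) <= timedelta(hours=48))
        # Servers, services and data the account touched in the last 24 hours.
        entry["assets_24h"] = sorted({r["asset"] for r in access_log
            if r["user"] == user and timedelta(0) <= now - ts(r["time"]) <= timedelta(hours=24)})
    return report

# Constructed sample data (not real telemetry); alert and access-log fields are hypothetical.
NOW = ts("2024-05-02T12:00:00Z")
RISK_EVENTS = [
    {"userPrincipalName": "alice@example.com", "riskState": "confirmedCompromised",
     "riskEventType": "unfamiliarFeatures", "ipAddress": "203.0.113.7",
     "location": {"countryOrRegion": "NL"}},
    {"userPrincipalName": "bob@example.com", "riskState": "atRisk",
     "riskEventType": "anonymizedIPAddress", "ipAddress": "198.51.100.9",
     "location": {"countryOrRegion": "US"}},
]
ALERTS = [
    {"user": "alice@example.com", "name": "MFA disabled for user", "time": "2024-05-01T09:00:00Z"},
    {"user": "alice@example.com", "name": "Mailbox rule created", "time": "2024-04-28T09:00:00Z"},
]
ACCESS_LOG = [
    {"user": "alice@example.com", "asset": "sharepoint:/finance", "time": "2024-05-02T08:00:00Z"},
    {"user": "alice@example.com", "asset": "vm:build-01", "time": "2024-04-30T08:00:00Z"},
    {"user": "bob@example.com", "asset": "vm:build-01", "time": "2024-05-02T08:00:00Z"},
]

if __name__ == "__main__":
    for user, entry in triage(RISK_EVENTS, ALERTS, ACCESS_LOG, NOW).items():
        print(user, entry)
```

The summary gives the analyst the detection type, source IP and country, related alerts, and recently accessed assets to bring to the account owner and the change-management check.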