Monitoring High Risk Azure Logins
ID: 6c5b986b-056b-5a89-b441-9199e272d2cf
STIX ID: report--6c5b986b-056b-5a89-b441-9199e272d2cf
Feed Name: Black Hills Infosec Blog
This report describes how a SOC detected and investigated Business Email Compromise (BEC) and account-takeover activity using Microsoft Entra ID Protection (formerly Azure AD Identity Protection) risk signals. It outlines the sign-in attributes to examine during triage (source IP, operating system, ASN, country), discusses common false positives (legitimate travel, mobile devices), summarizes the Entra risk detection event types, and provides a Sigma rule that flags high-risk sign-ins still in the atRisk state for which multi-factor authentication was required. That combination is the signal worth paging on: a correct password arriving from a source risky enough to trigger an MFA challenge usually means the password itself has already been compromised.
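The detection described above, run over sample sign-in records, as an added example that is not code from the Black Hills Infosec post and does not reproduce its Sigma rule. The match condition (riskState atRisk, riskLevelDuringSignIn high, authenticationRequirement multiFactorAuthentication) is assumed from the summary; the field names follow the Microsoft Graph `signIn` resource and should be checked against your own export, and the mobile-device hint is a triage heuristic suggested by the false positives the post mentions. The JSON-lines sample is constructed, not real telemetry.

```python
"""Triage Entra sign-in log records for high-risk sign-ins that hit an MFA wall.

Added example (not from the original post). Field names assume the Microsoft
Graph signIn schema: riskState, riskLevelDuringSignIn, authenticationRequirement,
deviceDetail.operatingSystem, location.countryOrRegion, autonomousSystemNumber.
"""
from __future__ import annotations

import json
from typing import Iterable

# Constructed sample export in JSON-lines form; every value here is made up.
SAMPLE_LOG = """
{"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.7", "riskState": "atRisk", "riskLevelDuringSignIn": "high", "authenticationRequirement": "multiFactorAuthentication", "autonomousSystemNumber": 64496, "deviceDetail": {"operatingSystem": "Windows 10"}, "location": {"countryOrRegion": "NG"}}
{"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.23", "riskState": "atRisk", "riskLevelDuringSignIn": "high", "authenticationRequirement": "multiFactorAuthentication", "autonomousSystemNumber": 64497, "deviceDetail": {"operatingSystem": "Ios"}, "location": {"countryOrRegion": "FR"}}
{"userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.44", "riskState": "atRisk", "riskLevelDuringSignIn": "medium", "authenticationRequirement": "multiFactorAuthentication", "autonomousSystemNumber": 64498, "deviceDetail": {"operatingSystem": "Windows 11"}, "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "dave@example.com", "ipAddress": "192.0.2.90", "riskState": "none", "riskLevelDuringSignIn": "none", "authenticationRequirement": "singleFactorAuthentication", "autonomousSystemNumber": 64498, "deviceDetail": {"operatingSystem": "Windows 11"}, "location": {"countryOrRegion": "US"}}
"""

# Assumed heuristic: operating systems that indicate a phone or tablet.
MOBILE_OS_PREFIXES = ("ios", "android", "iphone", "ipad")


def parse_signins(jsonl: str) -> list[dict]:
    """Parse a JSON-lines export into sign-in records, skipping blank lines."""
    return [json.loads(line) for line in jsonl.splitlines() if line.strip()]


def is_high_risk_mfa_signin(rec: dict) -> bool:
    """Match condition assumed from the post's summary: the sign-in is still
    marked atRisk, Identity Protection rated it high at sign-in time, and the
    policy demanded MFA. The password was therefore accepted and only MFA stood
    in the way, which is the 'credential already compromised' pattern."""
    return (
        rec.get("riskState") == "atRisk"
        and rec.get("riskLevelDuringSignIn") == "high"
        and rec.get("authenticationRequirement") == "multiFactorAuthentication"
    )


def triage(rec: dict) -> dict:
    """Extract the attributes the post says to examine (IP, OS, ASN, country)
    and flag mobile devices, which the post lists as a common false-positive
    source, so the analyst can weigh that before escalating."""
    os_name = (rec.get("deviceDetail") or {}).get("operatingSystem") or ""
    return {
        "user": rec.get("userPrincipalName"),
        "ip": rec.get("ipAddress"),
        "os": os_name,
        "asn": rec.get("autonomousSystemNumber"),
        "country": (rec.get("location") or {}).get("countryOrRegion"),
        "mobile_device": os_name.lower().startswith(MOBILE_OS_PREFIXES),
    }


def find_high_risk_signins(records: Iterable[dict]) -> list[dict]:
    """Return a triage summary for every record that matches the detection."""
    return [triage(r) for r in records if is_high_risk_mfa_signin(r)]


if __name__ == "__main__":
    for hit in find_high_risk_signins(parse_signins(SAMPLE_LOG)):
        print(hit)
```

Only the first two records match: carol's sign-in is atRisk but only medium, and dave's never triggered risk at all. Bob's hit is reported with the mobile-device flag set, which is exactly the kind of alert the post says to check against travel and phone usage before treating it as a takeover.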
