Detection rules › Panther
Azure RiskLevel Passthrough
This detection surfaces an alert based on riskLevelAggregated, riskLevelDuringSignIn, and riskState. riskLevelAggregated and riskLevelDuringSignIn are only expected for Azure AD Premium P2 customers.
MITRE ATT&CK coverage
| Tactic | Techniques |
|---|---|
| Initial Access | T1078 Valid Accounts |
| Credential Access | T1110 Brute Force |
Rule body yaml
AnalysisType: rule
Filename: azure_risklevel_passthrough.py
RuleID: "Azure.Audit.RiskLevelPassthrough"
DisplayName: "Azure RiskLevel Passthrough"
Enabled: true
Threshold: 1
DedupPeriodMinutes: 40
LogTypes:
- Azure.Audit
Severity: Medium
Description: >
This detection surfaces an alert based on
riskLevelAggregated, riskLevelDuringSignIn, and riskState.
riskLevelAggregated and riskLevelDuringSignIn are only
expected for Azure AD Premium P2 customers.
Reference: https://learn.microsoft.com/en-us/entra/id-protection/howto-identity-protection-configure-risk-policies
Reports:
MITRE ATT&CK:
- TA0006:T1110
- TA0001:T1078
Runbook: >
There are a variety of potential responses to these sign-in risks.
MSFT has provided an in-depth reference material at https://learn.microsoft.com/en-us/azure/active-directory/identity-protection/howto-identity-protection-risk-feedback
SummaryAttributes:
- properties:ServicePrincipalName
- properties:UserPrincipalName
- properties:ipAddress
- properties:riskLevelAggregated
- properties:riskLevelDuringSignIn
- properties:riskState
Tests:
- Name: Failed Sign-In
ExpectedResult: False
Log:
{
"calleripaddress": "12.12.12.12",
"category": "ServicePrincipalSignInLogs",
"correlationid": "e1f237ef-6548-4172-be79-03818c04c06e",
"durationms": 0,
"Level": "4",
"location": "IE",
"operationname": "Sign-in activity",
"operationversion": 1,
"p_event_time": "2023-07-26 23:00:20.889",
"p_log_type": "Azure.Audit",
"properties":
{
"appId": "cfceb902-8fab-4f8c-88ba-374d3c975c3a",
"authenticationProcessingDetails":
[{ "key": "Azure AD App Authentication Library", "value": "" }],
"authenticationProtocol": "none",
"clientCredentialType": "none",
"conditionalAccessStatus": "notApplied",
"correlationId": "5889315c-c4ac-4807-99da-e17417eae786",
"createdDateTime": "2023-07-26 22:58:30.983201900",
"crossTenantAccessType": "none",
"flaggedForReview": false,
"id": "36658c78-02d9-4d8f-84ee-5ca4a3fdefef",
"incomingTokenType": "none",
"ipAddress": "12.12.12.12",
"isInteractive": false,
"isTenantRestricted": false,
"location":
{
"city": "Dublin",
"countryOrRegion": "IE",
"geoCoordinates":
{
"latitude": 51.35555555555555,
"longitude": -5.244444444444444,
},
"state": "Dublin",
},
"managedIdentityType": "none",
"processingTimeInMilliseconds": 0,
"resourceDisplayName": "Azure Storage",
"resourceId": "037694de-8c7d-498d-917d-edb650090fa5",
"resourceServicePrincipalId": "a225221f-8cc5-411a-9cc7-5e1394b8a5b8",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"servicePrincipalId": "b1c34143-e405-4058-8e29-84596ad737b8",
"servicePrincipalName": "some-service-principal",
"status": { "errorCode": 7000215 },
"tokenIssuerType": "AzureAD",
"uniqueTokenIdentifier": "NDDDDDDDDDDDDDDDDDD_DD",
},
"resourceid": "/tenants/c0dd2fa0-71be-4df8-b2a6-24cee7de069a/providers/Microsoft.aadiam",
"resultsignature": "None",
"resulttype": 7000215,
"tenantid": "a2aa49aa-2c0c-49d2-af87-f402c421df0b",
"time": "2023-07-26 23:00:20.889",
}
- Name: Failed Sign-In with riskLevelAggregated
ExpectedResult: True
Log:
{
"calleripaddress": "12.12.12.12",
"category": "ServicePrincipalSignInLogs",
"correlationid": "e1f237ef-6548-4172-be79-03818c04c06e",
"durationms": 0,
"Level": "4",
"location": "IE",
"operationname": "Sign-in activity",
"operationversion": 1,
"p_event_time": "2023-07-26 23:00:20.889",
"p_log_type": "Azure.Audit",
"properties":
{
"appId": "cfceb902-8fab-4f8c-88ba-374d3c975c3a",
"authenticationProcessingDetails":
[{ "key": "Azure AD App Authentication Library", "value": "" }],
"authenticationProtocol": "none",
"clientCredentialType": "none",
"conditionalAccessStatus": "notApplied",
"correlationId": "5889315c-c4ac-4807-99da-e17417eae786",
"createdDateTime": "2023-07-26 22:58:30.983201900",
"crossTenantAccessType": "none",
"flaggedForReview": false,
"id": "36658c78-02d9-4d8f-84ee-5ca4a3fdefef",
"incomingTokenType": "none",
"ipAddress": "12.12.12.12",
"isInteractive": false,
"isTenantRestricted": false,
"location":
{
"city": "Dublin",
"countryOrRegion": "IE",
"geoCoordinates":
{
"latitude": 51.35555555555555,
"longitude": -5.244444444444444,
},
"state": "Dublin",
},
"managedIdentityType": "none",
"processingTimeInMilliseconds": 0,
"resourceDisplayName": "Azure Storage",
"resourceId": "037694de-8c7d-498d-917d-edb650090fa5",
"resourceServicePrincipalId": "a225221f-8cc5-411a-9cc7-5e1394b8a5b8",
"riskDetail": "none",
"riskLevelAggregated": "low",
"riskLevelDuringSignIn": "none",
"riskState": "none",
"servicePrincipalId": "b1c34143-e405-4058-8e29-84596ad737b8",
"servicePrincipalName": "some-service-principal",
"status": { "errorCode": 7000215 },
"tokenIssuerType": "AzureAD",
"uniqueTokenIdentifier": "NDDDDDDDDDDDDDDDDDD_DD",
},
"resourceid": "/tenants/c0dd2fa0-71be-4df8-b2a6-24cee7de069a/providers/Microsoft.aadiam",
"resultsignature": "None",
"resulttype": 7000215,
"tenantid": "a2aa49aa-2c0c-49d2-af87-f402c421df0b",
"time": "2023-07-26 23:00:20.889",
}
- Name: Failed Sign-In with riskLevelDuringSignIn
ExpectedResult: True
Log:
{
"calleripaddress": "12.12.12.12",
"category": "ServicePrincipalSignInLogs",
"correlationid": "e1f237ef-6548-4172-be79-03818c04c06e",
"durationms": 0,
"Level": "4",
"location": "IE",
"operationname": "Sign-in activity",
"operationversion": 1,
"p_event_time": "2023-07-26 23:00:20.889",
"p_log_type": "Azure.Audit",
"properties":
{
"appId": "cfceb902-8fab-4f8c-88ba-374d3c975c3a",
"authenticationProcessingDetails":
[{ "key": "Azure AD App Authentication Library", "value": "" }],
"authenticationProtocol": "none",
"clientCredentialType": "none",
"conditionalAccessStatus": "notApplied",
"correlationId": "5889315c-c4ac-4807-99da-e17417eae786",
"createdDateTime": "2023-07-26 22:58:30.983201900",
"crossTenantAccessType": "none",
"flaggedForReview": false,
"id": "36658c78-02d9-4d8f-84ee-5ca4a3fdefef",
"incomingTokenType": "none",
"ipAddress": "12.12.12.12",
"isInteractive": false,
"isTenantRestricted": false,
"location":
{
"city": "Dublin",
"countryOrRegion": "IE",
"geoCoordinates":
{
"latitude": 51.35555555555555,
"longitude": -5.244444444444444,
},
"state": "Dublin",
},
"managedIdentityType": "none",
"processingTimeInMilliseconds": 0,
"resourceDisplayName": "Azure Storage",
"resourceId": "037694de-8c7d-498d-917d-edb650090fa5",
"resourceServicePrincipalId": "a225221f-8cc5-411a-9cc7-5e1394b8a5b8",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "high",
"riskState": "none",
"servicePrincipalId": "b1c34143-e405-4058-8e29-84596ad737b8",
"servicePrincipalName": "some-service-principal",
"status": { "errorCode": 7000215 },
"tokenIssuerType": "AzureAD",
"uniqueTokenIdentifier": "NDDDDDDDDDDDDDDDDDD_DD",
},
"resourceid": "/tenants/c0dd2fa0-71be-4df8-b2a6-24cee7de069a/providers/Microsoft.aadiam",
"resultsignature": "None",
"resulttype": 7000215,
"tenantid": "a2aa49aa-2c0c-49d2-af87-f402c421df0b",
"time": "2023-07-26 23:00:20.889",
}
- Name: Failed Sign-In with riskLevelDuringSignIn and dismissed
ExpectedResult: False
Log:
{
"calleripaddress": "12.12.12.12",
"category": "ServicePrincipalSignInLogs",
"correlationid": "e1f237ef-6548-4172-be79-03818c04c06e",
"durationms": 0,
"Level": "4",
"location": "IE",
"operationname": "Sign-in activity",
"operationversion": 1,
"p_event_time": "2023-07-26 23:00:20.889",
"p_log_type": "Azure.Audit",
"properties":
{
"appId": "cfceb902-8fab-4f8c-88ba-374d3c975c3a",
"authenticationProcessingDetails":
[{ "key": "Azure AD App Authentication Library", "value": "" }],
"authenticationProtocol": "none",
"clientCredentialType": "none",
"conditionalAccessStatus": "notApplied",
"correlationId": "5889315c-c4ac-4807-99da-e17417eae786",
"createdDateTime": "2023-07-26 22:58:30.983201900",
"crossTenantAccessType": "none",
"flaggedForReview": false,
"id": "36658c78-02d9-4d8f-84ee-5ca4a3fdefef",
"incomingTokenType": "none",
"ipAddress": "12.12.12.12",
"isInteractive": false,
"isTenantRestricted": false,
"location":
{
"city": "Dublin",
"countryOrRegion": "IE",
"geoCoordinates":
{
"latitude": 51.35555555555555,
"longitude": -5.244444444444444,
},
"state": "Dublin",
},
"managedIdentityType": "none",
"processingTimeInMilliseconds": 0,
"resourceDisplayName": "Azure Storage",
"resourceId": "037694de-8c7d-498d-917d-edb650090fa5",
"resourceServicePrincipalId": "a225221f-8cc5-411a-9cc7-5e1394b8a5b8",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "high",
"riskState": "dismissed",
"servicePrincipalId": "b1c34143-e405-4058-8e29-84596ad737b8",
"servicePrincipalName": "some-service-principal",
"status": { "errorCode": 7000215 },
"tokenIssuerType": "AzureAD",
"uniqueTokenIdentifier": "NDDDDDDDDDDDDDDDDDD_DD",
},
"resourceid": "/tenants/c0dd2fa0-71be-4df8-b2a6-24cee7de069a/providers/Microsoft.aadiam",
"resultsignature": "None",
"resulttype": 7000215,
"tenantid": "a2aa49aa-2c0c-49d2-af87-f402c421df0b",
"time": "2023-07-26 23:00:20.889",
}
- Name: Missing RiskState
ExpectedResult: False
Log:
{
"calleripaddress": "12.12.12.12",
"category": "ServicePrincipalSignInLogs",
"correlationid": "e1f237ef-6548-4172-be79-03818c04c06e",
"durationms": 0,
"Level": "4",
"location": "IE",
"operationname": "Sign-in activity",
"operationversion": 1,
"p_event_time": "2023-07-26 23:00:20.889",
"p_log_type": "Azure.Audit",
"properties":
{
"appId": "cfceb902-8fab-4f8c-88ba-374d3c975c3a",
"authenticationProcessingDetails":
[{ "key": "Azure AD App Authentication Library", "value": "" }],
"authenticationProtocol": "none",
"clientCredentialType": "none",
"conditionalAccessStatus": "notApplied",
"correlationId": "5889315c-c4ac-4807-99da-e17417eae786",
"createdDateTime": "2023-07-26 22:58:30.983201900",
"crossTenantAccessType": "none",
"flaggedForReview": false,
"id": "36658c78-02d9-4d8f-84ee-5ca4a3fdefef",
"incomingTokenType": "none",
"ipAddress": "12.12.12.12",
"isInteractive": false,
"isTenantRestricted": false,
"location":
{
"city": "Dublin",
"countryOrRegion": "IE",
"geoCoordinates":
{
"latitude": 51.35555555555555,
"longitude": -5.244444444444444,
},
"state": "Dublin",
},
"managedIdentityType": "none",
"processingTimeInMilliseconds": 0,
"resourceDisplayName": "Azure Storage",
"resourceId": "037694de-8c7d-498d-917d-edb650090fa5",
"resourceServicePrincipalId": "a225221f-8cc5-411a-9cc7-5e1394b8a5b8",
"riskDetail": "none",
"riskLevelAggregated": "none",
"riskLevelDuringSignIn": "none",
"servicePrincipalId": "b1c34143-e405-4058-8e29-84596ad737b8",
"servicePrincipalName": "some-service-principal",
"status": { "errorCode": 7000215 },
"tokenIssuerType": "AzureAD",
"uniqueTokenIdentifier": "NDDDDDDDDDDDDDDDDDD_DD",
},
"resourceid": "/tenants/c0dd2fa0-71be-4df8-b2a6-24cee7de069a/providers/Microsoft.aadiam",
"resultsignature": "None",
"resulttype": 7000215,
"tenantid": "a2aa49aa-2c0c-49d2-af87-f402c421df0b",
"time": "2023-07-26 23:00:20.889",
}
Detection logic
Condition
operationName eq "Sign-in activity"
properties.riskState not in ["dismissed", "remediated"]
properties in ["low", "medium", "high"] or properties in ["low", "medium", "high"]
This rule also runs imperative logic the parser cannot express as a filter; the conditions above are the structured part it could extract.
Exclusions
Top-level NOT(...) conjuncts: predicates this rule actively suppresses.
| Field | Kind | Excluded values |
|---|---|---|
properties.riskState | in | dismissed, remediated |
Indicators
Each row is a field, operator, and value that the rule matches. The corpus column counts how many other rules in the catalog look for the same combination: high numbers point to widely-used, community-vetted indicators. Blank or 1 shows that the indicator is specific to this rule.
| Field | Kind | Values |
|---|---|---|
operationName | eq |
|
properties | in |
|