Active Directory Identity Protection Alerts & Using Microsoft Sentinel For the Deets
Ever get one of these? An alert that says "User at Risk Detected... We detected a new user with at least high risk in your [company] directory. This might be because we noticed suspicious account activity or we found their emails and passwords posted in a public location." This is Azure AD Identity Protection at work. But if you click on "View Detailed Report" to dig into the risk events, you may get the rather vague "Unfamiliar Sign in Properties" as the source of the alert. But what property in particular caused this alert? The portal doesn't seem to say. The good news is you may be able to find the answer in Sentinel. Use this query to look at the high risk detection:

//The details on identity protection risk detections, highlighting what you're probably looking for @tinyinfosec May, 2022
//Then go back to SignInLogs to review all recent signins in context
SecurityAlert
| where ProductName == "Azure Active Directory Identity Protectio...
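As an added example (this is not the post's own query, which is cut off above), the KQL below does the second step the comments describe: it takes the user named in the Identity Protection alert, pulls that user's recent risky sign-ins from SigninLogs, and compares each sign-in's IP, country, OS, browser and app against the user's own 30-day baseline, so the column that comes back "new" is the property that was unfamiliar. It assumes the standard Sentinel SecurityAlert and SigninLogs schemas and that CompromisedEntity carries the user's UPN for these alerts.

```kql
// Added example, not the original post's query.
// Assumption: CompromisedEntity holds the UPN for Identity Protection alerts.
let lookback = 30d;
let riskyUsers =
    SecurityAlert
    | where TimeGenerated > ago(1d)
    | where ProductName == "Azure Active Directory Identity Protection"
    | where AlertName has "Unfamiliar"          // "Unfamiliar sign-in properties"
    | project AlertTime = TimeGenerated, AlertName,
              UserPrincipalName = tolower(CompromisedEntity);
// Per-user baseline of what "familiar" looks like: successful sign-ins
// over the last 30 days, excluding the last day so the risky event is not
// counted as its own baseline.
let baseline =
    SigninLogs
    | where TimeGenerated between (ago(lookback) .. ago(1d))
    | where ResultType == "0"                   // ResultType is a string column
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | summarize KnownIPs       = make_set(IPAddress),
                KnownCountries = make_set(tostring(LocationDetails.countryOrRegion)),
                KnownOS        = make_set(tostring(DeviceDetail.operatingSystem)),
                KnownBrowsers  = make_set(tostring(DeviceDetail.browser)),
                KnownApps      = make_set(AppDisplayName)
      by UserPrincipalName;
riskyUsers
| join kind=inner (
    SigninLogs
    | where TimeGenerated > ago(2d)
    | where RiskLevelDuringSignIn in ("medium", "high")
         or RiskEventTypes_V2 has "unfamiliarFeatures"
    | extend UserPrincipalName = tolower(UserPrincipalName)
    | project SignInTime = TimeGenerated, UserPrincipalName, IPAddress,
              Country = tostring(LocationDetails.countryOrRegion),
              OS      = tostring(DeviceDetail.operatingSystem),
              Browser = tostring(DeviceDetail.browser),
              AppDisplayName, ResultType, RiskEventTypes_V2
  ) on UserPrincipalName
| join kind=leftouter baseline on UserPrincipalName
// A "true" below marks a property this user has never signed in with before.
| extend NewIP      = not(set_has_element(KnownIPs, IPAddress)),
         NewCountry = not(set_has_element(KnownCountries, Country)),
         NewOS      = not(set_has_element(KnownOS, OS)),
         NewBrowser = not(set_has_element(KnownBrowsers, Browser)),
         NewApp     = not(set_has_element(KnownApps, AppDisplayName))
| project AlertTime, SignInTime, UserPrincipalName, IPAddress, Country, OS,
          Browser, AppDisplayName, ResultType, RiskEventTypes_V2,
          NewIP, NewCountry, NewOS, NewBrowser, NewApp
| order by UserPrincipalName asc, SignInTime asc
```

A user with no successful sign-ins in the baseline window will show empty comparison columns rather than true/false, which is itself worth noting when triaging a brand-new account.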