Setting up alerts for risky signins

Cataster 681 Reputation points
2024-12-05T19:10:09.7166667+00:00

We recently found a risky sign-in for a user (e.g. the IP address was pointing at a location different from the actual location), and following investigation it was discovered the user had clicked on a phishing email for some SharePoint document. MFA sessions were revoked and the password was reset as the recovery action, but this type of scenario was only discovered because someone on the team manually captures risky sign-in results weekly. So it just so happened we were lucky it was discovered the day of, but next time a risky sign-in like this could go by unnoticed and could pose a security risk!

Currently Microsoft Defender alerts us when malware is detected on an endpoint, and we receive emails for those which we start investigating immediately, so we are looking at setting up similar alerting for when a risky sign-in like this is detected, and wanted to ask here what would be the simplest and best way to set up such alerts?

We use Microsoft Defender, but also contemplating integrating a SIEM like Sentinel.

However, we are trying to find out what value Sentinel would really provide us ... if alerts can be set up without the need for Sentinel, is it simply through Log Analytics KQL queries? Or just simply using ID Protection?

Or would Sentinel be best suited for something like this?

I came across this for example, but it just shows querying and not really how that can be used to set up alerts:

https://jeffreyappel.nl/stream-azure-ad-identity-protection-events-to-azure-sentinel-log-analytics/

So we are trying to find out the best approach to implement this, and what value a SIEM like Sentinel would then provide if this can just be done with Log Analytics or ID Protection...

Microsoft 365 and Office | SharePoint | For business | Windows
Microsoft Security | Microsoft Entra | Microsoft Entra ID
Microsoft Security | Microsoft Sentinel

Accepted answer
Marti Peig 970 Reputation points Microsoft Employee
2024-12-05T19:59:09.7+00:00

    Hi Cataster,

    You should check the Microsoft Entra ID Protection notifications, particularly the "Configure users at risk detected alerts" section. Configure the users at risk email in the Microsoft Entra admin center under Protection > Identity Protection > Users at risk detected alerts.

    1. Go to the Azure portal.
    2. Navigate to Entra ID > Security > Identity Protection.
    3. Under Identity Protection, check Users at risk detected alerts under Settings.

    To better understand these alerts, please review the "Users at risk detected email" section.

    As for the value of Microsoft Sentinel, using it to monitor Identity Protection enhances detection, streamlines incident response, and provides deeper visibility into your organization's security posture. It allows for automated and informed decision-making, reduces response times, and improves the overall effectiveness of your identity and access management strategy. In summary, it does a lot more than simple notifications; it can orchestrate your security.

    I hope it helps.

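The accepted answer covers the built-in "users at risk detected" email. For the middle ground the question asks about (alerting on risk detections without standing up Sentinel), the same risk data is exposed by Microsoft Graph at `identityProtection/riskDetections`, and a scheduled script can poll it and page whoever is on call. The following is an added example written for this thread, not code from Microsoft or from the answer above. It assumes an app registration granted the `IdentityRiskEvent.Read.All` application permission and an access token obtained elsewhere (for instance via MSAL); the alert sink, the polling window and the sample detections are constructed for illustration and mirror the shape of the Graph response rather than being real tenant data. The triage rule it implements is the one a practitioner would want first: alert only on detections at or above a chosen risk level that are still in the `atRisk` state (so remediated or dismissed ones stay quiet), and never alert twice on the same detection id.

```python
"""Poll Entra ID Protection risk detections and raise alerts without a SIEM.

Added example for this thread (not Microsoft's code). Assumptions:
  - an app registration with IdentityRiskEvent.Read.All and a bearer token
    obtained elsewhere (e.g. MSAL client credentials flow);
  - `send_alert` stands in for your real sink (email, Teams webhook, ticket);
  - SAMPLE_DETECTIONS is constructed to mirror the Graph response shape.
"""
import json
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH_RISK_DETECTIONS = "https://graph.microsoft.com/v1.0/identityProtection/riskDetections"
RISK_LEVELS = {"low": 1, "medium": 2, "high": 3}


def fetch_risk_detections(token, since):
    """Page through risk detections newer than `since` (online; needs a real token)."""
    stamp = since.astimezone(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
    query = urllib.parse.urlencode({"$filter": f"detectedDateTime ge {stamp}",
                                    "$orderby": "detectedDateTime desc"})
    url = f"{GRAPH_RISK_DETECTIONS}?{query}"
    results = []
    while url:  # follow @odata.nextLink until the result set is exhausted
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            body = json.load(resp)
        results.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
    return results


def triage(detections, seen_ids, min_level="medium"):
    """Return (alerts, updated_seen_ids).

    A detection is alertable when its riskLevel is at or above `min_level`,
    its riskState is still 'atRisk' (remediated/dismissed/confirmedSafe are
    skipped), and its id has not been alerted on before. Alerts come back
    highest risk first so the pager message leads with the worst case.
    """
    alerts = []
    seen = set(seen_ids)
    for d in detections:
        det_id = d["id"]
        if det_id in seen:
            continue                      # already alerted on in an earlier run
        seen.add(det_id)
        if RISK_LEVELS.get(d.get("riskLevel"), 0) < RISK_LEVELS[min_level]:
            continue
        if d.get("riskState") != "atRisk":
            continue
        loc = d.get("location") or {}
        alerts.append({
            "id": det_id,
            "user": d.get("userPrincipalName"),
            "event": d.get("riskEventType"),
            "level": d["riskLevel"],
            "ip": d.get("ipAddress"),
            "location": ", ".join(p for p in (loc.get("city"), loc.get("countryOrRegion")) if p),
            "detected": d.get("detectedDateTime"),
        })
    alerts.sort(key=lambda a: RISK_LEVELS[a["level"]], reverse=True)
    return alerts, seen


def format_alert(a):
    """One-line summary suitable for an email subject or chat message."""
    return (f"[{a['level'].upper()}] {a['event']} for {a['user']} "
            f"from {a['ip']} ({a['location'] or 'unknown location'}) at {a['detected']}")


def send_alert(message):
    """Placeholder sink: replace with SMTP, a Teams/Slack webhook, or a ticket API."""
    print(message)


# Constructed sample in the shape Graph returns; ids and users are fictitious.
SAMPLE_DETECTIONS = [
    {"id": "det-1", "riskLevel": "high", "riskState": "atRisk", "riskEventType": "unfamiliarFeatures",
     "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "location": {"city": "Lagos", "countryOrRegion": "NG"}, "detectedDateTime": "2024-12-05T18:02:11Z"},
    {"id": "det-2", "riskLevel": "medium", "riskState": "atRisk", "riskEventType": "anonymizedIPAddress",
     "userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "location": {"city": None, "countryOrRegion": "NL"}, "detectedDateTime": "2024-12-05T17:40:00Z"},
    {"id": "det-3", "riskLevel": "low", "riskState": "atRisk", "riskEventType": "unlikelyTravel",
     "userPrincipalName": "carol@example.com", "ipAddress": "192.0.2.55",
     "location": {"city": "Denver", "countryOrRegion": "US"}, "detectedDateTime": "2024-12-05T16:15:32Z"},
    {"id": "det-4", "riskLevel": "high", "riskState": "remediated", "riskEventType": "leakedCredentials",
     "userPrincipalName": "dave@example.com", "ipAddress": None,
     "location": None, "detectedDateTime": "2024-12-05T15:00:00Z"},
    {"id": "det-5", "riskLevel": "high", "riskState": "atRisk", "riskEventType": "maliciousIPAddress",
     "userPrincipalName": "erin@example.com", "ipAddress": "203.0.113.99",
     "location": {"city": "Moscow", "countryOrRegion": "RU"}, "detectedDateTime": "2024-12-05T14:30:00Z"},
]


if __name__ == "__main__":
    # Offline run over the constructed sample; det-5 is pretended to be already alerted on.
    # In production: detections = fetch_risk_detections(token, datetime.now(timezone.utc) - timedelta(minutes=15))
    alerts, seen = triage(SAMPLE_DETECTIONS, {"det-5"})
    for a in alerts:
        send_alert(format_alert(a))
    # Persist `seen` (file, table, etc.) so the next scheduled run does not re-page on the same ids.
```

Run it every few minutes from a scheduled task or an Azure Function with the polling window slightly larger than the interval, and persist the returned `seen` set between runs so a detection that stays `atRisk` for days is paged once, not on every poll. This gets you the alert the question asks for; what it does not give you is correlation (joining the detection with the SharePoint click, mailbox rules created afterwards, or Defender endpoint alerts for the same user), automatic session revocation as a playbook, or an incident record with an owner, which is the part of the answer's "orchestrate" that Sentinel adds.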
