Is there a way to Detect the Risk type in a risky user

Rahul Ramachandran 1 Reputation point
2021-11-09T09:55:34.617+00:00

Example: if a user is marked as a risky user and we want to know whether this risk is due to leaked credentials, and if possible, which attribute is used in Azure AD for this? We have Sentinel to fetch these details and it is connected to another system. The end goal is to trigger an alert for only leaked credentials.


1 answer

  1. VipulSparsh-MSFT 16,306 Reputation points Microsoft Employee
    2021-11-09T11:38:29.913+00:00

    @Rahul Ramachandran Thanks for reaching out. Are you referring to the Detection type field in Risky user reporting? Something like this:

    [Image: 147680-image.png]

    Once the logs are sent to Sentinel, Sentinel would have an option to query the risky users and find if the event was raised for leaked credentials. Are you looking for a dedicated KQL query for this, for creating an analytic query?

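One way to write the analytic query discussed in the answer above, as an added example that is not part of the original thread. It assumes the tenant's diagnostic settings export the `UserRiskEvents` and `RiskyUsers` log categories to the Sentinel workspace (tables `AADUserRiskEvents` and `AADRiskyUsers`); the detection type is carried in the `RiskEventType` column, and the two time windows are assumed values to tune.

```kql
// Added example: alert only on leaked-credential detections for users
// who are still flagged as risky.
let lookback = 1d;            // assumed: align with the analytics rule schedule
let riskyUserWindow = 14d;    // assumed: how far back to read risky-user state
// Latest known state per user, so remediated or dismissed users do not alert.
let currentlyRisky =
    AADRiskyUsers
    | where TimeGenerated > ago(riskyUserWindow)
    | summarize arg_max(TimeGenerated, RiskState, RiskLevel) by UserId = Id
    | where RiskState in ("atRisk", "confirmedCompromised")
    | project UserId, CurrentRiskState = RiskState, CurrentRiskLevel = RiskLevel;
AADUserRiskEvents
| where TimeGenerated > ago(lookback)
// Detection type: keep only the leaked-credentials detection.
| where RiskEventType == "leakedCredentials"
// A detection can be logged again when it is updated; keep its newest row.
| summarize arg_max(TimeGenerated, *) by Id
| join kind=inner currentlyRisky on UserId
| project DetectedDateTime, UserPrincipalName, UserId, RiskEventType,
          RiskLevel, CurrentRiskState, CurrentRiskLevel
```

Dropping the `join` gives every leaked-credential detection in the window, including those for users whose risk has since been remediated or dismissed.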
