Risky Signin Analytic Dashboard
When & How to use this dashboard
- Monitoring: select the risk value and leave the user as * for global monitoring
- Threat hunting: expand the time range to find the accounts with highly suspicious activity, then drill down
- User sign-in activity tracking: drill down into a user's sign-in activities by entering a specific account and selecting the corresponding risk value from “Multiselect-Risk Value”
Panel Descriptions
- The panel above uses the fixed “high” risky sign-in condition to present the daily count of accounts with highly suspicious sign-in activity
- The increase/decrease percentage is compared with yesterday's count
- The panel above uses the fixed “Time Range = Last 30 days” condition to present a trend view of the daily count of accounts with highly suspicious sign-in activity over one month
- The panel above uses the Global Time Range and Multiselect-Risk Value conditions to present the top 10 AAD failure/success accounts
- The panel above provides a drilldown of aggregated events when you select one of the top 10 failure/success accounts you are interested in
- The panel above uses the Global Time Range and Multiselect-Risk Value conditions to present the correlation results for every account that has both failure and success sign-in events
- An account with a higher count is more likely to be under attack
- This panel does not apply a top N limit in its condition, so you may observe that the total number of accounts is larger than in the “Top 10” panel
- The Azure AD Audit Event panel provides a drilldown of aggregated AAD audit events when you click the “Suspicious Signin Activity Account”
- The User Identity Information panel provides the user identity information when you click the “Suspicious Signin Activity Account” and presents the lookup results in a table
- The panel above provides a drilldown aggregated event view of the sign-in activities of the selected account, sorted by the time column so that the analyst can identify impossible travel records more clearly
- This sample shows an account with a historical series of highly probable attacks
- The panel above presents the source IPs and a geographic map of the selected account's risky sign-in activities
- Drilldown: click the SourceIP value to propagate the IP address to a CTI enrichment lookup
- The 3 panels above provide a view of the normal sign-in properties of the selected account so that the cybersecurity analyst can compare them with the abnormal drilldown view more clearly
- The panel above uses the fixed “Time Range = Last 30 days” condition to present all failure/success sign-in events in a geographic map view so that the analyst can compare them with the abnormal source location more clearly
- The panels above show how many signatures were detected for the selected user, presented as a pie chart, and provide a drilldown aggregated event view of those alert events
- If “Suspicious Signin Activity Account” presents nothing, the user account might still be under attack (for example password spray or brute force) without success, because no event matches the strict conditions (the account must have both failure and success events within the specified risk value).
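As an added example (not part of this dashboard or its app), the following code reproduces the correlation behind the “Suspicious Signin Activity Account” panel and the day-over-day percentage from the first panel, run over constructed sample sign-in records; the record field names and the two helper functions are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed sample Azure AD sign-in records (not real telemetry). Field names are
# assumed for this example: account, result, risk level, time, source IP.
SAMPLE_SIGNINS = [
    {"user": "alice@example.com", "result": "failure", "risk": "high",   "time": "2024-03-01T08:00:00", "ip": "203.0.113.5"},
    {"user": "alice@example.com", "result": "failure", "risk": "high",   "time": "2024-03-01T08:01:00", "ip": "203.0.113.5"},
    {"user": "alice@example.com", "result": "success", "risk": "high",   "time": "2024-03-01T08:03:00", "ip": "203.0.113.5"},
    {"user": "bob@example.com",   "result": "failure", "risk": "medium", "time": "2024-03-01T09:00:00", "ip": "198.51.100.7"},
    {"user": "bob@example.com",   "result": "failure", "risk": "medium", "time": "2024-03-01T09:00:30", "ip": "198.51.100.7"},
    {"user": "carol@example.com", "result": "success", "risk": "low",    "time": "2024-03-01T10:00:00", "ip": "192.0.2.9"},
    {"user": "carol@example.com", "result": "failure", "risk": "low",    "time": "2024-03-01T10:05:00", "ip": "192.0.2.9"},
]


def suspicious_signin_accounts(events, risk_values):
    """Return {account: {"failure": n, "success": n, "total": n}} for accounts that
    have BOTH failure and success sign-ins within the selected risk values,
    ordered by total count descending (the "higher count" hint in the panel notes).
    No top-N limit is applied, matching the panel description."""
    counts = defaultdict(lambda: {"failure": 0, "success": 0})
    for ev in events:
        if ev["risk"] in risk_values:          # the Multiselect-Risk Value filter
            counts[ev["user"]][ev["result"]] += 1
    # The strict condition: an account with only failures (e.g. an unsuccessful
    # password spray) is dropped here, which is why the panel can show nothing.
    rows = {u: dict(c, total=c["failure"] + c["success"])
            for u, c in counts.items() if c["failure"] and c["success"]}
    return dict(sorted(rows.items(), key=lambda kv: -kv[1]["total"]))


def daily_change_pct(today_count, yesterday_count):
    """Increase/decrease percentage of today's daily count compared with yesterday's."""
    if yesterday_count == 0:
        return None  # no baseline, so no percentage can be shown
    return round((today_count - yesterday_count) / yesterday_count * 100, 1)
```

With the high and medium risk levels selected, only alice is reported (2 failures, 1 success); bob never appears because his sign-ins are failures only.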
Notes
- Not all accounts presented in the “Suspicious Signin Activity Account” panel are true positives, but a higher count may be an indicator and needs a cybersecurity analyst to take a look.