Azure AD Risk Event Reports
To simplify the tracking and monitoring of this detailed information, we’ve introduced a brand-new set of Azure AD risk reports into our product.
These include the following:
Users with leaked credentials
in the dark web. When the service acquires username / password pairs, they are checked against Azure AD users’ current valid credentials. When a match is found, it means that a user’s password has been compromised, and a leaked credentials risk event is created.
Sign-ins from anonymous IP addresses
This report indicates users who have successfully signed in from an IP address that has been identified as an anonymous proxy IP address. These proxies are used by people who want to hide their device’s IP address, and may be used for malicious intent.
Impossible travel to atypical locations
This report is useful for identifying suspicious sign-ins from locations that may be atypical for the user, given past behavior.
Sign-ins from infected devices
This report identifies sign-ins from devices infected with malware. This is determined by correlating IP addresses of the user’s device against IP addresses that were in contact with a bot server.
Sign-ins from IP addresses with suspicious activity
This report indicates the number of failed sign-in attempts, across multiple user accounts, over a short period of time. It’s a strong indicator that accounts are either already compromised or are about to be compromised.
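The pattern this report describes can be approximated over your own exported sign-in records. The following is an added example, not Microsoft's detection logic: the log format, the 5-minute window and the 3-account threshold are assumptions, and the sample records are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed tuning values; the page does not state the service's thresholds.
WINDOW = timedelta(minutes=5)
MIN_ACCOUNTS = 3

# Constructed sample sign-in records: timestamp, source IP, user, result.
SAMPLE_LOG = """\
2024-01-10T09:00:05Z 203.0.113.7 alice@example.com FAILURE
2024-01-10T09:00:40Z 203.0.113.7 bob@example.com FAILURE
2024-01-10T09:01:10Z 198.51.100.20 carol@example.com FAILURE
2024-01-10T09:01:30Z 203.0.113.7 carol@example.com FAILURE
2024-01-10T09:02:00Z 203.0.113.7 dave@example.com SUCCESS
2024-01-10T09:20:00Z 198.51.100.20 carol@example.com FAILURE
2024-01-10T09:45:00Z 198.51.100.20 erin@example.com FAILURE
"""

def parse(line):
    ts, ip, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), ip, user.lower(), result

def suspicious_ips(log_text, window=WINDOW, min_accounts=MIN_ACCOUNTS):
    """Return {ip: sorted accounts} for IPs whose failed sign-ins hit at
    least min_accounts distinct accounts inside one sliding window."""
    recent = defaultdict(deque)   # ip -> deque of (timestamp, user) failures
    flagged = {}
    events = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, ip, user, result in events:
        if result != "FAILURE":
            continue
        q = recent[ip]
        q.append((ts, user))
        # Drop failures that fell out of the window ending at this event.
        while ts - q[0][0] > window:
            q.popleft()
        accounts = {u for _, u in q}
        if len(accounts) >= min_accounts:
            flagged.setdefault(ip, set()).update(accounts)
    return {ip: sorted(users) for ip, users in flagged.items()}

if __name__ == "__main__":
    for ip, users in suspicious_ips(SAMPLE_LOG).items():
        print(f"{ip}: failed sign-ins for {len(users)} accounts: {users}")
```

Repeated failures against a single account from one IP (198.51.100.20 in the sample) are not flagged, because the report is about attempts spread across multiple accounts.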
Sign-ins from unfamiliar locations
This report considers past sign-in locations to determine new / unfamiliar locations. The system stores information about previous locations used by a user, and considers these “familiar” locations. The risk event is triggered when the sign-in occurs from a location that’s not already in the list of familiar locations.