
RiskyDetections-Analyzer

evild3ad edited this page Jul 22, 2024 · 5 revisions

TL;DR

RiskyDetections-Analyzer.ps1 is a PowerShell script that simplifies the analysis of identity-based risk detections from Entra ID Identity Protection, extracted with Microsoft-Extractor-Suite by Invictus-IR.

Fig 1: RiskyDetections-Analyzer
Fig 2: Risky Detections (1)
Fig 3: Risky Detections (2)
Fig 4: Risky Detections (Line Chart)
Fig 5: MITRE ATT&CK Techniques (Stats)
Fig 6: RiskEventType (Stats)
Fig 7: RiskLevel (Stats)
Fig 8: Source (Stats)

mitreTechniques

| ID | Description |
|---|---|
| T1078 | Valid Accounts |
| T1078.004 | Valid Accounts: Cloud Accounts |
| T1090.003 | Proxy: Multi-hop Proxy |
| T1110.001 | Brute Force: Password Guessing |
| T1110.003 | Brute Force: Password Spraying |
| T1114.003 | Email Collection: Email Forwarding Rule |
| T1539 | Steal Web Session Cookie |
| T1564.008 | Hide Artifacts: Email Hiding Rules |
| T1589.001 | Gather Victim Identity Information: Credentials |

RiskDetail

| RiskDetail | Description |
|---|---|
| adminConfirmedSigninCompromised | An administrator marked the sign-in as compromised. |
| adminConfirmedSigninSafe | An administrator marked the sign-in as safe. |
| adminConfirmedUserCompromised | An administrator marked the user as compromised. |
| adminDismissedAllRiskForUser | An administrator dismissed all risk for the user. |
| adminGeneratedTemporaryPassword | An administrator generated a temporary password. |
| aiConfirmedSigninSafe | AI marked the sign-in as safe. |
| hidden | Microsoft Entra ID P2 required. |
| m365DAdminDismissedDetection | Microsoft 365 Defender and Defender for Identity state and reasons returned to Identity Protection. |
| none | None |
| unknownFutureValue | Unknown |
| userPassedMFADrivenByRiskBasedPolicy | A user successfully passed a multifactor authentication that was triggered by a risk-based policy. |
| userPerformedSecuredPasswordChange | A user performed a password change. |
| userPerformedSecuredPasswordReset | A user performed a password reset. |

RiskEventType

| RiskEventType | Description | DetectionTimingType |
|---|---|---|
| adminConfirmedUserCompromised | This detection indicates an admin has selected 'Confirm user compromised' in the Risky users UI or using the riskyUsers API. To see which admin has confirmed this user compromised, check the user's risk history (via UI or API). | offline |
| anomalousToken | This detection indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. | offline, realtime |
| anomalousUserActivity | This risk detection baselines normal administrative user behavior in Microsoft Entra ID, and spots anomalous patterns of behavior like suspicious changes to the directory. The detection is triggered against the administrator making the change or the object that was changed. | ??? |
| anonymizedIPAddress | This detection is discovered using information provided by Microsoft Defender for Cloud Apps. This detection identifies that users were active from an IP address that has been identified as an anonymous proxy IP address. | realtime |
| attackerinTheMiddle | ??? | ??? |
| attemptedPRTAccess | ??? | ??? |
| generic | Indicates that the user was not enabled for Identity Protection. | offline, realtime |
| impossibleTravel | This detection is discovered using information provided by Microsoft Defender for Cloud Apps. This detection identifies user activities (in a single or multiple sessions) originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second. This risk might indicate that a different user is using the same credentials. | ??? |
| investigationsThreatIntelligence | This risk detection type indicates user activity that is unusual for the user or consistent with known attack patterns. This detection is based on Microsoft's internal and external threat intelligence sources. | realtime |
| investigationsThreatIntelligenceSigninLinked | ??? | ??? |
| suspiciousSendingPatterns | ??? | ??? |
| leakedCredentials | This risk detection type indicates that the user's valid credentials have been leaked. When cybercriminals compromise valid passwords of legitimate users, they often share these gathered credentials. This sharing is typically done by posting publicly on the dark web, paste sites, or by trading and selling the credentials on the black market. When the Microsoft leaked credentials service acquires user credentials from the dark web, paste sites, or other sources, they're checked against Microsoft Entra users' current valid credentials to find valid matches. | offline |
| maliciousIPAddress | This detection indicates sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates because of invalid credentials received from the IP address or other IP reputation sources. | offline |
| maliciousIPAddressValidCredentialsBlockedIP | ??? | ??? |
| malwareInfectedIPAddress | Indicates sign-ins from IP addresses infected with malware. Deprecated and no longer generated for new detections. | -/- |
| mcasFinSuspiciousFileAccess | ??? | ??? |
| mcasImpossibleTravel | ??? | ??? |
| mcasSuspiciousInboxManipulationRules | This detection is discovered using information provided by Microsoft Defender for Cloud Apps. This detection looks at your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection might indicate: a user's account is compromised, messages are being intentionally hidden, and the mailbox is being used to distribute spam or malware in your organization. | offline |
| nationStateIP | ??? | realtime |
| newCountry | This detection is discovered using information provided by Microsoft Defender for Cloud Apps. This detection considers past activity locations to determine new and infrequent locations. The anomaly detection engine stores information about previous locations used by users in the organization. | ??? |
| passwordSpray | A password spray attack is where multiple usernames are attacked using common passwords in a unified brute force manner to gain unauthorized access. This risk detection is triggered when a password spray attack has been successfully performed, that is, the attacker successfully authenticated in the detected instance. | offline |
| riskyIPAddress | This detection is discovered by Microsoft Defender for Cloud Apps. Users were active from an IP address that has been identified as an anonymous proxy IP address. | offline |
| suspiciousAPITraffic | This risk detection is reported when abnormal Graph traffic or directory enumeration is observed by a user. Suspicious API traffic might suggest that a user is compromised and conducting reconnaissance in their environment. | ??? |
| suspiciousBrowser | Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser. | ??? |
| suspiciousInboxForwarding | This detection is discovered using information provided by Microsoft Defender for Cloud Apps. This detection looks for suspicious email forwarding rules, for example, if a user created an inbox rule that forwards a copy of all emails to an external address. | ??? |
| suspiciousIPAddress | Identifies logins from IP addresses that are known to be malicious at the time of the sign-in. | ??? |
| suspiciousSendingPatterns | This risk detection type is discovered using information provided by Microsoft Defender for Office (MDO). This alert is generated when someone in your organization has sent suspicious email and is either at risk of being restricted from sending email or has already been restricted from sending email. This detection moves users to medium risk and only fires in organizations that have deployed MDO. This detection is low-volume and is seen infrequently in most organizations. | offline |
| tokenIssuerAnomaly | This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns. | ??? |
| unfamiliarFeatures | This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins, and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP, ASN, location, device, browser, and tenant IP subnet. Newly created users are in a "learning mode" period where the unfamiliar sign-in properties risk detection is turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. The minimum duration is five days. A user can go back into learning mode after a long period of inactivity. | realtime |
| unknownFutureValue | Unknown | -/- |
| unlikelyTravel | This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations might also be atypical for the user, given past behavior. The algorithm takes into account multiple factors including the time between the two sign-ins and the time it would take for the user to travel from the first location to the second. This risk might indicate that a different user is using the same credentials. The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior. | offline |
| userReportedSuspiciousActivity | ??? | ??? |

Note

Real-time detections might not show up in reporting for 5 to 10 minutes.
Offline detections might not show up in reporting for 48 hours.
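As an added example (not code from RiskyDetections-Analyzer.ps1 or Microsoft-Extractor-Suite), the PowerShell below builds the same kind of RiskEventType, RiskLevel, Source and MITRE technique stats as Figs 5-8 from a riskDetections export and applies the 48-hour caveat from the Note. It assumes the export uses the Graph riskDetection property names (riskEventType, riskLevel, source, detectionTimingType, detectedDateTime, mitreTechniques); the sample records and the export timestamp are constructed.

```powershell
# Added example, not part of RiskyDetections-Analyzer.ps1. The records below are
# constructed sample data using Graph riskDetection property names.
$json = @'
[
 {"riskEventType":"unfamiliarFeatures","riskLevel":"medium","riskState":"atRisk","source":"IdentityProtection",
  "detectionTimingType":"realtime","detectedDateTime":"2024-07-20T08:15:00Z","userPrincipalName":"alice@example.com","mitreTechniques":["T1078.004"]},
 {"riskEventType":"passwordSpray","riskLevel":"high","riskState":"atRisk","source":"IdentityProtection",
  "detectionTimingType":"offline","detectedDateTime":"2024-07-21T22:40:00Z","userPrincipalName":"bob@example.com","mitreTechniques":["T1110.003","T1078.004"]},
 {"riskEventType":"anonymizedIPAddress","riskLevel":"low","riskState":"remediated","source":"MicrosoftCloudAppSecurity",
  "detectionTimingType":"realtime","detectedDateTime":"2024-07-19T11:02:00Z","userPrincipalName":"alice@example.com","mitreTechniques":["T1090.003"]}
]
'@
$detections = $json | ConvertFrom-Json

# Technique names taken from the mitreTechniques table on this page
$mitre = @{
  'T1078' = 'Valid Accounts'; 'T1078.004' = 'Valid Accounts: Cloud Accounts'
  'T1090.003' = 'Proxy: Multi-hop Proxy'; 'T1110.001' = 'Brute Force: Password Guessing'
  'T1110.003' = 'Brute Force: Password Spraying'; 'T1114.003' = 'Email Collection: Email Forwarding Rule'
  'T1539' = 'Steal Web Session Cookie'; 'T1564.008' = 'Hide Artifacts: Email Hiding Rules'
  'T1589.001' = 'Gather Victim Identity Information: Credentials'
}

# Counts per RiskEventType, RiskLevel and Source (the views in Fig 6-8)
foreach ($field in 'riskEventType', 'riskLevel', 'source') {
  "== $field =="
  $detections | Group-Object -Property $field | Sort-Object Count -Descending |
    Select-Object @{ n = $field; e = { $_.Name } }, Count | Format-Table -AutoSize
}

# MITRE technique counts (Fig 5): one detection may carry several technique IDs
"== mitreTechniques =="
$detections | ForEach-Object { $_.mitreTechniques } | Group-Object |
  Sort-Object Count -Descending |
  Select-Object @{ n = 'ID'; e = { $_.Name } }, @{ n = 'Description'; e = { $mitre[$_.Name] } }, Count |
  Format-Table -AutoSize

# Caveat from the Note: offline detections may take up to 48 hours to appear.
# If the export was taken less than 48 h after the newest detection, a later
# export can still add offline detections for that window. Export time is constructed.
$exportTime = [DateTimeOffset]::Parse('2024-07-22T09:00:00Z')
$newest = $detections | ForEach-Object { [DateTimeOffset]::Parse($_.detectedDateTime) } |
  Sort-Object -Descending | Select-Object -First 1
$lagHours = [int]$exportTime.Subtract($newest).TotalHours
if ($lagHours -lt 48) {
  "NOTE: newest detection is only $lagHours h older than the export; offline detections may still be missing."
}
```

Point $json at the analyzer's input file (for example with Get-Content -Raw) to run the same summaries over a real export.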

Links

Microsoft Graph - riskDetection resource type
Microsoft Graph Beta - riskDetection resource type
Microsoft Entra ID Protection - What are risk detections?