Our system may detect that the risk event that contributed to the risky user risk score was either:
The user risk was remediated by policy by either:
Our system will dismiss the risk state, and a risk detail of "AI confirmed sign-in safe" will show and no longer contribute to the user's overall risk.

Premium detections are visible only to Azure AD Premium P2 customers. Customers without Azure AD Premium P2 licenses still receive the premium detections, but they'll be titled "additional risk detected".

Sign-in risk

Premium sign-in risk detections

This risk detection type identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior. The algorithm takes into account multiple factors, including the time between the two sign-ins and the time it would have taken for the user to travel from the first location to the second. This risk may indicate that a different user is using the same credentials. The algorithm ignores obvious "false positives" contributing to the impossible travel conditions, such as VPNs and locations regularly used by other users in the organization. The system has an initial learning period of the earliest of 14 days or 10 logins, during which it learns a new user's sign-in behavior.

This detection indicates that there are abnormal characteristics in the token, such as an unusual token lifetime or a token that is played from an unfamiliar location. This detection covers Session Tokens and Refresh Tokens. NOTE: Anomalous token is tuned to incur more noise than other detections at the same risk level. This tradeoff is chosen to increase the likelihood of detecting replayed tokens that may otherwise go unnoticed. Because this is a high-noise detection, there's a higher than normal chance that some of the sessions flagged by this detection are false positives. We recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user. If the location, application, IP address, User Agent, or other characteristics are unexpected for the user, the tenant admin should consider this risk as an indicator of potential token replay.

This risk detection indicates the SAML token issuer for the associated SAML token is potentially compromised. The claims included in the token are unusual or match known attacker patterns.

This risk detection type indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server. This detection matches the IP addresses of the user's device against IP addresses that were in contact with a bot server while the bot server was active. Identity Protection will no longer generate new "Malware linked IP address" detections. Customers who currently have "Malware linked IP address" detections in their tenant will still be able to view, remediate, or dismiss them until the 90-day detection retention time is reached.

Suspicious browser detection indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser.

This risk detection type considers past sign-in history to look for anomalous sign-ins. The system stores information about previous sign-ins and triggers a risk detection when a sign-in occurs with properties that are unfamiliar to the user. These properties can include IP, ASN, location, device, browser, and tenant IP subnet. Newly created users will be in a "learning mode" period, during which the unfamiliar sign-in properties risk detection is turned off while our algorithms learn the user's behavior. The learning mode duration is dynamic and depends on how much time it takes the algorithm to gather enough information about the user's sign-in patterns. A user can go back into learning mode after a long period of inactivity. We also run this detection for basic authentication (or legacy protocols). Because these protocols don't have modern properties such as client ID, there's limited telemetry to reduce false positives. We recommend that our customers move to modern authentication. Unfamiliar sign-in properties can be detected on both interactive and non-interactive sign-ins.
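The unfamiliar sign-in properties logic described above (a per-user history of IP, ASN, location, device and browser; a learning mode during which nothing is flagged; a return to learning mode after long inactivity), as an added Python illustration that is not Microsoft's algorithm or code. The MIN_SIGNINS threshold, the 90-day inactivity gap and the sample sign-ins are assumed, constructed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

PROPERTIES = ("ip", "asn", "location", "device", "browser")  # compared with history

class UnfamiliarPropertiesDetector:
    """Toy model of the 'unfamiliar sign-in properties' detection (not Microsoft's
    algorithm). Assumed: learning mode ends after MIN_SIGNINS sign-ins, and a gap
    longer than INACTIVITY puts the user back into learning mode."""
    MIN_SIGNINS = 5
    INACTIVITY = timedelta(days=90)

    def __init__(self):
        self.seen = defaultdict(lambda: defaultdict(set))  # user -> property -> values
        self.count = defaultdict(int)                      # sign-ins seen per user
        self.last_seen = {}                                # user -> last sign-in time

    def process(self, event):
        user, ts = event["user"], event["ts"]
        last = self.last_seen.get(user)
        if last is not None and ts - last > self.INACTIVITY:
            self.seen[user].clear()   # long inactivity: forget the profile ...
            self.count[user] = 0      # ... and learn the user's behaviour again
        self.last_seen[user] = ts
        learning = self.count[user] < self.MIN_SIGNINS
        unfamiliar = [p for p in PROPERTIES if event[p] not in self.seen[user][p]]
        for p in PROPERTIES:          # every sign-in, flagged or not, extends the history
            self.seen[user][p].add(event[p])
        self.count[user] += 1
        if learning:                  # detection is off while the profile is built
            return "learning"
        return "unfamiliar:" + ",".join(unfamiliar) if unfamiliar else "familiar"

def make_event(ts, ip="203.0.113.10", asn="AS64500", location="Seattle",
               device="laptop-1", browser="Edge"):
    return dict(user="alice", ts=ts, ip=ip, asn=asn, location=location,
                device=device, browser=browser)

# Constructed sample sign-in history for one user.
T0 = datetime(2023, 1, 1, 9, 0)
SAMPLE = [make_event(T0 + timedelta(days=i)) for i in range(5)]        # learning mode
SAMPLE.append(make_event(T0 + timedelta(days=5)))                       # familiar
SAMPLE.append(make_event(T0 + timedelta(days=6), ip="198.51.100.7",
                         asn="AS64501", location="Lagos", browser="Firefox"))
SAMPLE.append(make_event(T0 + timedelta(days=200)))                     # after inactivity

def run_sample():
    det = UnfamiliarPropertiesDetector()
    return [det.process(e) for e in SAMPLE]
```

The seventh sign-in is flagged with the four properties that differ from the profile, while the eighth, after a 194-day gap, is silently absorbed into a fresh learning period; that gap is exactly where a defender should expect reduced coverage.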