Identity and Risk in Azure
One of the things that got me curious as I was wandering through my studies and study notes was the concept of the reports of "risk" in Azure.
Risk can be detected at the user level and at the sign-in level, and there are two types of detection or calculation: real-time and offline. Some risks are considered premium and are available to Azure AD Premium P2 customers only, while others are available to Free and Azure AD Premium P1 customers.
The following URL was very helpful in understanding this:
https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks
This was interesting:
"Suspicious inbox manipulation rules - This detection profiles your environment and triggers alerts when suspicious rules that delete or move messages or folders are set on a user's inbox. This detection may indicate that the user's account is compromised, that messages are being intentionally hidden, and that the mailbox is being used to distribute spam or malware in your organization."
This will detect potential compromise AND those who exhibit the "sketchy" habit of being organized. I will always be on this list - since I love the user inbox rules. Automated reports and alerts that I may be copied on (but not necessarily need to act upon) would be moved to the appropriate folder. As time allows, I would notice the "unread" number and take a look. And they are already sorted into a folder in case I need to use them for researching something. Note that there is a separate item that covers "Suspicious inbox forwarding" which would detect inbox rules that forward everything to an external address. That you won't see on mine. My point with this paragraph is that some (one) of the detections could potentially have a legitimate use. If you work in Security, don't go into reports like this with a sword (assuming malice), but instead read them with a magnifying glass and a Sherlock Holmes hat. Even though this is correlated data, it's still data. It is not "proof" of compromise or malice.
Another interesting item on that page:
"Additional risk detected -- This detection indicates that one of the premium detections was detected. Since the premium detections are visible only to Azure AD Premium P2 customers, they're titled "additional risk detected" for customers without Azure AD Premium P2 licenses."
Since this points to the "value add" for the P2 licenses, I can see this as being involved in some type of question on the exam.
I've always found that if you're trying to remember A vs B, the easiest way is to remember the shorter list and everything else is.... the other one.
For sign-in risk - Anonymous IP address (real-time), Admin confirmed user compromised (offline) and Azure AD Threat Intelligence (offline) are the three non-P2 risk items. Everything else that you know can be detected and reported requires a P2 license.
For user risk detections - Possible attempt to access Primary Refresh Token (PRT) is P2 and everything else is non-P2 (non-premium).
For user detections vs sign-in detections... "Leaked credentials" is only on the USER detections. "Azure AD Threat Intelligence" is on both sign-in AND user detections and is always for EVERYONE (non-P2). It is offline and very vague: "This risk detection type indicates user activity that is unusual for the given user or is consistent with known attack patterns based on Microsoft's internal and external threat intelligence sources."
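To make the "remember the shorter list" rule concrete, here is an added example (not code from the original post or from Microsoft) that encodes the P2 vs non-P2 split described above and applies the two caveats from earlier on the page: an "Additional risk detected" entry is a premium detection the tenant cannot see, and a "Suspicious inbox manipulation rules" entry should be reviewed rather than assumed malicious. The sample records are constructed, and their field names (user, activity, detection, timing, riskLevel) are an assumption chosen to mirror the columns of the Identity Protection risk detections report, not a real API shape.

```python
"""Triage helper for Azure AD Identity Protection risk detections.

Added example, not from the original post or from Microsoft. It encodes the
licensing rules the post lays out (the short list of non-P2 sign-in
detections, the single P2 user detection) plus the post's two caveats about
"Additional risk detected" and "Suspicious inbox manipulation rules".
Input records are constructed; their field names are an assumption that
mirrors the report columns rather than any real API.
"""
from collections import defaultdict

# The post's "shorter list": sign-in detections available without P2.
NON_PREMIUM_SIGNIN = {
    "Anonymous IP address",
    "Admin confirmed user compromised",
    "Azure AD Threat Intelligence",
}
# The post's single P2 user detection; every other user detection is non-P2.
PREMIUM_USER = {"Possible attempt to access Primary Refresh Token (PRT)"}

# Timing the post gives for the three non-P2 sign-in detections.
EXPECTED_TIMING = {
    "Anonymous IP address": "realtime",
    "Admin confirmed user compromised": "offline",
    "Azure AD Threat Intelligence": "offline",
}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2}


def license_tier(activity, detection):
    """Return "P2" or "non-P2" using the post's rule: remember the short
    list for each activity type, and everything else is the other one."""
    if activity == "signin":
        return "non-P2" if detection in NON_PREMIUM_SIGNIN else "P2"
    if activity == "user":
        return "P2" if detection in PREMIUM_USER else "non-P2"
    raise ValueError(f"unknown activity type: {activity!r}")


def annotate(record):
    """Attach the license tier and the analyst notes the post argues for."""
    notes = []
    detection = record["detection"]
    if detection == "Additional risk detected":
        notes.append("premium detection masked by license; the real detection "
                     "type is only visible with Azure AD Premium P2")
    if detection == "Suspicious inbox manipulation rules":
        notes.append("can be ordinary folder sorting; review the actual rules "
                     "before treating this as proof of compromise")
    expected = EXPECTED_TIMING.get(detection)
    if expected and record["timing"] != expected:
        notes.append(f"unexpected timing {record['timing']}, docs say {expected}")
    return {**record, "tier": license_tier(record["activity"], detection),
            "notes": notes}


def triage(records):
    """Group detections by user, highest risk level first within each user."""
    by_user = defaultdict(list)
    for record in records:
        by_user[record["user"]].append(annotate(record))
    for user_records in by_user.values():
        user_records.sort(key=lambda r: RISK_ORDER[r["riskLevel"]])
    return dict(by_user)


def masked_count(records):
    """Count detections a non-P2 tenant sees only as "Additional risk detected"."""
    return sum(1 for r in records if r["detection"] == "Additional risk detected")


# Constructed sample records (not real tenant data).
SAMPLE = [
    {"user": "alice@contoso.example", "activity": "signin",
     "detection": "Anonymous IP address", "timing": "realtime", "riskLevel": "medium"},
    {"user": "alice@contoso.example", "activity": "user",
     "detection": "Leaked credentials", "timing": "offline", "riskLevel": "high"},
    {"user": "bob@contoso.example", "activity": "signin",
     "detection": "Suspicious inbox manipulation rules", "timing": "offline", "riskLevel": "low"},
    {"user": "bob@contoso.example", "activity": "signin",
     "detection": "Additional risk detected", "timing": "offline", "riskLevel": "medium"},
]

if __name__ == "__main__":
    for user, items in triage(SAMPLE).items():
        print(user)
        for item in items:
            print(f"  [{item['riskLevel']:6}] {item['detection']} ({item['tier']})")
            for note in item["notes"]:
                print(f"           note: {note}")
    print(f"detections masked by license: {masked_count(SAMPLE)}")
```

Running the block prints each user's detections ordered by risk level with the tier and notes attached; the masked count is the quickest way to see how much of the report a tenant without P2 is not actually seeing, which is the "value add" the post points to.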
RISK LEVELS
"Identity Protection categorizes risk into three tiers: low, medium, and high."
"While Microsoft doesn't provide specific details about how risk is calculated, we'll say that each level brings higher confidence that the user or sign-in is compromised."
Well, there's a nice how-do-you-do ... Trust us, we know. That's basically what they're saying. I have some mixed feelings about this. Just because someone works at Microsoft, doesn't mean they're the top person to evaluate this. I dealt with this when I worked for a military contractor. Just because someone lived in Colorado and was hired by Headquarters did not mean that they had knowledge/experience that was equal to or better than someone in a unit location. The hierarchy of the military unit did not mirror the hierarchy of the surrounding civilian population. However, Microsoft being a "provider" and therefore seeing the threat landscape across a very large number of tenants does give it the added advantage of seeing something in one location and alerting all the others. Again, this is just data. You have to do the "due diligence" of taking that data and turning it into information.