"Azure Active Directory High Risk Sign-in"

Link to rule
https://www.elastic.co/guide/en/security/current/azure-active-directory-high-risk-sign-in.html

Description
We noticed it's important to also alert on failed outcomes. Customers who don't want failed outcomes can exclude with an exception.

Current query:
event.dataset:azure.signinlogs and
(azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high) and
event.outcome:(success or Success)

Change to:
event.dataset:azure.signinlogs and
(azure.signinlogs.properties.risk_level_during_signin:high or azure.signinlogs.properties.risk_level_aggregated:high)
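The effect of the proposed change on alert coverage, as an added example that is not part of the original issue or of Elastic's rule code: both queries are modelled as Python predicates and run over constructed sign-in events. The flat dotted keys, the event ids, the `failure` outcome value and the `failed_outcome_exception` predicate are assumptions made for illustration.

```python
# Constructed events only; not real Azure sign-in logs.
DATASET = "azure.signinlogs"
DURING = "azure.signinlogs.properties.risk_level_during_signin"
AGGREGATED = "azure.signinlogs.properties.risk_level_aggregated"

def high_risk(ev):
    # Shared clause of both queries: dataset match plus either risk field == high.
    return ev.get("event.dataset") == DATASET and (
        ev.get(DURING) == "high" or ev.get(AGGREGATED) == "high")

def current_query(ev):
    # Mirrors event.outcome:(success or Success) from the current rule.
    return high_risk(ev) and ev.get("event.outcome") in ("success", "Success")

def proposed_query(ev):
    # The proposed rule drops the outcome clause entirely.
    return high_risk(ev)

def failed_outcome_exception(ev):
    # Hypothetical rule exception for teams that do not want failed sign-ins.
    return ev.get("event.outcome") == "failure"

def alerts(events, query, exceptions=()):
    # Ids of events that match the query and are not suppressed by an exception.
    return [ev["id"] for ev in events
            if query(ev) and not any(exc(ev) for exc in exceptions)]

def make_event(eid, outcome=None, during=None, aggregated=None, dataset=DATASET):
    ev = {"id": eid, "event.dataset": dataset}
    for key, value in ((DURING, during), (AGGREGATED, aggregated),
                       ("event.outcome", outcome)):
        if value is not None:
            ev[key] = value
    return ev

EVENTS = [
    make_event("e1", outcome="success", during="high"),
    make_event("e2", outcome="Success", aggregated="high"),
    make_event("e3", outcome="failure", during="high"),        # missed today
    make_event("e4", outcome="failure", during="low", aggregated="medium"),
    make_event("e5", outcome="success", during="high", dataset="azure.auditlogs"),
    make_event("e6", aggregated="high"),                       # no outcome field
]

if __name__ == "__main__":
    print("current :", alerts(EVENTS, current_query))
    print("proposed:", alerts(EVENTS, proposed_query))
    print("proposed + exception:",
          alerts(EVENTS, proposed_query, [failed_outcome_exception]))
```

In this model, adding the exception does not reproduce the current query exactly: the high-risk event with no outcome field (`e6`) still alerts.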