365 Risky Login Detection


Alert title: “Risky Login”

Description: Alerts if a user login event is marked as “Risky” by Microsoft.

Options:

  • It is possible to ignore users
  • It is possible to ignore logins from specific IP addresses

The problem: This alert is triggered if a login is suspected of being “Risky” (potentially fraudulent, unwanted). It might indicate a compromised account.

Impact: If it was not an authorised login, it may be an indication of an account breach (intrusion).

Suggested steps: Engage a technician to confirm that the alert is accurate. If the account has been compromised, take mitigation steps.

CatchBefore it is too late!

Your data is targeted. Safeguard your information with proactive measures.

365 MultiFactor Authentication Status


Alert title: “MultiFactor Authentication Status”

Description: Alerts if a user is detected as being enabled in the system and not having multi-factor authentication administratively enforced (either by site-wide “SecurityDefaults” being enabled, or on a user-by-user basis via a conditional access policy that mentions MFA). It will also alert if the user has not set up MFA yet.

Options:

  • It is possible to ignore specific users
  • It is possible to delay the alert triggering (for new users) by a number of days
  • It is possible to delay the alert triggering (for new users that have never logged in) by a number of days

The problem: This alert is triggered if an enabled user is detected as not having MFA enabled, or not having MFA set up (even if enabled), and it will also alert if MFA is not enforced (even if enabled).

Impact: Any user that can log in should have MFA enabled, set up, and enforced. If they do not, the account (and the data it can access, as well as configuration control) is at a higher risk of access by an unauthorised party.

Suggested steps: Engage a technician to confirm that the alert is accurate. Take steps to ensure that MFA is enabled, set up, and enforced.
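
The decision logic described above (enabled, set up, enforced, plus the ignore and delay options) can be sketched as follows. This is an added example, not the product's own code: the `User` fields, function names and sample accounts are hypothetical, and it assumes the never-logged-in delay replaces the general new-user delay for accounts with no recorded sign-in.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class User:  # hypothetical record; field names are assumptions, not the product's schema
    upn: str
    account_enabled: bool
    created: datetime
    last_sign_in: Optional[datetime]  # None means the user has never logged in
    mfa_enabled: bool
    mfa_set_up: bool    # user has registered an MFA method
    mfa_enforced: bool  # Security Defaults or a conditional access policy requiring MFA

def mfa_findings(user, now, ignored=(), new_user_delay_days=0, never_logged_in_delay_days=0):
    """Return the reasons the alert would fire for one user; an empty list means no alert."""
    if not user.account_enabled:
        return []  # only enabled users are in scope
    if user.upn.lower() in {u.lower() for u in ignored}:
        return []
    # Assumption: the never-logged-in delay replaces the general new-user delay
    # when the account has no recorded sign-in.
    delay = never_logged_in_delay_days if user.last_sign_in is None else new_user_delay_days
    if now - user.created < timedelta(days=delay):
        return []  # still inside the grace period
    checks = [(user.mfa_enabled, "MFA not enabled"),
              (user.mfa_set_up, "MFA not set up"),
              (user.mfa_enforced, "MFA not enforced")]
    return [reason for ok, reason in checks if not ok]

def evaluate(users, now, **options):
    """Map each alerting user to its list of findings."""
    results = {u.upn: mfa_findings(u, now, **options) for u in users}
    return {upn: f for upn, f in results.items() if f}

# Constructed sample data (not real accounts).
NOW = datetime(2024, 6, 1)
USERS = [
    User("alice@example.com", True, datetime(2023, 1, 1), datetime(2024, 5, 30), True, True, True),
    User("bob@example.com", True, datetime(2023, 1, 1), datetime(2024, 5, 30), True, False, True),
    User("carol@example.com", True, datetime(2024, 5, 30), datetime(2024, 5, 31), False, False, False),
    User("dave@example.com", True, datetime(2024, 5, 20), None, True, False, False),
    User("erin@example.com", False, datetime(2022, 1, 1), None, False, False, False),
    User("svc-scan@example.com", True, datetime(2022, 1, 1), datetime(2024, 6, 1), False, False, False),
]

if __name__ == "__main__":
    alerts = evaluate(USERS, NOW, ignored=["SVC-Scan@example.com"],
                      new_user_delay_days=7, never_logged_in_delay_days=14)
    for upn, reasons in alerts.items():
        print(upn, "->", ", ".join(reasons))
```

With the delays set to 7 and 14 days, only the long-standing account that never registered a method alerts; setting both delays to 0 surfaces the new accounts as well.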
