Blog

Suspicious Sign-in Activity

Azure AD Reporting: Suspicious Sign-in Activity

Having complete visibility and control over who is accessing your data in the cloud is a critical part of IT security compliance. Doing this manually creates a lot of overhead for IT administrators, so most companies utilize a management tool that gives them the right level of control over data privacy and security compliance. By using automated tools, IT departments can easily manage user access and maintain a keen eye on any suspicious activities that might be a security issue.

That’s why we introduced some new capabilities in CoreView that help you monitor your Azure AD activity to manage risk and stay ahead of threats.

Sign-ins after multiple failures

This report indicates users who have successfully signed in after multiple, consecutive failed sign-in attempts.

There may be different causes of course, including:

    • User had forgotten their password
    • User is the victim of a successful password guessing brute force attack

This report will show you the number of consecutive failed sign-in attempts made prior to the successful sign-in, along with a timestamp associated with the first successful sign-in. Moreover, by clicking on the ‘Columns’ drop-down menu, you can add or remove information from the audit report. Additional columns available provide information regarding Id and Company Id. The columns can be filtered, and you can also export, save, print, or schedule this report to run at a specific time along with the applied changes and filters.

Additionally, using V-tenants, or RBAC groupings in CoreView, an administrator can specify a set group of users assigned to a regional or business-centric admin so that they can ONLY view user activity reports associated to those corresponding users. The report can also be added to the ‘Favorite Report’ area by clicking on the star icon close the report name. This trick enables administrators to quickly access the most important auditing reports under the first ‘Analyze’ tab when they log into the portal.

sign ins multiple failure

Sign ins from IP addresses with suspicious activity

This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in this case is defined to be an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.

And like the last report, this one is also controlled by RBAC grouping assignments for specific administrators so they can be restricted to view ONLY the users they’re most interested in managing.

sign ins ip address

Sign-ins from multiple geographies

This report includes successful sign-ins from a user where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the timing between the sign-ins to provide more details to the administrator so they can deduce whether it was possible for the user to have traveled between those regions.

There may be different causes for these occurrences:

    • User is sharing their password with other users
    • User is using a remote desktop to launch a web browser for sign-in
    • A hacker has signed in to the account of a user from a different country
    • User is using a VPN or proxy
    • User is signed in from multiple devices at the same time, such as a desktop and a mobile phone, and the IP address of the mobile phone is unusual.

This report will show you the successful sign-in events, together with the time between the sign-ins, the regions where the sign-ins appeared to originate from, and the estimated travel time between those regions. The travel time shown is only an estimate and may be different from the actual travel time between the locations.

sign ins multiple geographies

Sign ins from Infected Devices

This report attempts to identify user devices that may have become infected and are now part of a botnet. We correlate IP addresses of user sign-ins against IP addresses that we know to be in contact with botnet servers.

Recommendation: This report flags IP addresses, not user devices. We recommend that you contact the user and scan all the user’s devices to be certain. It is also possible that a user’s personal device is infected, or that someone other than the user, who was using the same IP address as the user, has an infected device. For more information about how to address malware infections, see the  Malware Protection Center.

sign ins infected devices

Irregular Sign ins

Irregular sign-ins are those that have been identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This may indicate that a hacker has successfully signed in using this account.

Moreover, by clicking ‘Columns’, you can add or remove information from this audit report.

irregular signins

In the top right corner of the table you can also adjust the time interval for the data items shown in the report. By using the drop-down picklist: yesterday, 7, 14, 30, 60 or 90 days, or custom range, it is possible to filter the information quickly.

coloumn data Azure report

Curious to view this report now? If you are already a customer running CoreView you can discover this report under ‘Audit’ tab together with other Azure AD Reports. Otherwise, take advantage of our free 14-day trial to check out the most advanced Office 365 management suite on the market.

New articles are coming. Stay tuned!