Entra ID (Azure AD) Risk Events
Location
Azure Portal > Entra ID > Security > Risk detections (or Microsoft Graph API /identityProtection/riskDetections)
Description
Machine-learning-generated risk detections including anonymous IP usage, impossible travel, malware-linked IPs, password spray detection, leaked credential matches, token anomalies, and suspicious inbox manipulation rules.
Forensic Value
Risk events provide Microsoft threat intelligence context that is not available in raw sign-in logs. A "leaked credentials" detection confirms the user password was found in a breach database. "Anomalous token" detections flag token theft and replay scenarios. Correlating risk event timestamps with sign-in log entries creates a high-confidence timeline of exactly when the identity was compromised and from which infrastructure.
Tools Required
Collection Commands
Graph API
GET https://graph.microsoft.com/v1.0/identityProtection/riskDetections?$filter=detectedDateTime ge 2024-01-01T00:00:00Z&$top=999
Graph API
GET https://graph.microsoft.com/v1.0/identityProtection/riskyUsers?$filter=riskLevel eq 'high'&$top=999
KQL
AADUserRiskEvents | where TimeGenerated > ago(30d) | where RiskLevel == "high" | project TimeGenerated, UserPrincipalName, RiskDetail, RiskEventType, IpAddress, Location
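The collection commands above return risk detections and sign-ins as separate record sets; the Forensic Value section's point is that joining them is what produces a defensible compromise timeline. The following is an added example (not code from the original page or from Microsoft) showing that join offline: it walks constructed sample records shaped like Graph API riskDetections and signIns responses, matches each detection to a sign-in first by correlationId (which both resources carry) and then, as a weaker fallback, by same user and IP within a short window, and reports the earliest-to-latest span of detections that could be tied to a sign-in. The sample users, IPs and ids are invented, and the five-minute fallback window is an assumption, not a Microsoft-defined value.

```python
"""Correlate Entra ID risk detections with sign-in log entries into a timeline.

Added example, not from the original page. Sample records below are constructed
to mirror the shape of Graph API /identityProtection/riskDetections and
/auditLogs/signIns responses; only a few fields of each resource are used.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real tenants, users or IPs).
RISK_DETECTIONS = [
    {"id": "rd-1", "riskEventType": "leakedCredentials", "riskLevel": "high",
     "riskDetail": "none", "detectedDateTime": "2024-03-10T08:15:00Z",
     "activityDateTime": "2024-03-10T08:15:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": None, "correlationId": None},
    {"id": "rd-2", "riskEventType": "anonymizedIPAddress", "riskLevel": "medium",
     "riskDetail": "none", "detectedDateTime": "2024-03-10T09:02:30Z",
     "activityDateTime": "2024-03-10T09:02:10Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "correlationId": "c-100"},
    {"id": "rd-3", "riskEventType": "anomalousToken", "riskLevel": "high",
     "riskDetail": "none", "detectedDateTime": "2024-03-10T09:40:00Z",
     "activityDateTime": "2024-03-10T09:38:50Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "correlationId": None},
]

SIGN_INS = [
    {"id": "si-1", "createdDateTime": "2024-03-10T07:55:00Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "198.51.100.7", "appDisplayName": "Outlook", "correlationId": "c-099",
     "status": {"errorCode": 0}},
    {"id": "si-2", "createdDateTime": "2024-03-10T09:02:10Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "appDisplayName": "Office 365 Exchange Online", "correlationId": "c-100",
     "status": {"errorCode": 0}},
    {"id": "si-3", "createdDateTime": "2024-03-10T09:38:45Z", "userPrincipalName": "alice@example.com",
     "ipAddress": "203.0.113.45", "appDisplayName": "Microsoft Graph", "correlationId": "c-101",
     "status": {"errorCode": 0}},
]


def parse_ts(value):
    # Graph returns ISO 8601 UTC timestamps ending in 'Z'.
    return datetime.fromisoformat(value.replace("Z", "+00:00")).astimezone(timezone.utc)


def match_sign_in(detection, sign_ins, window=timedelta(minutes=5)):
    """Return (sign_in, confidence). A correlationId match is 'high';
    same user + same IP within the window (assumed 5 min) is 'medium';
    a detection with neither (e.g. leakedCredentials, which has no sign-in) gets None."""
    if detection.get("correlationId"):
        for s in sign_ins:
            if s.get("correlationId") == detection["correlationId"]:
                return s, "high"
    if detection.get("ipAddress"):
        when = parse_ts(detection["activityDateTime"])
        for s in sign_ins:
            same_user = s["userPrincipalName"].lower() == detection["userPrincipalName"].lower()
            same_ip = s["ipAddress"] == detection["ipAddress"]
            if same_user and same_ip and abs(parse_ts(s["createdDateTime"]) - when) <= window:
                return s, "medium"
    return None, None


def build_timeline(detections, sign_ins):
    """Merge each detection with its matched sign-in into a time-ordered list of rows."""
    rows = []
    for d in detections:
        s, confidence = match_sign_in(d, sign_ins)
        rows.append({
            "time": d["activityDateTime"],
            "user": d["userPrincipalName"],
            "event": d["riskEventType"],
            "level": d["riskLevel"],
            "ip": d["ipAddress"] or (s["ipAddress"] if s else None),
            "sign_in": s["id"] if s else None,
            "app": s["appDisplayName"] if s else None,
            "confidence": confidence,
        })
    return sorted(rows, key=lambda r: parse_ts(r["time"]))


def compromise_window(timeline):
    """Earliest and latest activity times among detections that tie to a sign-in;
    None when nothing could be anchored to a sign-in."""
    tied = [r for r in timeline if r["sign_in"]]
    if not tied:
        return None
    return tied[0]["time"], tied[-1]["time"]


if __name__ == "__main__":
    timeline = build_timeline(RISK_DETECTIONS, SIGN_INS)
    for row in timeline:
        print(f'{row["time"]}  {row["level"]:6} {row["event"]:20} ip={row["ip"]} '
              f'sign_in={row["sign_in"]} app={row["app"]} confidence={row["confidence"]}')
    print("compromise window:", compromise_window(timeline))
```

Against real tenant data the two input lists would come from the Graph queries above (following @odata.nextLink until exhausted, since $top caps a single page), and the leakedCredentials row is the case to watch: it carries no IP or correlationId because it comes from breach-database matching rather than a sign-in, so it dates the exposure but not the first abuse, which is why the window here is computed only from detections anchored to a sign-in.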
MITRE ATT&CK Techniques
Used in Procedures
Related Blockers
SaaS Audit Logging Not Enabled or Not Licensed
The investigation depends on SaaS audit evidence that was never enabled, is unavailable under the current subscription tier, or requires a higher-privilege admin role than the response team currently has. This creates blind spots for identity abuse, collaboration-platform misuse, and source-code access.
SaaS Audit Retention Expired Before Collection
The response started after the native retention window for Google Workspace, Okta, Slack, GitHub, or similar SaaS evidence had already passed. The necessary events are no longer available in the vendor UI or API even though the underlying accounts and content may still exist.