
Azure Risky Users

This Integration is part of the Azure Risky Users Pack.

Supported versions

Supported Cortex XSOAR versions: 6.0.0 and later.

Azure Risky Users provides access to all at-risk users and risk detections in an Azure AD environment. This integration was integrated and tested with version 1.0 of Microsoft Graph Azure Risky Users.

Self-Deployed Application

To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal.

The application must have the following permissions:

  • IdentityRiskEvent.Read.All
  • IdentityRiskEvent.ReadWrite.All
  • IdentityRiskyUser.Read.All
  • IdentityRiskyUser.ReadWrite.All
  • User.Read

If you want to use the Device Code flow, you must allow public client flows (found under the Authentication section of the app).

Authentication Using the Client Credentials Flow (recommended)

Follow these steps for a self-deployed configuration:

  1. To use a self-configured Azure application, you need to add a new Azure App Registration in the Azure Portal. To add the registration, refer to steps 1-8 of the following Microsoft article.
  2. Select the client-credentials Authentication Type.
  3. Enter your Client/Application ID in the Application ID parameter.
  4. Enter your Client Secret in the Client Secret parameter.
  5. Enter your Tenant ID in the Tenant ID parameter.
  6. Save the instance.
  7. Run the !azure-risky-users-auth-test command - a 'Success' message should be printed to the War Room.

Authentication Using the Device Code Flow

Follow these steps for a self-deployed configuration:

  1. Fill in the required parameters.
  2. Run the !azure-risky-users-auth-start command.
  3. Follow the instructions that appear.
  4. Run the !azure-risky-users-auth-complete command.

At the end of the process you'll see a message that you've logged in successfully.

Cortex XSOAR Application

In order to use the Cortex XSOAR Azure application, use the Client ID (application_id): ec854987-95fa-4c8f-8056-768dd0f409ac.

Authentication Using the Device Code Flow

To connect to Azure Risky Users using the Cortex XSOAR Azure App with Device Code flow authentication, see the device authorization grant flow.

  1. Fill in the required parameters, using the Client ID (application_id) mentioned above.
  2. Run the !azure-risky-users-auth-start command.
  3. Follow the instructions that appear.
  4. Run the !azure-risky-users-auth-complete command.

At the end of the process you'll see a message that you've logged in successfully.

Configure AzureRiskyUsers on Cortex XSOAR

  1. Navigate to Settings > Integrations > Servers & Services.
  2. Search for AzureRiskyUsers.
  3. Click Add instance to create and configure a new integration instance.

     | Parameter | Required |
     | --- | --- |
     | Client ID | True |
     | Authentication Type | True |
     | Tenant ID (for Client Credentials mode) | False |
     | Client Secret (for Client Credentials mode) | False |
     | Azure Managed Identities Client ID | False |
     | Use system proxy | False |
     | Trust any certificate | False |

  4. Click Test to validate the URLs, token, and connection.

Commands

You can execute these commands from the Cortex XSOAR CLI, as part of an automation, or in a playbook. After you successfully execute a command, a DBot message appears in the War Room with the command details.

azure-risky-users-auth-test

Tests the connectivity to Azure.

Base Command

azure-risky-users-auth-test

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-risky-users-auth-test

Human Readable Output

Success!

azure-risky-users-auth-start

Run this command to start the authorization process and follow the instructions in the command results.

Base Command

azure-risky-users-auth-start

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-risky-users-auth-start

Human Readable Output

Authorization instructions

  1. To sign in, use a web browser to open the page https://microsoft.com/devicelogin and enter the code XXXXX to authenticate.
  2. Run the !azure-risky-users-auth-complete command in the War Room.

azure-risky-users-auth-complete

Run this command to complete the authorization process. It should be used after running the azure-risky-users-auth-start command.

Base Command

azure-risky-users-auth-complete

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-risky-users-auth-complete

Human Readable Output

Authorization completed successfully.

azure-risky-users-auth-reset

Run this command if for some reason you need to rerun the authentication process.

Base Command

azure-risky-users-auth-reset

Input

There are no input arguments for this command.

Context Output

There is no context output for this command.

Command Example

!azure-risky-users-auth-reset

Human Readable Output

Authorization was reset successfully. Run !azure-risky-users-auth-start to start the authentication process.

azure-risky-users-list

Returns a list of all risky users and their properties.

Base Command

azure-risky-users-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| risk_state | Sets the Risk State to retrieve. Possible values are: atRisk, confirmedCompromised, remediated, dismissed. | Optional |
| limit | Limit of results to retrieve. Default is 50. | Optional |
| page | Page number. | Optional |
| page_size | Amount of results per request. Value can be between 1 and 500. When only page_size is given, the first page results will be fetched. | Optional |
| next_token | The URL for the next set of items to return during pagination. (This URL can be retrieved from a previous call.) | Optional |
| risk_level | Sets the Risk Level to retrieve. Possible values are: low, medium, high. | Optional |
| order_by | The method used to order the retrieved results. Possible values are: riskLastUpdatedDateTime desc, riskLastUpdatedDateTime asc. Default is riskLastUpdatedDateTime desc. | Optional |
| updated_before | Displays all RiskyUsers before a specific datetime. For example "2024-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours". | Optional |
| updated_after | Displays all RiskyUsers after a specific datetime. For example "2024-02-27T04:49:26.257525Z", "10 days", "5 months", "2 hours". | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureRiskyUsers.RiskyUser.id | String | Unique ID of the user at risk. |
| AzureRiskyUsers.RiskyUser.userDisplayName | String | Risky user display name. |
| AzureRiskyUsers.RiskyUser.userPrincipalName | String | Risky user principal name. |
| AzureRiskyUsers.RiskyUser.riskLevel | String | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| AzureRiskyUsers.RiskyUser.riskState | String | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised. |
| AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime | Date | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskyUser.isDeleted | Boolean | Indicates whether the user is deleted. |
| AzureRiskyUsers.RiskyUser.isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
| AzureRiskyUsers.RiskyUser.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| AzureRiskyUsers.RiskyUserListNextToken | String | A property in the response that contains a URL to the next page of results. |
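The following added example (not the integration's own code) shows how the azure-risky-users-list arguments above map onto a Microsoft Graph v1.0 identityProtection/riskyUsers query, and how a next_token (an @odata.nextLink URL) is followed without leaving graph.microsoft.com. The Graph endpoint is the one the context examples on this page reference; fake_fetch, the two-page response and SAMPLE_NOW are constructed stand-ins.

```python
from datetime import datetime, timedelta
from urllib.parse import urlencode, urlparse
import re

GRAPH = "https://graph.microsoft.com/v1.0/identityProtection/riskyUsers"
RISK_STATES = {"atRisk", "confirmedCompromised", "remediated", "dismissed"}
RISK_LEVELS = {"low", "medium", "high"}
ORDER_BY = {"riskLastUpdatedDateTime desc", "riskLastUpdatedDateTime asc"}
_RELATIVE = re.compile(r"^(\d+)\s+(hour|day|month)s?$")
SAMPLE_NOW = datetime(2024, 2, 27, 4, 49, 26)  # constructed "now" so relative times are reproducible


def to_utc(value, now=SAMPLE_NOW):
    """Resolve an ISO-8601 UTC timestamp or a relative "N hours/days/months" string."""
    m = _RELATIVE.match(value.strip())
    if m:
        n, unit = int(m.group(1)), m.group(2)
        delta = {"hour": timedelta(hours=n), "day": timedelta(days=n),
                 "month": timedelta(days=30 * n)}[unit]  # month approximated as 30 days
        return (now - delta).strftime("%Y-%m-%dT%H:%M:%SZ")
    datetime.strptime(value[:19], "%Y-%m-%dT%H:%M:%S")  # validate; raises on garbage
    return value


def build_url(args, now=SAMPLE_NOW):
    """Translate the command's arguments into one Graph v1.0 riskyUsers request URL."""
    clauses = []
    if "risk_state" in args:
        if args["risk_state"] not in RISK_STATES:
            raise ValueError("unsupported risk_state")
        clauses.append(f"riskState eq '{args['risk_state']}'")
    if "risk_level" in args:
        if args["risk_level"] not in RISK_LEVELS:
            raise ValueError("unsupported risk_level")
        clauses.append(f"riskLevel eq '{args['risk_level']}'")
    if "updated_after" in args:
        clauses.append("riskLastUpdatedDateTime gt " + to_utc(args["updated_after"], now))
    if "updated_before" in args:
        clauses.append("riskLastUpdatedDateTime lt " + to_utc(args["updated_before"], now))
    page_size = int(args.get("page_size", 50))
    if not 1 <= page_size <= 500:  # the documented bound for page_size
        raise ValueError("page_size must be between 1 and 500")
    order_by = args.get("order_by", "riskLastUpdatedDateTime desc")
    if order_by not in ORDER_BY:
        raise ValueError("unsupported order_by")
    params = {"$top": page_size, "$orderby": order_by}
    if clauses:
        params["$filter"] = " and ".join(clauses)
    return GRAPH + "?" + urlencode(params)


def list_risky_users(url, fetch, max_pages=10):
    """Follow @odata.nextLink (the command's next_token), but only back to Graph."""
    users, pages = [], 0
    while url and pages < max_pages:
        if urlparse(url).hostname != "graph.microsoft.com":  # a token is a URL: never follow it elsewhere
            raise ValueError("refusing to follow next link off graph.microsoft.com")
        body = fetch(url)
        users.extend(body.get("value", []))
        url = body.get("@odata.nextLink")
        pages += 1
    return users, url  # url is the leftover next_token when max_pages was reached


# Constructed two-page response shaped like the context example above.
_PAGE2 = GRAPH + "?$skiptoken=constructed"


def fake_fetch(url):
    """Offline stand-in for an authenticated GET; any query URL yields page one."""
    if url == _PAGE2:
        return {"value": [{"id": "ID_2", "riskLevel": "high", "riskState": "atRisk"}]}
    return {"value": [{"id": "ID_1", "riskLevel": "medium", "riskState": "atRisk"}],
            "@odata.nextLink": _PAGE2}
```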

Command example

!azure-risky-users-list page_size=2

Context Example

```json
{
    "AzureRiskyUsers": {
        "RiskyUser": [
            {
                "id": "ID_1",
                "isDeleted": false,
                "isProcessing": false,
                "riskDetail": "none",
                "riskLastUpdatedDateTime": "2023-06-04T10:12:39.3625926Z",
                "riskLevel": "medium",
                "riskState": "atRisk",
                "userDisplayName": "user Display Name",
                "userPrincipalName": "User Principal Name"
            },
            {
                "id": "ID_2",
                "isDeleted": false,
                "isProcessing": false,
                "riskDetail": "none",
                "riskLastUpdatedDateTime": "2022-02-23T17:50:40.3408199Z",
                "riskLevel": "high",
                "riskState": "atRisk",
                "userDisplayName": "user Display Name",
                "userPrincipalName": "User Principal Name"
            }
        ],
        "RiskyUserListNextToken": "token"
    }
}
```

Human Readable Output

Risky Users List:

| Id | User Display Name | User Principal Name | Risk Level | Risk State | Risk Detail | Risk Last Updated Date Time |
| --- | --- | --- | --- | --- | --- | --- |
| ID_1 | user Display Name | User Principal Name | medium | atRisk | none | 2023-06-04T10:12:39.3625926Z |
| ID_2 | user Display Name | User Principal Name | high | atRisk | none | 2022-02-23T17:50:40.3408199Z |

Risky Users List Token:

| next_token |
| --- |
| token |

azure-risky-user-get

Retrieve properties and relationships of a Risky User.

Base Command

azure-risky-user-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | Risky user ID to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureRiskyUsers.RiskyUser.id | String | Unique ID of the user at risk. |
| AzureRiskyUsers.RiskyUser.userDisplayName | String | Risky user display name. |
| AzureRiskyUsers.RiskyUser.userPrincipalName | String | Risky user principal name. |
| AzureRiskyUsers.RiskyUser.riskLevel | String | Level of the detected risky user. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| AzureRiskyUsers.RiskyUser.riskState | String | State of the user's risk. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised. |
| AzureRiskyUsers.RiskyUser.riskLastUpdatedDateTime | Date | The date and time that the risky user was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 would look like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskyUser.isDeleted | Boolean | Indicates whether the user is deleted. |
| AzureRiskyUsers.RiskyUser.isProcessing | Boolean | Indicates whether a user's risky state is being processed by the backend. |
| AzureRiskyUsers.RiskyUser.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |

Command Example

!azure-risky-user-get id=333

Context Example

```json
{
    "AzureRiskyUsers": {
        "RiskyUser": {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskyUsers/$entity",
            "id": "333",
            "isDeleted": false,
            "isProcessing": false,
            "riskDetail": "userPerformedSecuredPasswordReset",
            "riskLastUpdatedDateTime": "2020-10-05T12:12:17.2115592Z",
            "riskLevel": "none",
            "riskState": "remediated",
            "userDisplayName": "Yossi Israeli",
            "userPrincipalName": "yossi@test.com"
        }
    }
}
```

Human Readable Output

Found Risky User With ID: 333

| Id | User Display Name | User Principal Name | Risk Level | Risk State | Risk Detail | Risk Last Updated Date Time |
| --- | --- | --- | --- | --- | --- | --- |
| 333 | Yossi Israeli | yossi@test.com | none | remediated | userPerformedSecuredPasswordReset | 2020-10-05T12:12:17.2115592Z |

azure-risky-users-risk-detections-list

Get a list of the riskDetection objects and their properties.

Base Command

azure-risky-users-risk-detections-list

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| limit | Limit of results to retrieve. Default is 50. | Optional |
| page | Page number. Default is 1. | Optional |
| risk_state | Risk State to retrieve. If not specified, all states will be retrieved. Possible values are: atRisk, confirmedCompromised, remediated, dismissed, confirmedSafe. | Optional |
| risk_level | Specify to get only results with the same Risk Level. Possible values are: low, medium, high. | Optional |
| detected_date_time_before | Filter for events created before a specific date and time, e.g. 2022-06-09T23:00:44.7420905Z. | Optional |
| detected_date_time_after | Filter for events created after a specific date and time, e.g. 2022-06-09T23:00:44.7420905Z. | Optional |
| order_by | The method used to order the retrieved results. | Optional |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureRiskyUsers.RiskDetection.id | String | Unique ID of the risk detection. Inherited from entity. |
| AzureRiskyUsers.RiskDetection.userId | String | Unique ID of the user. |
| AzureRiskyUsers.RiskDetection.userDisplayName | String | The user display name of the user. |
| AzureRiskyUsers.RiskDetection.userPrincipalName | String | The user principal name (UPN) of the user. |
| AzureRiskyUsers.RiskDetection.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.riskEventType | String | The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, the value will be generic. |
| AzureRiskyUsers.RiskDetection.riskLevel | String | Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.riskState | String | The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.ipAddress | String | Provides the IP address of the client from where the risk occurred. |
| AzureRiskyUsers.RiskDetection.source | String | Source of the risk detection. For example, activeDirectory. |
| AzureRiskyUsers.RiskDetection.detectionTimingType | String | Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.lastUpdatedDateTime | Date | Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.location | String | Location of the sign-in. |
| AzureRiskyUsers.RiskDetection.activity | String | Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.activityDateTime | Date | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.additionalInfo | String | Additional information associated with the risk detection in JSON format. |
| AzureRiskyUsers.RiskDetection.correlationId | String | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| AzureRiskyUsers.RiskDetection.detectedDateTime | Date | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.requestId | String | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| AzureRiskyUsers.RiskDetection.tokenIssuerType | String | Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue. |
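As an added example, not part of the integration, the helpers below normalize riskDetection records of the shape documented above: they parse the JSON string carried in additionalInfo, flatten the nested location, treat only atRisk and confirmedCompromised as still open, and summarize open detections per user for follow-up. The sample records are constructed: the first mirrors the remediated sign-in detection in the context example on this page, the second is a made-up user-level detection (no sign-in, so correlationId, ipAddress and location are null).

```python
import json
from collections import defaultdict

# Constructed detections in the shape of the context output above.
SAMPLE_DETECTIONS = [
    {"id": "555", "userId": "777", "userPrincipalName": "ShalevI@test.com",
     "riskEventType": "unfamiliarFeatures", "riskLevel": "low", "riskState": "remediated",
     "riskDetail": "userPassedMFADrivenByRiskBasedPolicy", "ipAddress": "1.1.1.1",
     "activity": "signin", "correlationId": "aaaa1111", "detectionTimingType": "realtime",
     "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9)\"}]",
     "location": {"city": "Pisgat Ze'ev", "state": "Yerushalayim", "countryOrRegion": "IL"}},
    {"id": "CONSTRUCTED_1", "userId": "999", "userPrincipalName": "SvetlanaI@test.com",
     "riskEventType": "leakedCredentials", "riskLevel": "high", "riskState": "atRisk",
     "riskDetail": "none", "ipAddress": None, "activity": "user", "correlationId": None,
     "detectionTimingType": "offline", "additionalInfo": None, "location": None},
]

OPEN_STATES = {"atRisk", "confirmedCompromised"}  # remediated/dismissed/confirmedSafe/none are closed
SEVERITY = {"high": 3, "medium": 2, "low": 1, "hidden": 0, "none": 0, "unknownFutureValue": 0}


def parse_additional_info(raw):
    """additionalInfo is a JSON string holding a list of {"Key": ..., "Value": ...} pairs."""
    if not raw:
        return {}
    try:
        pairs = json.loads(raw)
    except ValueError:
        return {"_unparsed": raw}  # keep the evidence rather than dropping it silently
    return {p.get("Key"): p.get("Value") for p in pairs if isinstance(p, dict)}


def flatten_location(loc):
    """Collapse the nested location object into one string (None for user-level risk)."""
    if not loc:
        return None
    parts = [loc.get(k) for k in ("city", "state", "countryOrRegion")]
    return ", ".join(p for p in parts if p)


def normalize(det):
    """Flatten one riskDetection into the fields an analyst compares across events."""
    return {
        "id": det["id"],
        "user": det.get("userPrincipalName"),
        "open": det.get("riskState") in OPEN_STATES,
        "severity": SEVERITY.get(det.get("riskLevel"), 0),
        "event": det.get("riskEventType"),
        "sign_in_linked": det.get("correlationId") is not None,  # null when not tied to a sign-in
        "ip": det.get("ipAddress"),
        "where": flatten_location(det.get("location")),
        "user_agent": parse_additional_info(det.get("additionalInfo")).get("userAgent"),
    }


def open_by_user(detections):
    """Per user: highest open severity and the open event types, for prioritising follow-up."""
    summary = defaultdict(lambda: {"max_severity": 0, "events": set()})
    for n in map(normalize, detections):
        if n["open"]:
            entry = summary[n["user"]]
            entry["max_severity"] = max(entry["max_severity"], n["severity"])
            entry["events"].add(n["event"])
    return dict(summary)
```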

Command Example

!azure-risky-users-risk-detections-list limit=2

Context Example

```json
{
    "AzureRiskyUsers": {
        "RiskDetection": [
            {
                "activity": "signin",
                "activityDateTime": "2021-06-20T03:51:32.9572792Z",
                "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; VKY-L29 Build/HUAWEIVKY-L29) ;VKY-L29\"}]",
                "correlationId": "aaaa1111",
                "detectedDateTime": "2021-06-20T03:51:32.9572792Z",
                "detectionTimingType": "realtime",
                "id": "555",
                "ipAddress": "1.1.1.1",
                "lastUpdatedDateTime": "2021-06-20T03:53:58.853418Z",
                "location": {
                    "city": "Pisgat Ze'ev",
                    "countryOrRegion": "IL",
                    "geoCoordinates": {
                        "latitude": 31,
                        "longitude": 35
                    },
                    "state": "Yerushalayim"
                },
                "requestId": "bbbb1111",
                "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
                "riskEventType": "unfamiliarFeatures",
                "riskLevel": "low",
                "riskState": "remediated",
                "source": "IdentityProtection",
                "tokenIssuerType": "AzureAD",
                "userDisplayName": "Shalev Israeli",
                "userId": "777",
                "userPrincipalName": "ShalevI@test.com"
            },
            {
                "activity": "signin",
                "activityDateTime": "2021-06-27T19:16:19.9976898Z",
                "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; SM-G950F Build/PPR1.180610.011) ;SM-G950F\"}]",
                "correlationId": "aaaa2222",
                "detectedDateTime": "2021-06-27T19:16:19.9976898Z",
                "detectionTimingType": "realtime",
                "id": "888",
                "ipAddress": "1.1.1.1",
                "lastUpdatedDateTime": "2021-06-27T19:19:44.4975416Z",
                "location": {
                    "city": "Dniprodzerzhyns'k",
                    "countryOrRegion": "UA",
                    "geoCoordinates": {
                        "latitude": 48,
                        "longitude": 34
                    },
                    "state": "Dnipropetrovs'ka Oblast'"
                },
                "requestId": "bbbb2222",
                "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
                "riskEventType": "unfamiliarFeatures",
                "riskLevel": "low",
                "riskState": "remediated",
                "source": "IdentityProtection",
                "tokenIssuerType": "AzureAD",
                "userDisplayName": "Svetlana Israeli",
                "userId": "999",
                "userPrincipalName": "SvetlanaI@test.com"
            }
        ]
    }
}
```

Human Readable Output

Risk Detections List

Current page size: 2 Showing page 1 out others that may exist

| Id | User Id | User Display Name | User Principal Name | Risk Detail | Risk Event Type | Risk Level | Risk State | Risk Detail | Last Updated Date Time | Ip Address |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 555 | 777 | Shalev Israeli | ShalevI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | userPassedMFADrivenByRiskBasedPolicy | 2021-06-20T03:53:58.853418Z | 1.1.1.1 |
| 888 | 999 | Svetlana Israeli | SvetlanaI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | userPassedMFADrivenByRiskBasedPolicy | 2021-06-27T19:19:44.4975416Z | 1.1.1.1 |

azure-risky-users-risk-detection-get

Read the properties and relationships of a riskDetection object.

Base Command

azure-risky-users-risk-detection-get

Input

| Argument Name | Description | Required |
| --- | --- | --- |
| id | ID of risk detection to retrieve. | Required |

Context Output

| Path | Type | Description |
| --- | --- | --- |
| AzureRiskyUsers.RiskDetection.id | String | Unique ID of the risk detection. Inherited from entity. |
| AzureRiskyUsers.RiskDetection.userId | String | Unique ID of the user. |
| AzureRiskyUsers.RiskDetection.userDisplayName | String | The user display name of the user. |
| AzureRiskyUsers.RiskDetection.userPrincipalName | String | The user principal name (UPN) of the user. |
| AzureRiskyUsers.RiskDetection.riskDetail | String | Details of the detected risk. Possible values are: none, adminGeneratedTemporaryPassword, userPerformedSecuredPasswordChange, userPerformedSecuredPasswordReset, adminConfirmedSigninSafe, aiConfirmedSigninSafe, userPassedMFADrivenByRiskBasedPolicy, adminDismissedAllRiskForUser, adminConfirmedSigninCompromised, hidden, adminConfirmedUserCompromised, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.riskEventType | String | The type of risk event detected. The possible values are unlikelyTravel, anonymizedIPAddress, maliciousIPAddress, unfamiliarFeatures, malwareInfectedIPAddress, suspiciousIPAddress, leakedCredentials, investigationsThreatIntelligence, generic, adminConfirmedUserCompromised, mcasImpossibleTravel, mcasSuspiciousInboxManipulationRules, investigationsThreatIntelligenceSigninLinked, maliciousIPAddressValidCredentialsBlockedIP, and unknownFutureValue. If the risk detection is a premium detection, the value will be generic. |
| AzureRiskyUsers.RiskDetection.riskLevel | String | Level of the detected risk. Possible values are: low, medium, high, hidden, none, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.riskState | String | The state of a detected risky user or sign-in. Possible values are: none, confirmedSafe, remediated, dismissed, atRisk, confirmedCompromised, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.ipAddress | String | Provides the IP address of the client from where the risk occurred. |
| AzureRiskyUsers.RiskDetection.source | String | Source of the risk detection. For example, activeDirectory. |
| AzureRiskyUsers.RiskDetection.detectionTimingType | String | Timing of the detected risk (real-time/offline). Possible values are: notDefined, realtime, nearRealtime, offline, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.lastUpdatedDateTime | Date | Date and time that the risk detection was last updated. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.location | String | Location of the sign-in. |
| AzureRiskyUsers.RiskDetection.activity | String | Indicates the activity type the detected risk is linked to. Possible values are: signin, user, unknownFutureValue. |
| AzureRiskyUsers.RiskDetection.activityDateTime | Date | Date and time that the risky activity occurred. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.additionalInfo | String | Additional information associated with the risk detection in JSON format. |
| AzureRiskyUsers.RiskDetection.correlationId | String | Correlation ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| AzureRiskyUsers.RiskDetection.detectedDateTime | Date | Date and time that the risk was detected. The DateTimeOffset type represents date and time information using ISO 8601 format and is always in UTC time. For example, midnight UTC on Jan 1, 2014 looks like this: 2014-01-01T00:00:00Z. |
| AzureRiskyUsers.RiskDetection.requestId | String | Request ID of the sign-in associated with the risk detection. This property is null if the risk detection is not associated with a sign-in. |
| AzureRiskyUsers.RiskDetection.tokenIssuerType | String | Indicates the type of token issuer for the detected sign-in risk. Possible values are: AzureAD, ADFederationServices, UnknownFutureValue. |

Command Example

!azure-risky-users-risk-detection-get id=6565

Context Example

```json
{
    "AzureRiskyUsers": {
        "RiskDetection": {
            "@odata.context": "https://graph.microsoft.com/v1.0/$metadata#identityProtection/riskDetections/$entity",
            "activity": "signin",
            "activityDateTime": "2021-07-03T13:35:38.8773806Z",
            "additionalInfo": "[{\"Key\":\"userAgent\",\"Value\":\"Dalvik/2.1.0 (Linux; U; Android 9; SM-G950F Build/PPR1.180610.011) ;SM-G950F\"}]",
            "correlationId": "aaaa3333",
            "detectedDateTime": "2021-07-03T13:35:38.8773806Z",
            "detectionTimingType": "realtime",
            "id": "6565",
            "ipAddress": "3.3.3.3",
            "lastUpdatedDateTime": "2021-07-03T13:38:04.6531838Z",
            "location": {
                "city": "Lviv",
                "countryOrRegion": "UA",
                "geoCoordinates": {
                    "latitude": 49,
                    "longitude": 24
                },
                "state": "L'vivs'ka Oblast'"
            },
            "requestId": "bbbb33333",
            "riskDetail": "userPassedMFADrivenByRiskBasedPolicy",
            "riskEventType": "unfamiliarFeatures",
            "riskLevel": "low",
            "riskState": "remediated",
            "source": "IdentityProtection",
            "tokenIssuerType": "AzureAD",
            "userDisplayName": "Svetlana Israeli",
            "userId": "999",
            "userPrincipalName": "SvetlanaI@test.com"
        }
    }
}
```

Human Readable Output

Found Risk Detection with ID: 6565

| Id | User Id | User Display Name | User Principal Name | Risk Detail | Risk Event Type | Risk Level | Risk State | Ip Address | Detection Timing Type | Last Updated Date Time | Location |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| 6565 | 999 | Svetlana Israeli | SvetlanaI@test.com | userPassedMFADrivenByRiskBasedPolicy | unfamiliarFeatures | low | remediated | 3.3.3.3 | realtime | 2021-07-03T13:38:04.6531838Z | city: Lviv, state: L'vivs'ka Oblast', countryOrRegion: UA, geoCoordinates: {"latitude": 49, "longitude": 24} |