
False Positives from "Correlate Unfamiliar sign-in properties & atypical travel alerts" When Changing User Risk #11510

Closed
quantumburnz opened this issue Nov 29, 2024 · 6 comments · May be fixed by #11538

@quantumburnz

Describe the bug
When an admin marks a user safe, dismisses risk, etc. in Entra, a new record is created in the SecurityAlert table. The time between when an Entra Risk Alert is generated and when an Admin takes action on the Risk alert can lead to a (sometimes significant) time difference between the TimeGenerated and StartTime/EndTime fields. The "Correlate Unfamiliar sign-in properties & atypical travel alerts" logic triggers an alert if the TimeGenerated of the alerts is less than or equal to TimeDeltaInMinutes; however, the StartTime/EndTime fields, which are the times actually associated with the user event, can be very different.

To Reproduce
Steps to reproduce the behavior:

  1. Mark User Safe, Dismiss risk, etc. in Entra
  2. False Positive "Correlate Unfamiliar sign-in properties & atypical travel alerts" will be triggered

Expected behavior
Alert should only be triggered based upon user activity, not Admin actions in Entra.

Additional context
I think the best way to fix this is to exclude events where the Comments field starts with "Risk detail: Admin", sample KQL:

```kql
SecurityAlert
// ExtendedProperties is a JSON string; parse it before reading Comments
| extend ExtendedProperties_json = parse_json(ExtendedProperties)
| extend Comments = tostring(ExtendedProperties_json.Comments)
| where Comments !startswith "Risk detail: Admin"
```
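To show where that exclusion sits in a correlation of the two alert types, here is an added example; it is not the shipped analytic rule or the PR's query. The SecurityAlert columns (ExtendedProperties, StartTime, EndTime, AlertName, ProductName, SystemAlertId) are the table's schema, while the ProductName value, the "User Account" property name and the 10-minute window are assumptions.

```kql
// Added example, not the repository's rule. Window and string values are assumed.
let TimeDeltaInMinutes = 10;
let RiskAlerts = SecurityAlert
    | where ProductName == "Azure Active Directory Identity Protection"   // assumed value
    | extend ExtendedProperties_json = parse_json(ExtendedProperties)
    | extend Comments = tostring(ExtendedProperties_json.Comments)
    // Records written back when an admin confirms safe / dismisses risk carry a
    // "Risk detail: Admin..." comment; drop them so admin actions cannot pair up.
    | where Comments !startswith "Risk detail: Admin"
    | extend UserPrincipalName = tostring(ExtendedProperties_json["User Account"])  // assumed property name
    | project TimeGenerated, StartTime, EndTime, AlertName, UserPrincipalName, SystemAlertId;
let Unfamiliar = RiskAlerts | where AlertName has "Unfamiliar sign-in properties";
let Atypical   = RiskAlerts | where AlertName has "Atypical travel";
Unfamiliar
// Right-side columns with the same name get the "1" suffix (TimeGenerated1, ...)
| join kind=inner Atypical on UserPrincipalName
// Same comparison the report describes: alert generation times within the window
| where abs(datetime_diff("minute", TimeGenerated, TimeGenerated1)) <= TimeDeltaInMinutes
| project UserPrincipalName,
          UnfamiliarAlertId = SystemAlertId, UnfamiliarEventStart = StartTime,
          AtypicalAlertId = SystemAlertId1, AtypicalEventStart = StartTime1,
          UnfamiliarGenerated = TimeGenerated, AtypicalGenerated = TimeGenerated1
```

Projecting StartTime beside TimeGenerated lets an analyst see the gap the report describes when triaging a match.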

@v-visodadasi
Contributor

Hi @quantumburnz, thanks for flagging this issue; we will investigate it and get back to you with some updates. Thanks!

@v-visodadasi
Contributor

Hi @quantumburnz, CorrelateIPC_Unfamiliar-Atypical.txt
I have made some adjustments based on your feedback. Could you please review the changes and let us know if everything meets your expectations?

@v-visodadasi
Contributor

Hi @quantumburnz, could you please review the changes and let us know?

@quantumburnz
Author

Hi @v-visodadasi, thanks for making this change. It looks like you implemented my suggestion, and I'm good with this if you think this change makes sense as well.

@v-visodadasi
Contributor

Hi @quantumburnz, thank you for your confirmation. We have raised a Draft PR with these changes and it will get reviewed by our PR review team. As your issue has been resolved, we are closing this issue.
Thanks!

@v-visodadasi
Contributor

Hey @quantumburnz, could you please share logs for the "Security Alert" and "IdentityInfo" tables to test?
