Microsoft Security Graph risk indicators
Microsoft Security Graph receives data from the Azure AD Identity Protection or Windows Defender Advanced Threat Protection security providers, and sends the information to Citrix Analytics.
Azure AD Identity Protection triggers the following risk indicators and sends the information to Microsoft Security Graph:
Sign-ins from anonymous IP addresses
Impossible travel to atypical locations
Users with leaked credentials
Sign-ins from infected devices
Sign-ins from IP addresses with suspicious activity
Sign-ins from unfamiliar locations
For information about Windows Defender ATP, see Windows Defender Advanced Thread Protection.
How to analyze Microsoft Security Graph risk indicators
Consider a user Maria Brown who exhibits one of the above risky behaviors. Microsoft detects the incident and generates an alert. Citrix Analytics retrieves this alert and assigns an updated risk score to Maria Brown. You receive a notification in the Alerts panel. Also, the appropriate risk indicator is added to Maria Brown’s risk timeline.
To view the Microsoft Security Graph risk indicator entry for a user, navigate to Security > Users, and select the user.
From Maria’s timeline, you can select the latest risk indicator entry from the risk timeline. Its corresponding detailed information panel appears in the right pane. The WHAT HAPPENED section provides a brief summary of the risk indicator.
How to get more information about the risk indicators
For more information, see Azure Active Directory risk events.
What actions you can apply to the user
Currently, the ability to take appropriate actions on the user’s account through the Microsoft Security Graph data source is not available.