Product Documentation

Microsoft Security Graph risk indicators

Microsoft Security Graph receives data from the Azure AD Identity Protection or Windows Defender Advanced Threat Protection security providers, and sends the information to Citrix Analytics.

Azure AD Identity Protection triggers the following risk indicators and sends the information to Microsoft Security Graph:

  • Sign-ins from anonymous IP addresses

  • Impossible travel to atypical locations

  • Users with leaked credentials

  • Sign-ins from infected devices

  • Sign-ins from IP addresses with suspicious activity

  • Sign-ins from unfamiliar locations

For information about Windows Defender ATP, see Windows Defender Advanced Thread Protection.

How to analyze Microsoft Security Graph risk indicators

Consider a user Maria Brown who exhibits one of the above risky behaviors. Microsoft detects the incident and generates an alert. Citrix Analytics retrieves this alert and assigns an updated risk score to Maria Brown. You receive a notification in the Alerts panel. Also, the appropriate risk indicator is added to Maria Brown’s risk timeline.

To view the Microsoft Security Graph risk indicator entry for a user, navigate to Security > Users, and select the user.

From Maria’s timeline, you can select the latest risk indicator entry from the risk timeline. Its corresponding detailed information panel appears in the right pane. The WHAT HAPPENED section provides a brief summary of the risk indicator.

How to get more information about the risk indicators

For more information, see Azure Active Directory risk events.

What actions you can apply to the user

Currently, the ability to take appropriate actions on the user’s account through the Microsoft Security Graph data source is not available.