There is nothing here that connects risk events with the risk level #63555
Comments
@D-Moonesinghe |
@D-Moonesinghe When it comes to figuring out risk levels/events, Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user or sign-in is compromised. |
Yes. I saw the document you are pointing to before I opened this issue. I was sure at some point before I ran into the same chart below when I was combing through MS docs at least a year back.
Sorry for being skeptical, but I don't buy that answer. Here is why:
There is no way that Microsoft doesn't have a chart like this. Without having something like this, how does Microsoft expect admins to figure out what event is Risk Level High, Medium or Low to set as conditions?
There are one or two questions on the AZ-500 exam. We are expected to know this. And you are telling me there is no such thing? I am sure this author didn't create this out of thin air. If you want some help digging into this, let me know, or you can contact the author yourself.
[image: image.png]
…On Wed, Sep 30, 2020 at 3:55 PM James Tran-MSFT ***@***.***> wrote:
@D-Moonesinghe <https://github.com/D-Moonesinghe>
Here's a list of different Risk types and detection
<https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-types-and-detection>
When it comes to figuring out risk levels/events, Microsoft does not
provide specific details about how risk is calculated, we will say that
each level brings higher confidence that the user or sign-in is compromised.
FAQ - Risk levels
<https://docs.microsoft.com/en-us/azure/active-directory/identity-protection/concept-identity-protection-risks#risk-levels>
|
@D-Moonesinghe |
@D-Moonesinghe I reached out to my team and we weren't able to find the table as seen here. However, we did see something similar under the portal within Identity Protection/Risk detections: I'll assign this issue to the author to investigate and update as needed. Thank you again for pointing this out and for your time! |
@D-Moonesinghe The calculations have changed since that blog post was written. As I mention in the article we don't disclose the exact calculation methods. The higher the risk the more confident we are in the signal providing the risk information. This statement went back and forth through the product group multiple times before we published. If you would like to open product feedback for them to add more clarity please open a product feedback item at the bottom of the document. |
#please-close |
John Flores,
You really didn't read the original case. Because if you did you would realize I am not asking that Microsoft disclose the exact method of how risk is calculated. I am simply pointing to a large information black hole in your article that people who are implementing have to know about, yet it is not addressed by the article.
If you simply took the time to follow the original link I put, you would have seen the technical dilemma anyone trying to implement would run into. Your article doesn't properly address a detail required to implement this. I urge you and your team to take 5 minutes to read the article at
https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/
The link takes you step by step through setting up a risk-based conditional access policy. Anyone with elementary knowledge can see the issue.
Let me simplify this for you. Look at this screen below:
![Conditional Access Policy](https://user-images.githubusercontent.com/60631350/94862384-e5ffe600-0406-11eb-81ca-ef778f8d23c8.png)
Tell me how you would fill in the above screen (or any current updated screen) that corresponds to this, without a chart like what is shown below?
![Risk Event Risk Level Chart](https://user-images.githubusercontent.com/60631350/94862580-3414e980-0407-11eb-8608-14317d2a908a.png)
What I am saying is you don't have a chart like this in your article or even a link to a chart like this, which is essential.
Please don't conflate this question with requiring Microsoft to divulge how they calculate risks. They are two different things.
Now if this is beyond your comprehension please pass it on to someone with more knowledge who can grasp this or is diligent enough to research this. Or else if you are too lazy to do either please let it stay closed.
|
@D-Moonesinghe I did read the article you mentioned. As I said the way we make calculations has changed. We don't have a list of each detection and what level that detection sits at because they are all high, medium, and low depending on the confidence in the signal its accuracy. If I had a chart it would be all the risks on one side and they would all say high, medium, and low on the other. Just because you trigger one detection doesn't always mean it is mapped directly to high, medium, or low. As you review and investigate risks in your organization the reports do provide you risk levels for each user and all triggered detections. If you would like to have a further technical conversation I am happy to do so and my email address is published in my profile. Otherwise I will consider this issue closed and resolved as is. |
Ok Thanks John.
You might want to pass this whole conversation to Microsoft Training. It
is still a test question in their pool for Az-500 Azure Security exam.
…On Fri, Oct 2, 2020 at 7:00 PM John Flores ***@***.***> wrote:
@D-Moonesinghe <https://github.com/D-Moonesinghe> I did read the article
you mentioned. As I said the way we make calculations has changed.
We don't have a list of each detection and what level that detection sits
at because they are all high, medium, and low depending on the confidence
in the signal its accuracy.
If I had a chart it would be all the risks on one side and they would all
say high, medium, and low on the other. Just because you trigger one
detection doesn't always mean it is mapped directly to high, medium, or low.
As you [review and investigate risks in your organization](https://docs.microsoft.com/azure/active-directory/identity-protection/howto-identity-protection-investigate-risk) the reports do provide you risk levels for each user and all triggered detections.
If you would like to have a further technical conversation I am happy to
do so and my email address is published in my profile. Otherwise I will
consider this issue closed and resolved as is.
|
Static-based risk calculation in the world of security is no longer valid. You couldn't just say the risk level of login from an unfamiliar location is lower than leaked credentials; to be honest, even we know credential leakage sounds very dangerous. Well, just imagine an administrator (global admin) is found logged in from an unfamiliar location versus a normal user (with less privilege/read-only permission) is compromised? I don't think we could still just base it on the risk level that was defined in the past. That is why Microsoft removed the table of risk levels and stated as follows (ref):
While Microsoft does not provide specific details about how risk is calculated, we will say that each level brings higher confidence that the user or sign-in is compromised. For example, something like one instance of unfamiliar sign-in properties for a user might not be as threatening as leaked credentials for another user.
The AZ-500 exam still has a question related to risk level. This should be removed from the question bank IMO. Updated: if you still see such a question and would like to learn it by heart from Microsoft, check the image below |
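The points John Flores and AzSec make above (the same detection type can surface at different levels, and the account's privilege changes how seriously a given level should be taken), worked through as an added example that is not part of this thread or of Microsoft's documentation. The record shape, the event names, the privileged-role set and the medium-to-high escalation rule are this example's own assumptions; the sample detections are constructed.

```python
from collections import defaultdict

# Constructed sample detections (not real tenant data); the field names follow
# the shape this example assumes for Microsoft Graph riskDetection objects.
DETECTIONS = [
    {"userPrincipalName": "alice@contoso.example", "riskEventType": "unfamiliarFeatures",  "riskLevel": "low"},
    {"userPrincipalName": "bob@contoso.example",   "riskEventType": "unfamiliarFeatures",  "riskLevel": "medium"},
    {"userPrincipalName": "carol@contoso.example", "riskEventType": "leakedCredentials",   "riskLevel": "high"},
    {"userPrincipalName": "dave@contoso.example",  "riskEventType": "anonymizedIPAddress", "riskLevel": "medium"},
    {"userPrincipalName": "dave@contoso.example",  "riskEventType": "unfamiliarFeatures",  "riskLevel": "low"},
]
# Assumption: which accounts hold privileged roles comes from your own directory.
PRIVILEGED = {"bob@contoso.example"}

# The policy is keyed on the LEVEL, the way the Conditional Access screen is
# filled in, not on individual detection types.
SIGN_IN_RISK_POLICY = {"high": "block", "medium": "mfa", "low": "allow"}
LEVEL_RANK = {"low": 0, "medium": 1, "high": 2}


def levels_by_event(detections):
    """Which risk levels each detection type actually appeared with."""
    seen = defaultdict(set)
    for d in detections:
        seen[d["riskEventType"]].add(d["riskLevel"])
    return dict(seen)


def effective_level(detection, privileged=PRIVILEGED):
    """Local rule assumed here: a privileged account at medium risk is handled as high."""
    level = detection["riskLevel"]
    if detection["userPrincipalName"] in privileged and level == "medium":
        return "high"
    return level


def triage(detections, policy=SIGN_IN_RISK_POLICY):
    """Map each user to the control for the highest effective level among their detections."""
    worst = {}
    for d in detections:
        upn, level = d["userPrincipalName"], effective_level(d)
        if upn not in worst or LEVEL_RANK[level] > LEVEL_RANK[worst[upn]]:
            worst[upn] = level
    return {upn: policy[level] for upn, level in worst.items()}


if __name__ == "__main__":
    print(levels_by_event(DETECTIONS))  # unfamiliarFeatures shows up at two different levels
    print(triage(DETECTIONS))
```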
Thank you very much for that information. That is enlightening.
|
Here is one suggestion the MS Docs team may want to consider.
When you change knowledge documents like that, instead of making the old knowledge completely disappear off the docs site, what if you left the old knowledge there with a big red warning saying this knowledge is no longer the current expert opinion?
It would be helpful to us (users of your docs site) to know this was the old thinking and what it maps to in current understanding.
Remember your info is taken by others (bloggers, trainers, consultants) and disseminated to a wider audience than who reads the docs. We need to have a way to be able to track what is expired knowledge and what is current knowledge.
If you simply delete the web pages with the expired knowledge it just leads to more unnecessary confusion and wasted time chasing knowledge that has disappeared into a black hole.
Hopefully my suggestion is considered for what it is worth.
|
How do we figure out the risk event and the risk level? I couldn't find a link in this document to any list like that.
The only thing I found is in this blog post here: https://www.rebeladmin.com/2018/09/step-step-guide-configure-risk-based-azure-conditional-access-policies/. But how can I trust that?