KURAL.ai
Sarah Chen · MGA · UKGC · CA-ON-AGCO · BR-SPA

High-risk sign-in events must be remediated within 24h

IDENTITY.ENTRA.SIGNIN.RISK · GLOBAL · operational_security
Severity: high
Cadence: hourly
Region: global
Current status (Apollo Gaming Ltd.): not evaluated

Requirement

Entra Identity Protection flags risky sign-ins (impossible travel, leaked credentials, unfamiliar sign-in properties) and rolls those detections up into a per-user risk level. Any user surfaced with riskLevel high or medium must be remediated (password reset plus an MFA challenge) within 24 hours of the detection that raised the risk, not of the time the record was last touched.

Source: Microsoft Identity Protection — Sign-in risk policy

Remediation guidance

For any in-scope user whose riskState has been atRisk (or confirmedCompromised) for longer than 24h: trigger the user-risk remediation flow (force a password change and MFA re-registration), then re-read the riskyUsers record and confirm riskState has moved to remediated. An admin dismissal sets riskState=dismissed, which the acceptance criterion also accepts, but dismissing does not reset the user's credentials, so record the justification whenever dismissal is used instead of a reset. Document the action, the timestamps and the resulting riskState in the operator's incident log.

Evidence specification

Evidence type: infra_config
Connector: idp-entra
Spec:
{
  "query": "signin_risk_events",
  "required_fields": [
    "id",
    "userPrincipalName",
    "riskLevel",
    "riskState",
    "riskLastUpdatedDateTime"
  ]
}
Acceptance criteria:
  • every riskLevel in [high, medium] has riskState in [remediated, dismissed] within 24h of riskLastUpdatedDateTime
  • any riskLevel in [high, medium] still atRisk or confirmedCompromised with riskLastUpdatedDateTime older than 24h is a failure
  • note: the required fields match the Microsoft Graph riskyUser resource, and riskLastUpdatedDateTime is the time of the last state change; for an already-remediated user it records the remediation time, not the detection time, so the evaluator must take the detection time from riskDetections (detectedDateTime) or the riskyUsers history to prove the 24h window on closed risks
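A worked evaluation of this acceptance criterion over constructed riskyUser records, added here as an example; it is not KURAL.ai's idp-entra connector code. It assumes the Microsoft Graph riskyUser field names listed in the spec plus one extra field, detectedDateTime, that is not in the spec and stands in for the detection time an evaluator would join from riskDetections or the riskyUsers history; the sample records and the apollogaming.example domain are constructed.

```python
"""Evaluate the IDENTITY.ENTRA.SIGNIN.RISK acceptance criterion offline.

Added example for this page, not KURAL.ai connector code. Records follow the
Microsoft Graph riskyUser field names named in the evidence spec; the sample
records are constructed. "detectedDateTime" is an assumed extra field (not in
the spec) used only to verify time-to-remediate on already-closed risks.
"""
from __future__ import annotations

from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = ["id", "userPrincipalName", "riskLevel", "riskState",
                   "riskLastUpdatedDateTime"]        # from the evidence spec
IN_SCOPE_LEVELS = {"high", "medium"}                 # low/none/hidden out of scope
CLOSED_STATES = {"remediated", "dismissed"}          # states the criterion accepts
OPEN_STATES = {"atRisk", "confirmedCompromised"}     # risk still open in Entra
SLA = timedelta(hours=24)


def parse_ts(value: str) -> datetime:
    """Graph returns ISO-8601 UTC with a trailing Z; make it tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hours(delta: timedelta) -> str:
    return f"{delta.total_seconds() / 3600:.1f}h"


def evaluate_user(record: dict, now: datetime) -> dict | None:
    """Return one finding for a riskyUser record, or None if out of scope."""
    missing = [f for f in REQUIRED_FIELDS if f not in record]
    user = record.get("userPrincipalName", record.get("id", "?"))
    if missing:
        return {"user": user, "status": "error", "reason": f"missing {missing}"}
    if record["riskLevel"] not in IN_SCOPE_LEVELS:
        return None
    state = record["riskState"]
    updated = parse_ts(record["riskLastUpdatedDateTime"])
    if state in OPEN_STATES:
        # For an open risk, riskLastUpdatedDateTime is the last state change,
        # so (now - updated) is a lower bound on time spent at risk.
        age = now - updated
        status = "fail" if age > SLA else "pending"
        return {"user": user, "status": status, "reason": f"{state} for {hours(age)}"}
    if state in CLOSED_STATES:
        # Once closed, riskLastUpdatedDateTime is the remediation time, not the
        # detection time, so the 24h bound needs a detection timestamp (assumed
        # field here; a real evaluator would join it from riskDetections or
        # riskyUsers/{id}/history).
        detected = record.get("detectedDateTime")
        if detected is None:
            return {"user": user, "status": "pass_unverified",
                    "reason": f"{state}; no detection time to measure against"}
        ttr = updated - parse_ts(detected)
        status = "fail" if ttr > SLA else "pass"
        return {"user": user, "status": status, "reason": f"{state} after {hours(ttr)}"}
    # confirmedSafe / none / unknownFutureValue are not named by the criterion:
    # surface them for an analyst rather than silently passing or failing.
    return {"user": user, "status": "review", "reason": f"riskState {state}"}


def evaluate(records: list[dict], now: datetime) -> dict:
    """Control result: fail if any in-scope user fails or any record is unusable."""
    findings = [f for f in (evaluate_user(r, now) for r in records) if f]
    failed = any(f["status"] in ("fail", "error") for f in findings)
    return {"status": "fail" if failed else "pass", "findings": findings}


def status_by_user(records: list[dict], now: datetime) -> dict[str, str]:
    return {f["user"]: f["status"] for f in evaluate(records, now)["findings"]}


# Constructed sample evidence (not real tenant data), evaluated at a fixed "now".
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVIDENCE = [
    {"id": "u1", "userPrincipalName": "alice@apollogaming.example", "riskLevel": "high",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-01T08:00:00Z"},   # 28h open
    {"id": "u2", "userPrincipalName": "bob@apollogaming.example", "riskLevel": "medium",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-05-02T06:00:00Z"},   # 6h open
    {"id": "u3", "userPrincipalName": "carol@apollogaming.example", "riskLevel": "high",
     "riskState": "remediated", "riskLastUpdatedDateTime": "2024-05-01T20:00:00Z",
     "detectedDateTime": "2024-05-01T10:00:00Z"},                                  # 10h to remediate
    {"id": "u4", "userPrincipalName": "dave@apollogaming.example", "riskLevel": "low",
     "riskState": "atRisk", "riskLastUpdatedDateTime": "2024-04-20T00:00:00Z"},   # out of scope
    {"id": "u5", "userPrincipalName": "erin@apollogaming.example", "riskLevel": "medium",
     "riskState": "dismissed", "riskLastUpdatedDateTime": "2024-04-30T09:00:00Z"},
    {"id": "u6", "userPrincipalName": "frank@apollogaming.example", "riskLevel": "high",
     "riskState": "confirmedSafe", "riskLastUpdatedDateTime": "2024-05-01T15:00:00Z"},
    {"id": "u7", "userPrincipalName": "grace@apollogaming.example", "riskLevel": "high",
     "riskState": "remediated", "riskLastUpdatedDateTime": "2024-05-01T22:00:00Z",
     "detectedDateTime": "2024-04-30T10:00:00Z"},                                  # 36h to remediate
    {"id": "u8", "userPrincipalName": "heidi@apollogaming.example", "riskLevel": "high"},
]

if __name__ == "__main__":
    result = evaluate(SAMPLE_EVIDENCE, NOW)
    print(f"control: {result['status']}")
    for f in result["findings"]:
        print(f"  {f['status']:16} {f['user']:30} {f['reason']}")
```

Run as a script to see the per-user findings. Open risks older than 24h fail outright, closed risks pass only when a detection time proves the window and otherwise come back as pass_unverified, records with a riskState the criterion does not name (confirmedSafe) are flagged for review, and a record missing a required field is an evidence error rather than a silent pass.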

Recent evaluations (Apollo Gaming Ltd.)

No evaluation history for this control yet.