
Suspicious country sign in on Tier0 account [RULE-1165]

This rule detects when a Tier0 account signs in from a suspicious country.

Rationale

Tier0 accounts possess unrestricted access to your most critical systems and can perform any administrative action across your Entra ID, Microsoft 365, and potentially on-premises infrastructure. Compromise of a Tier0 account represents a complete tenant takeover scenario.

Suspicious countries in this context may include:
  • High-risk geographic regions: areas with elevated threat actor activity targeting your industry

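
The detection this rule describes, as an added example that is not Attic's own rule logic: it runs over constructed Entra ID sign-in records (Microsoft Graph signIn field names) and flags successful sign-ins by a Tier0 account from a country in an organisation-defined suspicious set. The Tier0 account list, the country codes (user-assigned ISO 3166 codes used as placeholders) and the sample records are all assumptions.

```python
import json
from dataclasses import dataclass

@dataclass(frozen=True)
class Alert:
    rule_id: str
    user: str
    country: str
    timestamp: str

# Assumptions: the Tier0 inventory normally comes from your privileged-role
# assignments and the suspicious set is organisation-specific; "AA" and "ZZ"
# are user-assigned ISO 3166 codes, used here only as placeholders.
TIER0_ACCOUNTS = {"ga-admin@contoso.example"}
SUSPICIOUS_COUNTRIES = {"AA", "ZZ"}

# Constructed NDJSON sample (Microsoft Graph signIn field names): Tier0 from an
# allowed country, Tier0 from a suspicious one, a non-Tier0 user from the same
# country, a failed Tier0 attempt, and a Tier0 record with no location block.
SAMPLE_SIGNINS = """
{"userPrincipalName": "GA-Admin@contoso.example", "createdDateTime": "2024-05-01T08:12:03Z", "status": {"errorCode": 0}, "location": {"countryOrRegion": "US"}}
{"userPrincipalName": "ga-admin@contoso.example", "createdDateTime": "2024-05-01T09:40:11Z", "status": {"errorCode": 0}, "location": {"countryOrRegion": "ZZ"}}
{"userPrincipalName": "alice@contoso.example", "createdDateTime": "2024-05-01T09:41:00Z", "status": {"errorCode": 0}, "location": {"countryOrRegion": "ZZ"}}
{"userPrincipalName": "ga-admin@contoso.example", "createdDateTime": "2024-05-01T09:42:30Z", "status": {"errorCode": 50126}, "location": {"countryOrRegion": "AA"}}
{"userPrincipalName": "ga-admin@contoso.example", "createdDateTime": "2024-05-01T09:45:00Z", "status": {"errorCode": 0}}
"""

def parse_signins(ndjson: str) -> list[dict]:
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]

def detect_tier0_suspicious_signins(records, tier0=TIER0_ACCOUNTS,
                                    suspicious=SUSPICIOUS_COUNTRIES) -> list[Alert]:
    """RULE-1165: successful sign-in by a Tier0 account from a suspicious country."""
    tier0 = {u.lower() for u in tier0}
    alerts = []
    for rec in records:
        user = rec.get("userPrincipalName", "").lower()
        if user not in tier0:
            continue
        # errorCode 0 is a successful sign-in; failed attempts belong to another rule.
        if rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        # location can be absent: an unknown country does not match, and must not crash the rule.
        country = (rec.get("location") or {}).get("countryOrRegion", "")
        if country.upper() in suspicious:
            alerts.append(Alert("RULE-1165", user, country, rec.get("createdDateTime", "")))
    return alerts

def run_sample() -> list[Alert]:
    return detect_tier0_suspicious_signins(parse_signins(SAMPLE_SIGNINS))
```
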
Fix

An automated fix is available through Attic to mitigate the threat.

If the detected login is not legitimate, we recommend taking the following actions:
  - Disable the account immediately
  - Revoke all active sessions
  - Reset the password

Impact

After executing the fix, the targeted account is disabled and all of its current sessions are signed out.