Full Report
Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, […] The post Monitoring High Risk Azure Logins appeared first on Black Hills Information Security, Inc.
Analysis Summary
# Best Practices: Detecting and Responding to Compromised Cloud Accounts via Entra ID Risk Analysis
## Overview
These practices focus on leveraging Microsoft Entra ID Protection (formerly Azure AD Identity Protection) to detect, investigate, and respond to compromised user accounts, particularly focusing on Business Email Compromise (BEC) scenarios identified through high-risk sign-ins, especially those involving Multi-Factor Authentication (MFA) challenges.
## Key Recommendations
### Immediate Actions
1. **Investigate 'atRisk' Sign-Ins Immediately:** Prioritize investigation for any user account flagged with the `atRisk` label in Entra ID, as this signifies a potential compromise.
2. **Triage High Risk Logins Requiring MFA:** Specifically investigate any High Risk sign-in in which MFA approval was requested. Entra issues the MFA challenge only after the first factor succeeds, so a high-risk sign-in that reached the MFA step strongly suggests the user's password is already in the attacker's hands; check the sign-in's status to see whether the prompt was then approved, denied or abandoned, since that sets the urgency of the response.
3. **Analyze Key Log Attributes for Anomalies:** When investigating an `atRisk` login, immediately compare surrounding log entries focusing on the following attributes:
* IP Address
* Operating System
* ASN (Autonomous System Number)
* Country of Origin
4. **Establish Baselines for "Normal" Activity:** Quickly check the user's historical sign-in logs to establish a baseline for their typical operating system, device type, and geographic location to effectively identify true positives.
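The four-attribute comparison and the per-user baseline in steps 3 and 4, worked as runnable code. This is an added example, not code from the original post: the sign-in records are constructed samples shaped like the Microsoft Graph `signIn` resource (`ipAddress`, `autonomousSystemNumber`, `location.countryOrRegion`, `deviceDetail.operatingSystem`, `riskState`), the function names and the verdict heuristic are this example's own, and a SIEM that renames those properties needs the getters in `TRIAGE_FIELDS` adjusted.

```python
"""Baseline-and-compare triage for a sign-in flagged riskState == 'atRisk'.

Added example; not code from the original post. Records are constructed
samples modelled on the Microsoft Graph signIn resource. The verdict
heuristic in triage() is this example's own, not Microsoft's scoring.
"""
from collections import Counter

# Constructed history for alice: her "normal" sign-ins over the last weeks.
HISTORY = [
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64500, "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 11"}, "riskState": "none"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10",
     "autonomousSystemNumber": 64500, "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Windows 11"}, "riskState": "none"},
    {"userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.25",
     "autonomousSystemNumber": 64500, "location": {"countryOrRegion": "US"},
     "deviceDetail": {"operatingSystem": "Ios"}, "riskState": "none"},
    # Another user's sign-in: must not leak into alice's baseline.
    {"userPrincipalName": "bob@example.com", "ipAddress": "198.51.100.7",
     "autonomousSystemNumber": 64511, "location": {"countryOrRegion": "NG"},
     "deviceDetail": {"operatingSystem": "Linux"}, "riskState": "none"},
]

# Constructed flagged sign-ins to triage.
FLAGGED_COMPROMISE = {  # new on every attribute: strong true-positive candidate
    "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7",
    "autonomousSystemNumber": 64511, "location": {"countryOrRegion": "NG"},
    "deviceDetail": {"operatingSystem": "Linux"}, "riskState": "atRisk"}
FLAGGED_TRAVEL = {  # new IP/ASN/country from her usual laptop: the travel false positive
    "userPrincipalName": "alice@example.com", "ipAddress": "192.0.2.44",
    "autonomousSystemNumber": 64496, "location": {"countryOrRegion": "FR"},
    "deviceDetail": {"operatingSystem": "Windows 11"}, "riskState": "atRisk"}

# The four attributes the post says to compare first.
TRIAGE_FIELDS = {
    "ipAddress": lambda r: r.get("ipAddress"),
    "operatingSystem": lambda r: r.get("deviceDetail", {}).get("operatingSystem"),
    "asn": lambda r: r.get("autonomousSystemNumber"),
    "country": lambda r: r.get("location", {}).get("countryOrRegion"),
}


def build_baseline(history, upn):
    """Count each attribute value seen in this user's own historical sign-ins."""
    baseline = {name: Counter() for name in TRIAGE_FIELDS}
    for rec in history:
        if rec.get("userPrincipalName") != upn:
            continue
        for name, getter in TRIAGE_FIELDS.items():
            value = getter(rec)
            if value is not None:
                baseline[name][value] += 1
    return baseline


def new_attributes(flagged, baseline):
    """Names of the triage attributes whose value in the flagged sign-in was never seen before."""
    return sorted(name for name, getter in TRIAGE_FIELDS.items()
                  if getter(flagged) not in baseline[name])


def triage(flagged, history):
    """Return (verdict, new_attrs) for an atRisk sign-in.

    Heuristic (this example's own):
      - all four attributes new                         -> "likely-compromise"
      - only network/location attributes new, known OS  -> "possible-travel"
      - anything else (e.g. only a new OS)              -> "review"
    """
    if flagged.get("riskState") != "atRisk":
        raise ValueError("triage() expects a sign-in whose riskState is 'atRisk'")
    baseline = build_baseline(history, flagged["userPrincipalName"])
    unseen = new_attributes(flagged, baseline)
    if len(unseen) == len(TRIAGE_FIELDS):
        return "likely-compromise", unseen
    if unseen and "operatingSystem" not in unseen:
        return "possible-travel", unseen
    return "review", unseen


if __name__ == "__main__":
    for flagged in (FLAGGED_COMPROMISE, FLAGGED_TRAVEL):
        verdict, unseen = triage(flagged, HISTORY)
        print(f"{flagged['ipAddress']:>15}  {verdict:<18} new: {', '.join(unseen) or 'none'}")
```

The per-user filter in `build_baseline` is the point that is easy to get wrong in a shared SIEM query: the attacker's IP in `FLAGGED_COMPROMISE` does appear in the tenant's history (bob's sign-in), but it is new for alice, which is the comparison that matters.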
### Short-term Improvements (1-3 months)
1. **Deploy Targeted Sigma Rule:** Implement the provided Sigma rule to automate the detection of high-risk Azure sign-ins that required MFA approval, feeding these alerts directly into the SIEM/SOC workflow.
2. **Review and Tune False Positives:** Systematically review the alerts the new detection generates against its known false-positive causes, such as users travelling or signing in from a new mobile device, and adjust the rule logic or add alert suppression as needed.
3. **Map Entra Risk Detections:** Review all available Entra Risk Detections (both Sign-in and User risk types, such as `impossibleTravel`, `leakedCredentials`, and `suspiciousInboxForwarding`) and ensure corresponding alerts are configured and feeding into the SIEM pipeline.
4. **Ensure License Adequacy:** Verify that the accounts covered by these detections are licensed for **Microsoft Entra ID P2** (formerly Azure AD Premium P2); Free and P1 tenants see only a limited set of risk detections and less detail about each one.
### Long-term Strategy (3+ months)
1. **Integrate Risk Data with Incident Response Playbooks:** Develop specific, documented incident response playbooks triggered by different severity levels of Entra ID risk detections (Low, Medium, High, Admin Confirmed Compromised).
2. **Automate Containment Actions:** Configure automated responses through Entra ID Identity Protection policies or SIEM SOAR integration to enforce remediation steps based on risk level (e.g., force password reset, disable account, block sessions).
3. **Monitor Offline Detection Latencies:** Establish SLA awareness regarding the time difference between compromise and detection (up to 48 hours for some offline detections) and adjust monitoring and communication processes accordingly.
## Implementation Guidance
### For Small Organizations
* **Focus on P2 Migration:** If budget allows, prioritize upgrading to Entra ID P2 licenses to immediately unlock critical real-time and advanced offline detection capabilities necessary for robust BEC defense.
* **Manual Triage Priority:** With limited resources, prioritize manual investigation efforts solely on alerts categorized as "High Risk" or those triggering the specific MFA-related Sigma rule.
### For Medium Organizations
* **Implement Automated Alert Triage:** Begin routing all 'atRisk' alerts generated by Entra ID into the existing SIEM/SOC platform for initial correlation and ticketing.
* **Standardize Investigation Workflow:** Formalize the investigation steps mentioned in the guidance (comparing OS, IP, Country) into a standardized written procedure for all SOC analysts handling Entra ID alerts.
### For Large Enterprises
* **Leverage SOAR for Remediation:** Implement Security Orchestration, Automation, and Response (SOAR) playbooks to automatically trigger immediate containment actions (e.g., revoke sessions, enforce MFA re-registration) upon confirmed high-risk events detected by Entra ID.
* **Cross-Platform Correlation:** Integrate Entra ID Risk Data with other security intelligence sources (e.g., EDR, network logs) within the SIEM to create contextualized alerts far beyond single-source analysis.
## Configuration Examples
The following Sigma rule definition is intended to be ingested by a SIEM or log analysis platform capable of processing Azure Sign-in Logs data to specifically target highly suspicious sign-ins.
```yaml
title: High Risk Azure Login Requiring MFA
status: test
description: This detection leverages Azure AD’s built-in service, Azure AD Identity Protection, to detect anomalous high risk sign ins to cloud accounts requiring MFA approval. This is an indication that a user’s password has been compromised.
references:
author: David Perez
date: 2024/07/16
tags:
    - attack.t1528
    - attack.credential_access
logsource:
    product: azure
    service: signinlogs
detection:
    # Field names must match the SIEM's field mapping; the underlying Entra
    # sign-in log properties are riskState, authenticationRequirement,
    # riskLevelAggregated and riskLevelDuringSignIn.
    selection:
        risk_state: 'atRisk'
        authentication_requirement: 'multiFactorAuthentication'
    risk1:
        risk_level_aggregated: 'High'
    risk2:
        risk_level_during_signin: 'High'
    # Both selection fields must match, plus at least one of the risk* groups.
    condition: selection and 1 of risk*
falsepositives:
    - Users known to be on travel (most common).
    - Users authenticating with new devices in their possession (i.e. mobile device).
level: high
```
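How the rule's `condition: selection and 1 of risk*` actually evaluates, as a reference implementation run over sample sign-in records. This is an added example, not part of the original post or of the Sigma rule itself: the records are constructed and use the Microsoft Graph `signIn` property names, and `FIELD_MAP` is this example's assumption about how the rule's snake_case fields map onto those properties (a SIEM with a different field mapping needs it changed).

```python
"""Reference implementation of the rule's `selection and 1 of risk*` condition.

Added example, not part of the original post or of the Sigma rule. It
evaluates the rule the way a Sigma backend does (unmodified string values
compare case-insensitively) against constructed sample sign-in records.
"""

# Rule field name -> property name in the raw sign-in record (assumed mapping).
FIELD_MAP = {
    "risk_state": "riskState",
    "authentication_requirement": "authenticationRequirement",
    "risk_level_aggregated": "riskLevelAggregated",
    "risk_level_during_signin": "riskLevelDuringSignIn",
}

# The detection section of the rule, as data.
RULE = {
    "selection": {
        "risk_state": "atRisk",
        "authentication_requirement": "multiFactorAuthentication",
    },
    "risk1": {"risk_level_aggregated": "High"},
    "risk2": {"risk_level_during_signin": "High"},
}

# Constructed sample records. Entra emits risk levels in lower case ("high"),
# which is why case-insensitive matching against the rule's 'High' matters.
SAMPLE_SIGNINS = [
    {"id": "sig-1", "userPrincipalName": "alice@example.com",  # the textbook hit
     "riskState": "atRisk", "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelAggregated": "high", "riskLevelDuringSignIn": "high"},
    {"id": "sig-2", "userPrincipalName": "bob@example.com",  # no MFA challenge: out of scope
     "riskState": "atRisk", "authenticationRequirement": "singleFactorAuthentication",
     "riskLevelAggregated": "high", "riskLevelDuringSignIn": "high"},
    {"id": "sig-3", "userPrincipalName": "carol@example.com",  # already remediated
     "riskState": "remediated", "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelAggregated": "high", "riskLevelDuringSignIn": "high"},
    {"id": "sig-4", "userPrincipalName": "dave@example.com",  # only one risk level high
     "riskState": "atRisk", "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelAggregated": "medium", "riskLevelDuringSignIn": "high"},
    {"id": "sig-5", "userPrincipalName": "erin@example.com",  # medium on both
     "riskState": "atRisk", "authenticationRequirement": "multiFactorAuthentication",
     "riskLevelAggregated": "medium", "riskLevelDuringSignIn": "medium"},
]


def _eq(actual, expected):
    """Sigma compares unmodified string values case-insensitively."""
    return actual is not None and str(actual).lower() == str(expected).lower()


def matches_group(record, group):
    """Every field/value pair inside one named selection must match (implicit AND)."""
    return all(_eq(record.get(FIELD_MAP[field]), value) for field, value in group.items())


def evaluate(record, rule=RULE):
    """Implements: condition: selection and 1 of risk*"""
    risk_groups = [grp for name, grp in rule.items() if name.startswith("risk")]
    return matches_group(record, rule["selection"]) and any(
        matches_group(record, grp) for grp in risk_groups)


def alerts(records, rule=RULE):
    """IDs of the records the rule would fire on."""
    return [rec["id"] for rec in records if evaluate(rec, rule)]


if __name__ == "__main__":
    for rec in SAMPLE_SIGNINS:
        print(rec["id"], "ALERT" if evaluate(rec) else "-")
```

Only `sig-1` and `sig-4` fire: `sig-4` shows that `1 of risk*` is satisfied when just the during-sign-in level is high, while `sig-2` is deliberately outside this rule's scope because no MFA challenge was issued; whether a single-factor high-risk sign-in deserves its own rule is a tuning decision for the SOC.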
## Compliance Alignment
* **NIST CSF:** Identify (ID.RA-3), Detect (DE.AE-4, DE.CM-7)
* **ISO 27001/27002:** ISO 27002:2022 control 5.24 (Information security incident management planning and preparation); A.9.2 (User access management) in the 2013 numbering
* **CIS Controls v8:** Control 4 (Secure Configuration of Enterprise Assets and Software), Control 6 (Access Control Management)
## Common Pitfalls to Avoid
* **Assuming P1 License is Sufficient:** Failing to recognize that many of the most valuable, contextual detections (like anomalous token usage or impossible travel) require the features unlocked by Entra ID P2 licensing.
* **Ignoring Non-Sign-In Risks:** Over-focusing only on sign-in risk detections while missing crucial User Risk detections like `leakedCredentials` or `suspiciousSendingPatterns`.
* **Accepting High Risk without Investigation:** Treating an "atRisk" label as a final verdict rather than a high-priority starting point for forensic investigation comparing logs.
* **Not Scripting False Positive Tuning:** Allowing high volumes of repetitive travel-related alerts to fill the queue without investing time in conditional tuning, leading to analyst fatigue and potential missed real threats.
## Resources
* Reviewing Entra ID Risk Investigation Documentation: `[Microsoft Learn documentation link for investigation]`
* Understanding General Entra ID Protection Concepts: `[Microsoft Learn documentation link for concept overview]`
* Checking Entra ID Protection Licensing Requirements: `[Microsoft Learn documentation link for licensing]`