Blue Team, David Perez, Incident Response, Informational Azure, Entra ID, SIEM, SOC
Recently in the SOC, we were notified by a partner that they had a potential business email compromise, or BEC. We commonly catch these by identifying suspicious email forwarding rules, utilizing anomaly detection services, or by reports from our partners, as we did in this scenario. As always, the earlier we can catch these events in the attack chain, the better. This led us to begin investigating high risk logins identified by Azure AD Identity Protection, or what is now known as Entra Identity Protection.
Entra ID protection categorizes risk levels as low, medium, or high. Entra ID also attaches the atRisk label if a potential threat actor has gained access to a user’s account. Determination of risk level is based on the confidence in the signals by Entra ID and utilizes Real-time and Offline detection techniques to assess these values. Organizations not utilizing an Azure AD P2 license will have limited detection capabilities using this service.
Investigating these events is straight-forward once you understand what information Entra ID is using to make these detections. The most useful attributes being IP address, operating system, ASN, and country of origin. Once an atRisk login has been identified, I start my investigation by querying the related user account and comparing the surrounding log’s login information to see what normal activity looks like for the user.
The detections most closely correlated with multi-factor authentication events were the most useful. Logically speaking, if an MFA request has been sent to a device, then the user account’s password has very likely been compromised. I’ve included this as part of the sigma rule at the bottom of the blog.
The most common false positives I have seen so far are from users signing in from mobile devices or from different IP addresses due to them being on travel. True positives seem to stick out like a sore thumb, whereas a user is most often seen signing in from a Windows machine, and then suddenly they are seen using a Mac in a different country.
In summary, monitoring these alerts more closely has helped us to catch more of these events earlier in the attack chain. I hope this helps you as well.
Sigma Rule:
title: High Risk Azure Login Requiring MFA
status: tested
description: This detection leverages Azure AD’s built-in service, Azure AD Identity protection, to detect anomalous high risk sign ins to cloud accounts requiring MFA approval. This is an indication that a user’s password has been compromised.
references:
author: David Perez
date: 2024/07/16
tags:
- attack.t1528
- attack.credential_access
logsource:
product: azure
service: signinlogs
detection:
selection:
risk_state : ‘atRisk’
authentication_requirement : ‘multiFactorAuthentication’
risk1:
risk_level_aggregated : ‘High’
risk2:
risk_level_during_signin : ‘High’
condition: selection and 1 of risk*
falsepositives:
- Users known to be on travel(most common).
- Users authenticating with new devices in their possession (i.e. mobile device).
Entra Risk Detections:
The time difference between a suspicious sign-in event versus a detection in logs/reports can range significantly — for real-time detections, it is 5-10 minutes, and up to 48 hours for offline detections.
| Risk detection | Detection type | Type | riskEventType |
| Sign-in risk detections | |||
| Activity from anonymous IP address | Offline | Premium | riskyIPAddress |
| Additional risk detected (sign-in) | Real-time or Offline | Nonpremium | generic = Premium detection classification for non-P2 tenants |
| Admin confirmed user compromised | Offline | Nonpremium | adminConfirmedUserCompromised |
| Anomalous Token | Real-time or Offline | Premium | anomalousToken |
| Anonymous IP address | Real-time | Nonpremium | anonymizedIPAddress |
| Atypical travel | Offline | Premium | unlikelyTravel |
| Impossible travel | Offline | Premium | mcasImpossibleTravel |
| Malicious IP address | Offline | Premium | maliciousIPAddress |
| Mass Access to Sensitive Files | Offline | Premium | mcasFinSuspiciousFileAccess |
| Microsoft Entra threat intelligence (sign-in) | Real-time or Offline | Nonpremium | investigationsThreatIntelligence |
| New country | Offline | Premium | newCountry |
| Password spray | Offline | Premium | passwordSpray |
| Suspicious browser | Offline | Premium | suspiciousBrowser |
| Suspicious inbox forwarding | Offline | Premium | suspiciousInboxForwarding |
| Suspicious inbox manipulation rules | Offline | Premium | mcasSuspiciousInboxManipulationRules |
| Token issuer anomaly | Offline | Premium | tokenIssuerAnomaly |
| Unfamiliar sign-in properties | Real-time | Premium | unfamiliarFeatures |
| Verified threat actor IP | Real-time | Premium | nationStateIP |
| User risk detections | |||
| Additional risk detected (user) | Real-time or Offline | Nonpremium | generic = Premium detection classification for non-P2 tenants |
| Anomalous user activity | Offline | Premium | anomalousUserActivity |
| Attacker in the Middle | Offline | Premium | attackerinTheMiddle |
| Leaked credentials | Offline | Nonpremium | leakedCredentials |
| Microsoft Entra threat intelligence (user) | Real-time or Offline | Nonpremium | investigationsThreatIntelligence |
| Possible attempt to access Primary Refresh Token (PRT) | Offline | Premium | attemptedPrtAccess |
| Suspicious API Traffic | Offline | Premium | suspiciousAPITraffic |
| Suspicious sending patterns | Offline | Premium | suspiciousSendingPatterns |
| User reported suspicious activity | Offline | Premium | userReportedSuspiciousActivity |
Resources:
Ready to learn more?
Level up your skills with affordable classes from Antisyphon!
Available live/virtual and on-demand
