Quick Start Security for Azure AD
Thank you!
We got your information.
Coralogix Extension For Azure AD Includes:
Alerts - 26
Stay on top of Azure AD key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.
A user signed in without MFA
This alert detects a user sign-in activity without Multi-factor authentication. Impact A user without MFA is vulnerable to brute force attacks and in a higher chance to account takeover and compromised. If your organizational policy does not allow users to login without MFA, this alert might indicate a compromised account sign-in. Mitigation Investigate and verify with the user in question that this is a legitimate sign-in operation. If your organizational policy requires MFA, investigate why did this user was able to login without MFA. Consider consulting with IT to check if the Azure policy was changed or tampered with. If this was considered a suspicious activity, block user, enable back MFA and reset his password. MITRE Tactic: TA0004 MITRE Technique: T1078
Identity protection - risky or compromised sign-in
This alert detects risky or compromised signed-in flagged by Azure identity protection feature. This feature needs to be enabled on Azure for this alert to work. Impact A successful sign-in by a risky or compromised account can give an adversary access to the system. Mitigation Investigate and verify why did Azure alerted on this sign-in, consult with the user and if not authorized, revoke privileges, rotate passwords and further investigate. MITRE Tactic: TA0001 MITRE Technique: T1078
An external user has redeemed his invitation to the system
A user outside the organization has redeemed his invitation and received access to Azure environment. This alert should had an "An external user has been invited" alert precede it. Impact Some invitations could sit open for months and be redeemed by threat actors that hacked to the invited user account or just by users who no longer need to receive access to the system. Mitigation An external user which has been granted access to the system should be inspected and validated as legitimate. Validate when was the invitation originally sent. Anything more then a week or two should raise suspicion and be validated with the inviting user/admin. Validate with the user who initiated the invite that the action was legitimate and intended (and that the invited email is correct), revoke the invite and block the invited user if not. MITRE Tactic: TA0003 MITRE Technique: T1098
A user has been deleted
This rule detects the deletion of an Azure AD user. Consecutive deletion alerts can also be configured by fine-tuning this alert. Impact An adversary can delete a user to harm or evade detection. Bulk deletion operations (many consecutive user deletion alert) should be especially inspected. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531
A group has been deleted
This rule detects the deletion of an Azure AD group. Consecutive deletion alerts can also be configured by fine-tuning this alert. Impact An adversary can delete a group to harm or evade detection. Bulk deletion operations (many consecutive group deletion alert) should be especially inspected. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531
An external user has been invited
A user outside of the organization has been invited to collaborate on Azure services. Note that this is only an invite, an invite that was accepted by the user generated an additional log action named "redeem external user invite". Impact An external user invite should be inspected and validated as necessary as it could expose internal and confidential information to a user outside of the organization. Look for the "redeem external user invite" operation name log to see if the invited user has accepted the invitation and got access to the system. Mitigation Validate with the user who initiated the invite that the action was legitimate and intended (and that the invited email is correct), revoke the invite and block the invited user if not (if he already received access). MITRE Tactic: TA0003 MITRE Technique: T1078
More than 5 login failures under 5 minutes (possible brute force)
This alert detects multiple login failures - more than 5 attempts under 5 minutes. Multiple login attempts can indicate a possible brute force attack against the account. The alert detects login attempts per user. Impact A successful brute force attack can compromise credentials and give an attack access to the system. Successful authentication after a series of unsuccessful tries might indicate an attacker gaining access to credentials. Mitigation Investigate and verify with the user in question that these are legitimate attempts, if they are not, check for a successful login after the failed attempts and investigate further according to findings. MITRE Tactic: TA0006 MITRE Technique: T1110
More than 5 users have been deleted under 10 minutes
This rule detects the deletion of More than 5 users under 10 minutes. Impact An adversary can delete a user to harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be especially inspected. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0040 MITRE Technique: T1531
A user has been granted administrative privileges
This rule detects an AD user which has been given administrative privileges. Azure AD has multiple types of administrators, see log details for the type of privileges granted. This alert can be fine-tuned to specific administrator types according to information in the "properties.targetResources.modifiedProperties" log path. Impact An admin can perform many sensitive operations in the system, an adversary obtaining admin access is a worst-case scenario that should be avoided. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0003 MITRE Technique: T1078
A resource lock has been removed
This rule detects the removal of a resource lock. Resource locks are an Azure feature of stopping the accidental deletion of different Azure resources. A locked resource can't be deleted and needs to be unlocked first. Impact The removal of a resource lock might indicate a user planning to delete a resource. Bulk removal operations (many consecutive removal alerts) should be especially inspected. Mitigation Check for a deletion log after the lock removal to check if the resource had been deleted. Validate that the removal and deletion (if happened) were approved, investigate further and revert changes if not. This is a general resource lock removal alert. An alert for an attempted deletion of a locked resource can also be configured. See the relevant Azure service extension pack for details. MITRE Tactic: TA0005 MITRE Technique: T1562
A diagnostic setting has been deleted
This rule detects the deletion of a diagnostic setting. Diagnostic settings are Azure feature of sending logs of specific Azure services to different log aggregators. Impact The deletion of the diagnostic setting stops the sending of logs for that specific Azure service. An attacker can delete the diagnostic settings to stop logging operations and to cover his malicious activities. Bulk deletion operations (many consecutive deletion alerts) should be especially inspected. Mitigation Validate that the action was approved, investigate further and revert changes if not. MITRE Tactic: TA0005 MITRE Technique: T1562
Possible MFA fatigue attack
Triggers when a user repeatedly rejects or does not respond to Azure AD multi-factor authentication (MFA) push notifications. Impact Detects repeated MFA rejections. Mitigation Consult with the user to clarify the reasons behind MFA push notification rejections and verify if they initiated the requests; escalate to disabling the account and initiating incident response if malicious activity is suspected. Mitre tactic : TA0006 Mitre technique : T1621
Credential Stuffing Attack on Azure
Triggers when identifies the network IP address or user agent linked to numerous login attempts across different user accounts. Impact A Credential Stuffing Attack on Azure can lead to unauthorized access to multiple user accounts, posing a severe security risk. This attack can result in data breaches, loss of sensitive information, and potential service disruption for legitimate users. Mitigation Review the log to validate the legitimacy of the login attempt and proceed to rotate user credentials if a compromise is detected. Mitre tactic : TA0006 Mitra technique : T1110
Azure Active Directory risky sign-in
Triggers when Azure Identity Protection identifies an Azure Active Directory login as risky. Impact Identifies risky Azure AD logins. Mitigation Verify the location of user to check if its a valid location. If the activity is not legitimate then diable the user's account. Mitre tactic : TA0001 Mitre technique : T1078
Privileged Identity Management member assigned
Triggers whenever a user allocates an administrative role in Azure Privileged Identity Management (PIM). Impact Alerts on admin role allocation in PIM. Mitigation Verify API Call and confirm if user was assigned an admin role. In case of malicious request, rotate the credentials and inform the incident response team. [Ref: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices ] Mitre tactic : TA0003 Mitre technique : T1098
FullAccessAsApp Permission Assigned
'Summary This alert triggers when the FullAccessAsApp permission is assigned to a service principal or application in Azure Active Directory. This permission grants the application full access to data and resources within the tenant, including the ability to read and write directory data, manage users and groups, and perform actions on behalf of users. Impact The FullAccessAsApp permission allows the application to perform a wide range of operations, including accessing and modifying critical data and resources across the entire Azure AD tenant. If this permission is assigned to a compromised or malicious application, it can lead to significant security risks, such as data breaches, unauthorized data manipulation, and potential lateral movement within the organization. Mitigation Implement a rigorous approval process for assigning the FullAccessAsApp permission. Ensure that only authorized personnel can approve such requests and involve relevant stakeholders in the decision-making process. Apply the principle of least privilege by assigning the minimum necessary permissions required for applications to perform their tasks. Avoid granting FullAccessAsApp unless absolutely necessary. MITRE Tactic: TA0004 MITRE Technique: T1078'
Multiple AppIDs and UserAgents Authentication Spike
'Summary This alert is triggered when there is a significant increase in authentication requests to Azure Active Directory (Azure AD) from multiple application identifiers (AppIDs) and user agents within a short period. This spike in authentication activity may indicate potential unauthorized access attempts, credential stuffing attacks, or unusual application behavior. Impact Increased risk of unauthorized access to Azure AD resources. Potential disruption to user authentication and access to applications. Risk of compromised credentials and data breaches if the spike is due to malicious activity. Mitigation Immediately investigate the spike in authentication requests to determine the root cause. Use Azure AD logs, Azure Monitor, and other monitoring tools to analyze the source, frequency, and patterns of authentication attempts. MITRE Tactic: TA0004 MITRE Technique: T1078'
New MFA Method Registered
This alert triggers when a new Multi-Factor Authentication (MFA) method is registered for a user account in Azure Active Directory. MFA adds an extra layer of security to user sign-ins by requiring users to provide additional authentication factors beyond just a password. Impact Registering a new MFA method strengthens the security posture of the user account and the organization as a whole by adding an additional authentication factor. Registering new MFA methods may impact compliance requirements, particularly if specific MFA methods are mandated by industry regulations or organizational policies. Mitigation Provide clear guidance and training to users on the importance of MFA and the registration process for new MFA methods. Encourage users to follow best practices for safeguarding their MFA credentials. Implement policies that require users to register multiple MFA methods to ensure redundancy and resilience against authentication failures or lost access to a single method. Mitre tactic : TA0003 Mitre technique : T1098
New Federated Domain Added
'Summary This alert triggers when a new federated domain is added to Azure Active Directory. Federated domains are those that are configured for single sign-on (SSO) using Active Directory Federation Services (AD FS) or another identity provider, enabling users to authenticate with their on-premises credentials. Impact Adding a new federated domain expands the scope of federated authentication within the organization, enhancing user convenience and productivity by enabling seamless SSO experiences. Incorrect configuration of federated domains can lead to authentication failures, user access issues, or even service disruptions, impacting business continuity. Mitigation Implement automated monitoring solutions to detect changes in federated domain configurations promptly. Use Azure AD logs and other monitoring tools to track domain additions and modifications. Mitre tactic : TA0006 Mitre technique : T1621'
Privileged Graph API Permission Assigned
'Summary This alert triggers when a privileged permission is assigned to an application or a user for the Microsoft Graph API in Azure Active Directory. Privileged permissions are those that grant extensive access to data and resources within the tenant, such as reading and writing directory data, managing user identities, or accessing sensitive information. Impact Assigning privileged permissions allows the application or user to perform a wide range of operations, including accessing and modifying critical data across the entire Azure AD tenant. Granting such permissions may lead to non-compliance with data protection regulations and organizational policies if not properly managed and monitored. Mitigation Implement a rigorous approval process for assigning privileged Graph API permissions. Ensure that only authorized personnel can approve such requests, and involve relevant stakeholders in the decision-making process. Use RBAC to assign the minimum necessary permissions required for applications and users to perform their tasks. Avoid assigning overly broad permissions unless absolutely necessary. Mitre tactic : TA0006 Mitre technique : T1021'
Tenant Wide Admin Consent Granted
'Summary This alert triggers when an administrator grants tenant-wide admin consent to an application in Azure Active Directory. Tenant-wide admin consent allows an application to access data and perform actions across the entire Azure AD tenant, bypassing individual user consent. Impact Granting tenant-wide consent gives the application extensive permissions to access data and perform operations across all user accounts within the tenant, potentially exposing sensitive information. Tenant-wide access may violate compliance requirements if the application accesses data or performs actions beyond what is necessary, especially if it involves personally identifiable information (PII) or other sensitive data. Mitigation Implement a stringent review and approval process for granting tenant-wide admin consent. Ensure that only necessary and trusted applications receive such permissions, and involve relevant stakeholders in the decision-making process. Apply the principle of least privilege by granting only the minimum necessary permissions required for the application to function. Avoid granting broad permissions unless absolutely necessary. Mitre tactic : TA0006 Mitre technique : T1621'
User Consent Denied for OAuth Application
This alert triggers when a user denies consent for an OAuth application in Azure Active Directory. OAuth applications often request permissions to access resources on behalf of the user, and user consent is required to grant these permissions. A denial indicates that the user has explicitly refused to grant the requested permissions. Impact The denial of consent prevents the OAuth application from accessing the requested resources on behalf of the user, which may result in reduced functionality or an inability to use certain features of the application. Mitigation Regularly review and audit the permissions requested by OAuth applications. Ensure that applications request only the permissions necessary for their functionality and are clearly explained to users. Implement Azure AD consent policies to manage which applications users can grant consent to. Restrict high-risk or sensitive permissions to administrative consent only. Mitre tactic : TA0006 Mitre technique : T1621
User ImmutableId Attribute Updated
'Summary This alert triggers when the ImmutableId attribute of a user in Azure Active Directory is updated. The ImmutableId is a unique identifier used to link user objects between on-premises Active Directory and Azure AD, particularly in environments where Azure AD Connect is used. Impact Changing the ImmutableId can lead to synchronization issues between the on-premises Active Directory and Azure AD, potentially resulting in duplicate user accounts or orphaned objects. Users may experience authentication issues, as the ImmutableId is crucial for single sign-on (SSO) and seamless access to cloud resources. Security Risks Mitigation Implement regular audits to monitor changes to the ImmutableId attribute. Use Azure AD logs and configure alerts to detect and review any modifications promptly. Restrict permissions for updating the ImmutableId attribute to a limited set of trusted administrators. Use role-based access control (RBAC) to enforce the principle of least privilege. Mitre tactic : TA0006 Mitra technique : T1110'
Azure AD Concurrent Sessions From Different Ips
This alert triggers when Azure Active Directory (Azure AD) detects multiple concurrent sessions for the same user account originating from different IP addresses within a short timeframe. This behavior could indicate a potential security threat, such as unauthorized access or compromised credentials. Impact Concurrent sessions from different IPs pose a significant security risk as they may indicate unauthorized access to user accounts. Attackers could use stolen credentials to log in from multiple locations simultaneously, potentially leading to data breaches, privilege escalation, or unauthorized actions within the Azure environment. Mitigation Implement MFA for all users to add an extra layer of security and mitigate the risk of unauthorized access. Continuously monitor Azure AD sign-in logs to detect and investigate suspicious sign-in activities, including concurrent sessions from different IPs. Configure conditional access policies to enforce access controls based on various factors such as user location, device compliance, or risk level. Enforce strong password policies, including regular password changes and complexity requirements, to reduce the risk of credential theft. Mitre tactic : TA0006 Mitra technique : T1110
Block User Consent For Risky Apps Disabled
This alert is triggered when the blocking of user consent for risky apps in Azure Active Directory (Azure AD) is found to be disabled. User consent for risky apps allows users to grant permissions to third-party applications, which can pose security risks if not properly monitored and controlled. Disabling this feature increases the likelihood of unauthorized access to sensitive data and resources. Impact The impact of this alert being triggered could be significant, as it indicates a potential security gap in the organizations Azure AD configuration. Disabling the blocking of user consent for risky apps increases the risk of unauthorized applications gaining access to user data and organizational resources. Attackers could exploit this vulnerability to compromise user accounts, steal sensitive information, or perform unauthorized actions within the Azure environment. Mitigation Immediately re-enable the feature to block user consent for risky apps within Azure AD. Utilize Azure AD conditional access policies to control access to third-party applications based on various factors such as user location, device compliance, or risk level. MITRE Tactic: TA0001 MITRE Technique: T1078"
High Risk Sign in
This alert is triggered when Azure Active Directory (Azure AD) detects a sign-in attempt that exhibits high-risk characteristics, such as coming from an unfamiliar location, using suspicious credentials, or displaying anomalous behavior. Impact A high-risk sign-in could indicate unauthorized access to sensitive resources within the Azure environment. If successful, attackers could steal sensitive data, compromise user accounts, or perform malicious activities such as data exfiltration or lateral movement within the organizations infrastructure. Mitigation Enforce MFA for all users, especially for privileged accounts and those accessing sensitive data or applications. Implement conditional access policies to enforce access controls based on various factors such as user location, device compliance, or risk level. Configure policies to block or require additional authentication for high-risk sign-in attempts. MITRE Tactic: TA0001 MITRE Technique: T1078"
Integration
Learn more about Coralogix's out-of-the-box integration with Azure AD in our documentation.