
Quick Start Security for Azure AD

Azure AD

Out-of-the-Box Security For Azure AD Includes:

Alerts - 16

Stay on top of Azure AD key performance metrics. Keep everyone in the know with integration with Slack, PagerDuty and more.

A user signed in without MFA

This alert detects a user sign-in without multi-factor authentication (MFA).

Impact: An account without MFA is exposed to brute-force attacks and has a higher chance of account takeover and compromise. If your organizational policy does not allow users to sign in without MFA, this alert might indicate a sign-in from a compromised account.

Mitigation: Investigate and verify with the user in question that this is a legitimate sign-in. If your organizational policy requires MFA, investigate why this user was able to sign in without it. Consider consulting with IT to check whether the Azure policy was changed or tampered with. If the activity is considered suspicious, block the user, re-enable MFA and reset their password.

MITRE Tactic: TA0004
MITRE Technique: T1078

Identity protection - risky or compromised sign-in

This alert detects risky or compromised sign-ins flagged by the Azure Identity Protection feature. Identity Protection needs to be enabled in Azure for this alert to work.

Impact: A successful sign-in by a risky or compromised account can give an adversary access to the system.

Mitigation: Investigate and verify why Azure flagged this sign-in; consult with the user and, if the sign-in was not authorized, revoke privileges, rotate passwords and investigate further.

MITRE Tactic: TA0001
MITRE Technique: T1078

An external user has redeemed his invitation to the system

A user outside the organization has redeemed their invitation and received access to the Azure environment. This alert should have been preceded by an "An external user has been invited" alert.

Impact: Some invitations can sit open for months and then be redeemed by threat actors who have compromised the invited user's account, or by users who no longer need access to the system.

Mitigation: An external user who has been granted access to the system should be inspected and validated as legitimate. Check when the invitation was originally sent; anything older than a week or two should raise suspicion and be validated with the inviting user or admin. Validate with the user who initiated the invite that the action was legitimate and intended (and that the invited email address is correct); if not, revoke the invite and block the invited user.

MITRE Tactic: TA0003
MITRE Technique: T1098

A user has been deleted

This rule detects the deletion of an Azure AD user. An alert on consecutive deletions can also be configured by fine-tuning this alert.

Impact: An adversary can delete a user to cause harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be inspected with particular care.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0040
MITRE Technique: T1531

A group has been deleted

This rule detects the deletion of an Azure AD group. An alert on consecutive deletions can also be configured by fine-tuning this alert.

Impact: An adversary can delete a group to cause harm or evade detection. Bulk deletion operations (many consecutive group deletion alerts) should be inspected with particular care.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0040
MITRE Technique: T1531

An external user has been invited

A user outside the organization has been invited to collaborate on Azure services. Note that this is only an invite; an invite that the user accepts generates an additional log entry with the operation name "redeem external user invite".

Impact: An external user invite should be inspected and validated as necessary, as it could expose internal and confidential information to a user outside the organization. Look for a log entry with the "redeem external user invite" operation name to see whether the invited user has accepted the invitation and gained access to the system.

Mitigation: Validate with the user who initiated the invite that the action was legitimate and intended (and that the invited email address is correct); if not, revoke the invite and block the invited user (if they have already received access).

MITRE Tactic: TA0003
MITRE Technique: T1078
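The redemption alert and the invite alert above are meant to be read together: the mitigation for a redemption is to find the matching invite and check how long it sat open. As an added example, not Coralogix's or Microsoft's code, the Python below pairs each "Redeem external user invite" audit event with the earliest "Invite external user" event for the same address, reports the invitation's age against the page's one-to-two-week threshold, and separately flags a redemption that has no prior invite in the log. The operation name "Invite external user", the simplified field names (time, operationName, initiatedBy, target) and the 14-day cut-off are this example's assumptions; the audit records are constructed.

```python
# Added example (not Coralogix's or Microsoft's code): correlate external-user
# invite and redemption audit events and judge the age of the invitation.
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=14)   # the page's "a week or two"; assumed cut-off

# Constructed sample audit records (not real tenant data). Field names are this
# example's simplified schema, not the exact Azure AD audit log schema.
AUDIT_LOGS = [
    {"time": "2024-03-01T09:00:00Z", "operationName": "Invite external user",
     "initiatedBy": "alice@example.com", "target": "bob@partner.example"},
    {"time": "2024-03-03T10:30:00Z", "operationName": "Redeem external user invite",
     "initiatedBy": "bob@partner.example", "target": "bob@partner.example"},
    {"time": "2024-01-05T08:00:00Z", "operationName": "Invite external user",
     "initiatedBy": "alice@example.com", "target": "carol@partner.example"},
    {"time": "2024-03-20T23:15:00Z", "operationName": "Redeem external user invite",
     "initiatedBy": "carol@partner.example", "target": "carol@partner.example"},
    {"time": "2024-03-21T02:00:00Z", "operationName": "Redeem external user invite",
     "initiatedBy": "mallory@partner.example", "target": "mallory@partner.example"},
]


def parse_time(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed records."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def check_redemptions(logs, stale_after=STALE_AFTER):
    """Return one finding per redeem event: (invited address, verdict, age in days or None)."""
    # Earliest invite per invited address; later re-invites do not reset the clock.
    invites = {}
    for rec in sorted(logs, key=lambda r: parse_time(r["time"])):
        if rec["operationName"] == "Invite external user":
            invites.setdefault(rec["target"], parse_time(rec["time"]))

    findings = []
    for rec in logs:
        if rec["operationName"] != "Redeem external user invite":
            continue
        redeemed = parse_time(rec["time"])
        sent = invites.get(rec["target"])
        if sent is None or sent > redeemed:
            # No invite on record before this redemption: validate with the admins.
            findings.append((rec["target"], "redeem_without_prior_invite", None))
            continue
        age = redeemed - sent
        verdict = "stale_invite_redeemed" if age > stale_after else "ok"
        findings.append((rec["target"], verdict, age.days))
    return findings


if __name__ == "__main__":
    for finding in check_redemptions(AUDIT_LOGS):
        print(finding)
```

A "redeem_without_prior_invite" verdict is also what a redemption whose invite record fell outside the exported time range looks like, so treat it as a lead to confirm with the inviting admin rather than as proof of tampering.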

More than 5 login failures under 5 minutes (possible brute force)

This alert detects multiple login failures: more than 5 attempts in under 5 minutes. Multiple failed login attempts can indicate a brute-force attack against the account. The alert counts login attempts per user.

Impact: A successful brute-force attack can compromise credentials and give an attacker access to the system. A successful authentication after a series of unsuccessful tries might indicate an attacker gaining access with the compromised credentials.

Mitigation: Investigate and verify with the user in question that these are legitimate attempts. If they are not, check for a successful login after the failed attempts and investigate further according to the findings.

MITRE Tactic: TA0006
MITRE Technique: T1110

More than 5 users have been deleted under 10 minutes

This rule detects the deletion of more than 5 users in under 10 minutes.

Impact: An adversary can delete users to cause harm or evade detection. Bulk deletion operations (many consecutive user deletion alerts) should be inspected with particular care.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0040
MITRE Technique: T1531

A user has been granted administrative privileges

This rule detects an Azure AD user who has been given administrative privileges. Azure AD has multiple types of administrator; see the log details for the type of privileges granted. This alert can be fine-tuned to specific administrator types using the information in the "properties.targetResources.modifiedProperties" log path.

Impact: An admin can perform many sensitive operations in the system; an adversary obtaining admin access is a worst-case scenario that should be avoided.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0003
MITRE Technique: T1078

A resource lock has been removed

This rule detects the removal of a resource lock. Resource locks are an Azure feature that prevents the accidental deletion of Azure resources: a locked resource can't be deleted and must be unlocked first.

Impact: The removal of a resource lock might indicate that a user is planning to delete a resource. Bulk removal operations (many consecutive removal alerts) should be inspected with particular care.

Mitigation: Check for a deletion log entry after the lock removal to see whether the resource has been deleted. Validate that the removal and the deletion (if it happened) were approved; if not, investigate further and revert the changes. This is a general resource lock removal alert; an alert for an attempted deletion of a locked resource can also be configured. See the relevant Azure service extension pack for details.

MITRE Tactic: TA0005
MITRE Technique: T1562

A diagnostic setting has been deleted

This rule detects the deletion of a diagnostic setting. Diagnostic settings are an Azure feature for sending the logs of specific Azure services to different log aggregators.

Impact: Deleting a diagnostic setting stops the sending of logs for that Azure service. An attacker can delete diagnostic settings to stop logging and cover their malicious activity. Bulk deletion operations (many consecutive deletion alerts) should be inspected with particular care.

Mitigation: Validate that the action was approved; if not, investigate further and revert the changes.

MITRE Tactic: TA0005
MITRE Technique: T1562

No logs from Azure AD

This rule detects when there have been no Azure AD logs in the customer account for the last 12 hours. Note: this alert should be configured with the relevant application and subsystem.

Impact: Disabling logging is a tactic that adversaries might employ, as part of various MITRE ATT&CK techniques, to avoid detection, cover their tracks, or impede incident response investigations.

Mitigation: Address the logging gap to ensure comprehensive monitoring within the Coralogix SIEM.

MITRE Tactic: TA0005
MITRE Technique: T1562

Possible MFA fatigue attack

Triggers when a user repeatedly rejects or does not respond to Azure AD multi-factor authentication (MFA) push notifications.

Impact: Detects repeated MFA rejections, the pattern characteristic of an MFA fatigue attack.

Mitigation: Consult with the user to clarify the reasons behind the MFA push notification rejections and verify whether they initiated the requests; escalate to disabling the account and initiating incident response if malicious activity is suspected.

MITRE Tactic: TA0006
MITRE Technique: T1621

Credential Stuffing Attack on Azure

Triggers when a network IP address or user agent is identified as linked to numerous login attempts across different user accounts.

Impact: A credential stuffing attack on Azure can lead to unauthorized access to multiple user accounts, posing a severe security risk. It can result in data breaches, loss of sensitive information, and potential service disruption for legitimate users.

Mitigation: Review the logs to validate the legitimacy of the login attempts and rotate the affected users' credentials if a compromise is detected.

MITRE Tactic: TA0006
MITRE Technique: T1110
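The brute-force alert (more than 5 failed logins per user in under 5 minutes), the bulk-deletion alert (more than 5 users deleted in under 10 minutes) and the credential-stuffing alert above (one source address hitting many different accounts) are all instances of the same sliding-window count, differing only in what is matched, what the count is grouped by, and whether it counts events or distinct values. As an added example, not Coralogix's rule engine, the Python below implements that general detector with the page's thresholds as rule parameters, plus the follow-up check the brute-force mitigation asks for: a successful login shortly after the burst of failures. The event schema, the threshold of 5 distinct accounts in 5 minutes for credential stuffing (the page says only "numerous") and the 10-minute follow-up window are this example's assumptions; the events are constructed.

```python
# Added example (not Coralogix's rule engine): a generic sliding-window threshold
# detector that expresses three of the page's alerts as rule parameters.
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed events."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def _evt(time, kind, user, ip="203.0.113.10", result=None, operation=None, target=None):
    # Simplified event schema assumed by this example (not the Azure AD log schema).
    return {"time": ts(time), "kind": kind, "user": user, "ip": ip,
            "result": result, "operation": operation, "target": target}


# Constructed sample events (not real tenant data); addresses are RFC 5737 documentation ranges.
EVENTS = (
    # dave: six failures within 2.5 minutes from one address, then a success
    [_evt(f"2024-03-20T08:{30 * i // 60:02d}:{30 * i % 60:02d}Z", "signin",
          "dave@example.com", "198.51.100.7", result="failure") for i in range(6)]
    + [_evt("2024-03-20T08:07:00Z", "signin", "dave@example.com", "198.51.100.7", result="success")]
    # one address trying six different accounts once each within a minute
    + [_evt(f"2024-03-20T09:00:{10 * i:02d}Z", "signin", f"user{i}@example.com",
            "192.0.2.44", result="failure") for i in range(6)]
    # erin: two failures an hour apart (ordinary typo noise, below every threshold)
    + [_evt("2024-03-20T10:00:00Z", "signin", "erin@example.com", result="failure"),
       _evt("2024-03-20T11:00:00Z", "signin", "erin@example.com", result="failure")]
    # an admin deleting six different users within five minutes
    + [_evt(f"2024-03-20T12:0{i}:00Z", "audit", "admin@example.com",
            operation="Delete user", target=f"victim{i}@example.com") for i in range(6)]
)

RULES = [
    # page: more than 5 login failures per user in under 5 minutes
    {"name": "possible brute force", "window": timedelta(minutes=5), "threshold": 5,
     "match": lambda e: e["kind"] == "signin" and e["result"] == "failure",
     "key": lambda e: e["user"], "distinct": None},
    # page: more than 5 users deleted in under 10 minutes, tenant-wide (constant key),
    # counting distinct deleted accounts
    {"name": "bulk user deletion", "window": timedelta(minutes=10), "threshold": 5,
     "match": lambda e: e["kind"] == "audit" and e["operation"] == "Delete user",
     "key": lambda e: "tenant", "distinct": "target"},
    # page: one IP linked to attempts across many accounts; the page gives no number,
    # so "more than 5 distinct accounts in 5 minutes" is this example's assumption
    {"name": "credential stuffing", "window": timedelta(minutes=5), "threshold": 5,
     "match": lambda e: e["kind"] == "signin" and e["result"] == "failure",
     "key": lambda e: e["ip"], "distinct": "user"},
]


def run_rules(events, rules=RULES):
    """Evaluate every rule over the events; return (rule name, key, time of first crossing)."""
    alerts = []
    recent = [defaultdict(deque) for _ in rules]   # per rule: key -> events still in window
    fired = [set() for _ in rules]                  # alert once per key per run
    for e in sorted(events, key=lambda ev: ev["time"]):
        for i, rule in enumerate(rules):
            if not rule["match"](e):
                continue
            key = rule["key"](e)
            q = recent[i][key]
            q.append(e)
            # Drop events at or beyond the window so the span stays "under N minutes".
            while e["time"] - q[0]["time"] >= rule["window"]:
                q.popleft()
            if rule["distinct"]:
                count = len({x[rule["distinct"]] for x in q})
            else:
                count = len(q)
            if count > rule["threshold"] and key not in fired[i]:
                fired[i].add(key)
                alerts.append((rule["name"], key, e["time"]))
    return alerts


def success_after_burst(events, alerts, grace=timedelta(minutes=10)):
    """Page's follow-up check: a successful sign-in soon after a brute-force alert for that user.
    The 10-minute grace window is this example's assumption."""
    bursts = {key: t for name, key, t in alerts if name == "possible brute force"}
    hits = []
    for e in sorted(events, key=lambda ev: ev["time"]):
        if e["kind"] == "signin" and e["result"] == "success" and e["user"] in bursts:
            if timedelta(0) <= e["time"] - bursts[e["user"]] <= grace:
                hits.append((e["user"], e["time"]))
    return hits


if __name__ == "__main__":
    found = run_rules(EVENTS)
    for alert in found:
        print(alert)
    print("success after burst:", success_after_burst(EVENTS, found))
```

Because each rule keeps only the events inside its window, the detector runs in a single pass over time-ordered input and forgets old data on its own, which is the property a streaming SIEM rule needs. The erin events show the threshold doing its job: two failures an hour apart never accumulate, so no alert fires for ordinary mistyped passwords.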

Azure Active Directory risky sign-in

Triggers when Azure Identity Protection identifies an Azure Active Directory login as risky.

Impact: Identifies risky Azure AD logins.

Mitigation: Verify the user's sign-in location to check whether it is a valid location. If the activity is not legitimate, disable the user's account.

MITRE Tactic: TA0001
MITRE Technique: T1078

Privileged Identity Management member assigned

Triggers whenever a user assigns an administrative role in Azure Privileged Identity Management (PIM).

Impact: Alerts on admin role assignment in PIM.

Mitigation: Verify the API call and confirm whether the user was assigned an admin role. In case of a malicious request, rotate the credentials and inform the incident response team. [Ref: https://docs.microsoft.com/en-us/azure/active-directory/roles/best-practices ]

MITRE Tactic: TA0003
MITRE Technique: T1098

Documentation

Learn more about Coralogix's out-of-the-box integration with Azure AD in our documentation.
