...
Purpose
An analyst wants to detect malicious authentication and privilege changes. Using the Entra ID collector to send identity and access logs to Devo, the analyst will find privilege escalation events. As a result, the analyst will remove malicious accounts, preventing them from disabling or modifying Entra ID resources.
The Entra ID brand has replaced Azure Active Directory. The Entra ID collector works with over 2,000 applications, including any that support a standard authentication method.
Typically, Entra ID is used with Microsoft’s cloud and on-premises products.
Example tables

| Table | Description |
|---|---|
| cloud.azure.ad.* | Entra ID identity and access management logs. |
| cloud.azure.ad.signin_all | This union table combines all the different Entra ID authentication logs. |
| | Authentication logs, including Entra ID. |
Authorize it
First, authorize an event hub. Then add Entra ID to the event hub.
Switch to the directory.
...
Add your Entra ID diagnostic settings. Devo recommends enabling all log options.
Run it
The Entra ID collector is run the same way as the Azure Event Hub collector.
Secure it
Devo Exchange provides different Alert Packs to help you monitor Entra ID data:
The Authentication alert pack detects malicious authentication patterns in user access to systems.
Data destruction attempt
Find privilege escalation, including roles, groups, and administrative units. Unexpected privilege escalation may indicate a user intends to exfiltrate or destroy data.
```
from cloud.azure.ad.audit
where startswith(operationName,"Add"), toktains(operationName,"member to")
group by operationName as escalation_type,
properties_initiatedBy_user_displayName as actor,
properties_targetResources as target
```
Identity compromise
A password reset or change may occur when an account is compromised.
```
from cloud.azure.ad.audit
where eq(operationName,"User started password reset") or
(weakhas(operationName,"change") and has(operationName,"password")) or
startswith(operationName,"Reset password")
```
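The two audit-log detections above, the privilege escalation query and the identity compromise query, re-implemented over a constructed event hub message as an added example (not Devo's code and not part of the original page). It assumes the record shape the Entra ID diagnostic setting writes to an event hub (`records[].operationName`, `records[].properties.initiatedBy.user.displayName`, `records[].properties.targetResources`), which is what the `properties_initiatedBy_user_displayName` column in the query is flattened from; the operation names and actors are sample values.

```python
import json
from collections import Counter

# Constructed sample of Entra ID audit records in the shape the Azure
# diagnostic setting sends to an event hub. Only the fields the two
# detections read are included (assumption about the record layout).
SAMPLE_RECORDS = json.dumps({"records": [
    {"operationName": "Add member to role", "properties": {"initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Global Administrator"}]}},
    {"operationName": "Add member to group", "properties": {"initiatedBy": {"user": {"displayName": "Bob Builder"}},
     "targetResources": [{"displayName": "Finance"}]}},
    {"operationName": "Add user", "properties": {"initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "new.user"}]}},
    {"operationName": "Reset password (by admin)", "properties": {"initiatedBy": {"user": {"displayName": "Alice Admin"}},
     "targetResources": [{"displayName": "Bob Builder"}]}},
    {"operationName": "Change user password", "properties": {"initiatedBy": {"user": {"displayName": "Bob Builder"}},
     "targetResources": [{"displayName": "Bob Builder"}]}},
]})


def is_privilege_escalation(op):
    # startswith(operationName,"Add") and toktains(operationName,"member to"):
    # toktains matches on whole tokens, so pad with spaces to keep word boundaries.
    return op.startswith("Add") and " member to " in f" {op.lower()} "


def is_password_event(op):
    # eq(...) is exact, weakhas(...) is case-insensitive, has(...) is
    # case-sensitive, startswith(...) is a prefix match.
    return (op == "User started password reset"
            or ("change" in op.lower() and "password" in op)
            or op.startswith("Reset password"))


def summarize(raw):
    """Return (escalations grouped by type/actor/target, password events)."""
    escalations = Counter()
    password_events = []
    for rec in json.loads(raw)["records"]:
        op = rec["operationName"]
        props = rec.get("properties", {})
        actor = props.get("initiatedBy", {}).get("user", {}).get("displayName")
        targets = ",".join(t.get("displayName", "") for t in props.get("targetResources", []))
        if is_privilege_escalation(op):
            escalations[(op, actor, targets)] += 1  # group by escalation_type, actor, target
        if is_password_event(op):
            password_events.append((op, actor, targets))
    return escalations, password_events
```

Note that "Add user" is excluded by the token check even though it starts with "Add", which is the distinction the LINQ `toktains` clause draws.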
Authentication risk
Get authentication risks detected by Microsoft.
```
from cloud.azure.ad.signin_all
where not eq(risk_state,"none"), isnotnull(risk_state)
group by user, risk_state, risk_detail
```
Monitor it
Create an inactivity alert that detects interruptions in the transfer of data from the source to the event hub, using the following query:
```
from cloud.azure.ad.signin_all
where eq(action,"LOGIN"),isnotnull(application)
//Divide the applications into a few simple, but subjective, categories
select peek(application,"(?i)Azure|Office|Sharepoint|Windows|Microsoft") as application_category
where isnotnull(application_category)
//Create an inactivity alert to detect an interruption to logins
select split(hostchain,"-",1)+" "+application_category as monitor_collector_and_application_category
```
Set the inactivity alert to keep track of the monitor_collector_and_application_category. The alert will trigger if a particular collector stops receiving login events from popular applications such as Office. This can occur if Office authentication is broken or if all users are on holiday.