Defending Azure Active Directory (Entra ID): Unveiling Threats through Hunting Techniques

Azure Active Directory (Entra ID) stands as one of the most popular and widely-used cloud-based identity and access management services provided by Microsoft. It serves as a comprehensive solution for managing user identities and controlling access to a diverse range of resources, both within the Microsoft Azure ecosystem and across other platforms. Azure AD offers crucial features like single sign-on (SSO), multi-factor authentication (MFA), role-based access control (RBAC), and directory services. 

Understanding Azure AD logs is essential for maintaining a robust security posture in a cloud-centric environment. These logs provide a comprehensive record of user activities, authentication attempts, and access permissions. By analyzing Azure AD logs, organizations can detect and respond to suspicious or unauthorized activities promptly, identify security threats, track user behavior, and ensure compliance with regulatory requirements. Understanding these logs is pivotal in proactively mitigating security risks, protecting sensitive data, and safeguarding the integrity of Azure-based services, making it a fundamental aspect of any effective cybersecurity strategy in the cloud.

Reading this blog will provide you with:

  • Understanding of the logs that can be extracted from your Azure AD, and how.
  • Knowledge about how to analyze these logs, and get the right information out of them.
  • Learning about more than 10 threat scenarios and corresponding hunting queries that you can run in your own environment to identify threats.
  • Access to a tool Rezonate wrote to extract logs from AzureAD to any preferred analysis platform of your choice.

Azure Active Directory Log Sources

Azure Active Directory (Azure AD) offers two log sources that capture different types of events and activities within the Azure AD environment. These logs provide valuable insights for monitoring, security, and compliance purposes:

  1. Sign-in Logs: capture information about user sign-ins, including successful and failed attempts, sign-in locations, device details, and authentication methods used.
  2. Directory Audit Logs: capture information about various administrative activities, such as changes to user accounts, group memberships, application access, role assignments, and permission modifications.

Data retention settings for the different licensing levels can be found here.

Azure AD Sign-in Logs

Azure AD sign-in logs are records that capture information about user sign-in activities within the Azure Active Directory (Azure AD) environment. These logs provide insights into the authentication and access activities of users as they interact with Azure AD-integrated applications and services. Sign-in logs are a crucial component of monitoring and maintaining the security of an organization’s identity and access management infrastructure. The full structure of the sign-in logs can be found on Microsoft’s official reference page. Every data point in the log record could be useful in certain use cases, but we highlighted the ones that you should focus on for most investigations and hunting scenarios:

  • Id: Unique identifier for the event.
  • CreatedDateTime: Event time.
  • ActivityDisplayName: The name of the activity, used as the type of the event. The full list can be found in Microsoft’s documentation.
  • AppId: The identifier of the Azure AD application that the entity logged in to.
  • AppDisplayName: The name of the Azure AD application that the entity logged in to.
  • UserPrincipalName: The user name that was used to sign in.
  • DeviceDetail: The device information from where the sign-in occurred. This property includes the client’s operating system and browser details.
  • IpAddress: The IP address that was used for the authentication.
  • UserAgent: The user agent that was used for the authentication.
  • Status: Indicates the result of the sign-in. The full list of errors can be found in Microsoft’s documentation.
  • IsInteractive: Indicates if the sign-in was interactive or not.
  • CorrelationId: A unique identifier that is used to correlate other logs that are related to a specific sign-in event.

Sign-in logs are separated into four groups:

  • Interactive sign-in: Interactive sign-ins occur when a user logs in using a web browser, a mobile app, or another client application, and the user directly interacts with the authentication prompts. 
  • Non-interactive sign-ins: These logs typically involve automated processes, such as service accounts, background tasks, or system-to-system interactions, where user intervention is not necessary for authentication to occur.
  • Service principal sign-ins:  A service principal is a security identity used by applications, services, or automation tasks to access Azure resources and perform specific actions. Service principal sign-ins occur when these identities are used to authenticate and access resources or services.
  • Managed identity sign-ins: A managed identity is a feature in Azure that provides an identity for resources like virtual machines, Azure services, and applications. This identity can be used to authenticate with various Azure services without requiring explicit credential management.

Managed identity sign-ins occur when resources or applications use their managed identity to authenticate and access other Azure services, APIs, or resources.

Azure AD Directory Audit Logs

Azure AD directory audit logs are records that capture details about administrative activities and changes within an Azure Active Directory (Azure AD) environment. These logs provide insights into actions taken by administrators or privileged users that impact user identities, groups, roles, and directory settings.

Directory audit logs are essential for maintaining security, compliance, and accountability within an organization’s identity and access management infrastructure. These logs help track changes, monitor user activities, and investigate potential security incidents.

The structure of the audit logs can be found on Microsoft’s official reference page.

Each data point in this log could be useful but we highlighted some of them that you should focus on for most investigations and hunting scenarios:

  • Id: Unique identifier for the event.
  • ActivityDateTime: Event time.
  • ActivityDisplayName: The name of the activity, used as the type of the event. The full list can be found in Microsoft’s documentation.
  • InitiatedBy: Provides information about the entity that performed the action that triggered the event.
  • TargetResources: The resources that were involved in the event.
  • Result: Indicates the result of the event.
  • ResultReason: Logs the reason for a failure if the event was not successful.
  • CorrelationId: A unique identifier that is used to correlate the event to a specific sign-in event.

Exporting Azure AD Logs

Exporting Azure AD logs requires one of the following roles:

  • Reports Reader
  • Security Reader
  • Security Administrator
  • Global Reader
  • Global Administrator

There are two primary approaches to accessing Azure AD logs.

1. Azure AD Console:

In the monitoring section, you will find both “Sign-in Logs” and “Audit logs”.

  1. Login to Azure Portal
  2. From the Azure Services, select Azure Active Directory
  3. From the left pane, navigate to the “Monitoring” section

Each sign-in event, of an interactive user, is displayed as a single event and can be expanded to view more detailed information:

The three remaining sign-in log groups are displayed differently. Instead of showing each sign-in attempt as a single event, the sign-in events are grouped by the target application that the user signed into:

2. Exporting The Logs To CSV/JSON

While accessing the Azure AD logs from the Azure portal is easy, it is recommended to export the logs out of Azure AD so you will be able to cross-reference Azure AD activity with other data sources, perform advanced queries, and analyze it at scale.

To export logs from Azure AD, we recommend using an Azure AD application and Microsoft Graph API. Follow the instructions below to create a new application for logs export in your tenant:

  1. Sign in to the Azure portal using your administrator account.
  2. From the Azure services, choose Azure Active Directory.
  3. From the left pane, choose App Registrations
  4. Click on “New Registration”.
  5. Name it as you wish.
  6. In “Supported account types” select “Accounts in this organizational directory only (Default Directory only – Single tenant)”.
  7. Click Register.
  8. In the newly created application page, from the left pane, choose API Permissions.
  9. Click on Add permission.
  10. Click on Microsoft Graph – Application Permissions.
  11. Type “AuditLog” in the search box.
  12. Click on “AuditLog.Read.All”, and then “Add permissions”.
  13. Grant admin consent for the default directory – In other words, allow the application to use the assigned privileges.
  14. From the left pane, choose “Certificates and Secrets”
  15. Click on “New client secret”
  16. Choose your desired expiration date.
  17. Use the new secret to authenticate to Azure AD and query your logs.
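Once the application exists, the export itself is a client-credentials token request followed by paging through the two Graph endpoints behind the sign-in and directory audit logs. The script below is an added example written for this post, not Rezonate’s tool; it uses only the Python standard library, assumes the tenant id, client id and secret of the application created above are in the environment variables AZ_TENANT_ID, AZ_CLIENT_ID and AZ_CLIENT_SECRET (assumed names), and writes each source as JSON lines so the records can be loaded into Postgres or any other analysis platform.

```python
import json
import os
import urllib.parse
import urllib.request

TOKEN_URL = "https://login.microsoftonline.com/{tenant}/oauth2/v2.0/token"
GRAPH = "https://graph.microsoft.com/v1.0"
# The two log sources described above and their Graph endpoints
SOURCES = {
    "sign_in": f"{GRAPH}/auditLogs/signIns",
    "directory_audit": f"{GRAPH}/auditLogs/directoryAudits",
}
# Time field to filter on, per source
TIME_FIELD = {"sign_in": "createdDateTime", "directory_audit": "activityDateTime"}


def token_request_body(client_id, client_secret):
    """Form body for the OAuth2 client-credentials grant used by the app registration."""
    return {
        "grant_type": "client_credentials",
        "client_id": client_id,
        "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
    }


def get_token(tenant, client_id, client_secret):
    """Exchange the client secret for a Graph access token."""
    body = urllib.parse.urlencode(token_request_body(client_id, client_secret)).encode()
    req = urllib.request.Request(TOKEN_URL.format(tenant=tenant), data=body, method="POST")
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)["access_token"]


def graph_fetcher(token):
    """Return a function that GETs a Graph URL with the bearer token and decodes the JSON body."""
    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)
    return fetch


def source_url(source, since_iso, page_size=500):
    """First page URL: records of `source` at or after `since_iso` (UTC, e.g. 2023-09-01T00:00:00Z)."""
    flt = urllib.parse.quote(f"{TIME_FIELD[source]} ge {since_iso}")
    return f"{SOURCES[source]}?$filter={flt}&$top={page_size}"


def collect_pages(fetch, first_url, max_pages=10000):
    """Follow Graph's @odata.nextLink paging and return every record.

    `fetch` is injected so the paging logic can be exercised without a network.
    """
    records, url, pages = [], first_url, 0
    while url and pages < max_pages:
        page = fetch(url)
        records.extend(page.get("value", []))
        url = page.get("@odata.nextLink")  # absent on the last page
        pages += 1
    return records


def export(source, since_iso, out_path):
    """Pull one log source since `since_iso` and write it as JSON lines for any analysis platform."""
    token = get_token(os.environ["AZ_TENANT_ID"], os.environ["AZ_CLIENT_ID"],
                      os.environ["AZ_CLIENT_SECRET"])  # assumed variable names
    records = collect_pages(graph_fetcher(token), source_url(source, since_iso))
    with open(out_path, "w", encoding="utf-8") as fh:
        for rec in records:
            fh.write(json.dumps(rec) + "\n")
    return len(records)


if __name__ == "__main__":
    for name in SOURCES:
        print(name, export(name, "2023-09-01T00:00:00Z", f"{name}.jsonl"), "records")
```

The fetch function is injected into the paging loop so that the paging logic can be tested against canned pages; the `max_pages` guard keeps a misbehaving `@odata.nextLink` from looping forever. Keep the client secret out of the script itself (here it comes from the environment) and rotate it according to the expiration chosen in step 16.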

Let the Hunt Begin

In this section, we will guide you through some of the top-relevant threat scenarios to look out for, explain them, mark the Relevant Azure AD Event Sources, align to the specific MITRE ATT&CK technique, and include our own queries in Postgres query syntax.

Scenario 1 – Brute Force on an Azure AD User

A brute force attack on an Azure AD user involves an attacker repeatedly trying different passwords until one is guessed correctly, eventually gaining unauthorized access. To hunt for any occurrence of this scenario, you can search for an actor that performed more than X failed login attempts on at least Y target users, whether the attempts keep failing or end with a successful login. In cases of failure, the activity may result in a user lockout. (Read more about Microsoft’s Smart Lockout protection mechanism)

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Get users who failed to log in from the same IP address at least 5 times
SELECT "userPrincipalName", "ipAddress", "appDisplayName", "userAgent", count(id) AS "eventCount", min("createdDateTime") AS "first_event", max("createdDateTime") AS "last_event"
FROM sign_in_activity_azure_ad_entity siaaae
WHERE "errorCode" = 50126 -- Error code for invalid credentials
AND "createdDateTime" > now() - interval 'X hours' -- replace X with the lookback window
GROUP BY "userPrincipalName", "ipAddress", "appDisplayName", "userAgent"
HAVING count(id) >= 5
ORDER BY "eventCount" DESC

MITRE Technique

Attention: The user-agent field in authentication logs indicates the client application employed for the authentication process. To bypass modern authentication requirements like Multi-Factor Authentication (MFA), threat actors might exploit legacy authentication protocols such as SMTP. In cases where a legacy protocol is utilized for authentication, the user agent in the logs will be identified as ‘BAV2ROPC’.

In case you encounter a brute force attempt with the user agent set to ‘BAV2ROPC’, it is crucial to consider it as malicious unless proven otherwise.

Scenario 2 – Password Spray on an Azure AD Account

A password spray attack on an Azure AD account involves an attacker submitting the same password (or a small set of passwords) against many different usernames, eventually managing to log in and gain unauthorized access. To hunt for any occurrence of this scenario, you can search for an actor that performed at least one failed login attempt against at least Y unique target users from the same IP address.

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Get IP addresses that failed to log in to at least 5 unique users
SELECT "ipAddress", "appDisplayName", "userAgent", count(distinct "userPrincipalName") AS "userCount", count(id) AS "eventCount", min("createdDateTime") AS "first_event", max("createdDateTime") AS "last_event"
FROM sign_in_activity_azure_ad_entity siaaae
WHERE "errorCode" = 50126 -- Error code for invalid credentials
AND "createdDateTime" > now() - interval '1000 hours'
GROUP BY "ipAddress", "appDisplayName", "userAgent"
HAVING count(distinct "userPrincipalName") >= 5
ORDER BY "userCount" DESC

-- For each result, check if the source IP address managed to log in to any of the target users AFTER the "last_event" time
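The same two hunts (Scenario 1 brute force and Scenario 2 password spray), including the follow-up check for a later successful sign-in from the same IP and the ‘BAV2ROPC’ legacy-authentication flag from the note above, can be run directly over exported sign-in records. The code below is an added example, not Rezonate’s code or part of the original post; the records are constructed and shaped like the Graph signIn resource (userPrincipalName, ipAddress, userAgent, status.errorCode, createdDateTime), and the thresholds X and Y are the `min_failures` and `min_users` parameters.

```python
from collections import defaultdict
from datetime import datetime

INVALID_CREDENTIALS = 50126          # status.errorCode: wrong password
LEGACY_AUTH_USER_AGENT = "BAV2ROPC"  # legacy-protocol marker described in the note above


def _rec(ts, upn, ip, code, user_agent="Mozilla/5.0"):
    """Build a constructed sign-in record shaped like the Graph signIn resource (not a real log)."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "userAgent": user_agent, "appDisplayName": "Office 365 Exchange Online",
            "status": {"errorCode": code}}


# Constructed sample data: one IP hammers alice over legacy auth and then succeeds, a second IP
# tries one password against five users, and bob mistypes his password twice from the office.
SAMPLE_SIGN_INS = (
    [_rec(f"2023-09-01T10:00:{i:02d}Z", "alice@contoso.example", "203.0.113.10",
          INVALID_CREDENTIALS, LEGACY_AUTH_USER_AGENT) for i in range(6)]
    + [_rec("2023-09-01T10:01:00Z", "alice@contoso.example", "203.0.113.10", 0, LEGACY_AUTH_USER_AGENT)]
    + [_rec(f"2023-09-01T11:00:{i:02d}Z", f"user{i}@contoso.example", "198.51.100.7", INVALID_CREDENTIALS)
       for i in range(5)]
    + [_rec(f"2023-09-01T12:00:{i:02d}Z", "bob@contoso.example", "192.0.2.1", INVALID_CREDENTIALS)
       for i in range(2)]
)


def _ts(rec):
    return datetime.fromisoformat(rec["createdDateTime"].replace("Z", "+00:00"))


def _failed(rec):
    return rec["status"]["errorCode"] == INVALID_CREDENTIALS


def success_after(records, ip, upn, after):
    """The follow-up check from Scenario 2: did this IP sign the user in after the last failure?"""
    return any(r["ipAddress"] == ip and r["userPrincipalName"] == upn
               and r["status"]["errorCode"] == 0 and _ts(r) > after for r in records)


def brute_force(records, min_failures=5):
    """Scenario 1: one IP, one user, at least `min_failures` invalid-credential sign-ins."""
    groups = defaultdict(list)
    for r in records:
        if _failed(r):
            groups[(r["ipAddress"], r["userPrincipalName"], r["userAgent"])].append(_ts(r))
    hits = []
    for (ip, upn, ua), times in groups.items():
        if len(times) < min_failures:
            continue
        last = max(times)
        hits.append({"ipAddress": ip, "userPrincipalName": upn, "failures": len(times),
                     "firstEvent": min(times), "lastEvent": last,
                     "legacyAuth": ua == LEGACY_AUTH_USER_AGENT,  # malicious until proven otherwise
                     "successAfter": success_after(records, ip, upn, last)})
    return sorted(hits, key=lambda h: -h["failures"])


def password_spray(records, min_users=5):
    """Scenario 2: one IP with invalid-credential failures against at least `min_users` distinct users."""
    users, times = defaultdict(set), defaultdict(list)
    for r in records:
        if _failed(r):
            users[r["ipAddress"]].add(r["userPrincipalName"])
            times[r["ipAddress"]].append(_ts(r))
    hits = []
    for ip, upns in users.items():
        if len(upns) < min_users:
            continue
        last = max(times[ip])
        hits.append({"ipAddress": ip, "userCount": len(upns), "targetUsers": sorted(upns),
                     "firstEvent": min(times[ip]), "lastEvent": last,
                     # users the same IP later signed in successfully: likely compromised
                     "compromised": sorted(u for u in upns if success_after(records, ip, u, last))})
    return sorted(hits, key=lambda h: -h["userCount"])


if __name__ == "__main__":
    for hit in brute_force(SAMPLE_SIGN_INS) + password_spray(SAMPLE_SIGN_INS):
        print(hit)
```

On the sample data the first function reports alice’s six failures from 203.0.113.10 with `legacyAuth` and `successAfter` both true, which is the combination the note above says to treat as malicious; the second reports the five-user spray from 198.51.100.7 with an empty `compromised` list, and bob’s two typos fall below both thresholds.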

MITRE Technique

Scenario 3 – Multiple User Lockouts

In certain instances of brute force attacks, the malicious actor may lock out the targeted users during their unauthorized access attempts. To identify such scenarios, we can employ a detection method that involves searching for multiple user lockouts originating from a single IP address.

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Search for multiple user lockouts from the same IP address
SELECT "ipAddress", count(distinct "userPrincipalName") AS "userCount", "appDisplayName", "userAgent", min("createdDateTime") AS "first_event", max("createdDateTime") AS "last_event"
FROM sign_in_activity_azure_ad_entity
WHERE "errorCode" = 50053 -- Error code for user locked out
AND "createdDateTime" > now() - interval 'X hours' -- replace X with the lookback window
GROUP BY "ipAddress", "appDisplayName", "userAgent"
HAVING count(distinct "userPrincipalName") >= 5
ORDER BY "userCount" DESC

MITRE Technique

Scenario 4 – Multiple Authentication Failures During MFA Challenge

When an attacker who has compromised the credentials of an Azure AD user protected by MFA attempts to authenticate, a sign-in log with the error code 500121 is generated. This code corresponds to the following message: “The user didn’t complete the MFA prompt. They may have decided not to authenticate, timed out while doing other work, or have an issue with their authentication setup.”

We can highlight suspicious IP addresses that generated multiple events with the mentioned error code. 

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Search for failed authentication attempts during MFA challenges
SELECT "userPrincipalName", "ipAddress", "appDisplayName", "userAgent", count(id) AS "eventCount", min("createdDateTime") AS "first_event", max("createdDateTime") AS "last_event"
FROM sign_in_activity_azure_ad_entity siaaae
WHERE "errorCode" = 500121 -- Error code for no MFA response
AND "createdDateTime" > now() - interval '2000 hours'
GROUP BY "userPrincipalName", "ipAddress", "appDisplayName", "userAgent"
HAVING count(id) > 1
ORDER BY "eventCount" DESC

MITRE Technique

Scenario 5 – Authentication Attempt to a Disabled User

In some cases, Azure AD user accounts might have been disabled due to security concerns, or as part of employee off-boarding. Monitoring login attempts to disabled users can help you detect unauthorized activities.

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Search for login attempts to disabled users
SELECT "ipAddress", count(distinct "userPrincipalName") AS "userCount", "appDisplayName", "userAgent", min("createdDateTime") AS "first_event", max("createdDateTime") AS "last_event"
FROM sign_in_activity_azure_ad_entity
WHERE "errorCode" = 50057 -- Error code for user disabled
-- AND "createdDateTime" > now() - interval 'X hours' -- optional lookback filter
GROUP BY "ipAddress", "appDisplayName", "userAgent"
ORDER BY "userCount" DESC

MITRE Technique

Scenario 6 – Suspicious User Consent to Application

When an attacker gains access to an Azure AD tenant, they can create a new multi-tenant application equipped with specific API permissions such as Mail.Read, Mail.Send, MailboxSettings.ReadWrite, Files.ReadWrite.All and User.ReadBasic.All, none of which require administrative consent.

Next, the attacker invites external users (potential victims) to use this application. Upon the first login by a new user to the attacker’s application, a “Consent” prompt appears. If the user grants consent to the application, it enables the application to perform actions on behalf of the user, potentially leading to unauthorized access and misuse of the user’s data and resources.

We can use non-administrative consent events to detect applications that were granted access to user data without an administrator reviewing them.

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Search for non-administrative application consent
select id, dn, "newValue"
from (select id, jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'displayName' as "dn",
             jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' as "newValue"
      from directory_audit_activity_azure_ad_entity daaaae
      where "activityDisplayName" = 'Consent to application') as subsearch
where dn = 'ConsentContext.IsAdminConsent' and "newValue" = '"False"' -- newValue is a JSON-encoded string, hence the quoted False

MITRE Technique

Scenario 7 – Persistence Via Service Principal Credentials

An attacker could establish a persistence mechanism by adding new credentials to an already existing Azure AD application if they hold one of the following roles or permissions:

  1. Application Administrator
  2. Global Administrator (GA)
  3. microsoft.directory/applications/credentials/update

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Search for new application credential events
SELECT "id", "user", "ip", "activityDateTime", "activityDisplayName", "property", count("oldVals") AS "oldValsCount", count("newVals") AS "newValsCount"
FROM (
    SELECT "id", "user", "ip", "activityDateTime", "activityDisplayName", "property",
           jsonb_array_elements("oldVal"::jsonb) AS "oldVals", jsonb_array_elements("newVal"::jsonb) AS "newVals"
    FROM (
        SELECT "id", "initiatedBy"->'user'->>'ipAddress' AS "ip", "initiatedBy"->'user'->>'userPrincipalName' AS "user", "activityDateTime", "activityDisplayName",
               jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'displayName' AS "property",
               jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'oldValue' AS "oldVal",
               jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' AS "newVal"
        FROM directory_audit_activity_azure_ad_entity
        WHERE "activityDisplayName" = 'Update application – Certificates and secrets management' -- note the en dash in the activity name
    ) AS subquery
    WHERE "oldVal" != '[]' AND "oldVal" IS NOT NULL -- skips the first credential ever added to an app; drop this filter to include it
) AS query
GROUP BY "id", "user", "ip", "activityDateTime", "activityDisplayName", "property"
HAVING count("newVals") > count("oldVals") -- more credentials after the change than before
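Both of the audit-log hunts above (Scenario 6 consent, Scenario 7 credential additions) come down to walking targetResources[].modifiedProperties[] and decoding the oldValue/newValue strings, which the Graph directoryAudit resource stores as JSON-encoded text (hence the `'"False"'` comparison and the `::jsonb` cast in the queries). The code below is an added example, not Rezonate’s code; the audit records are constructed, with the KeyDescription entries shaped as a list of key objects carrying a KeyIdentifier, and unlike the Scenario 7 query it also reports the first credential added to an application.

```python
import json

CONSENT_ACTIVITY = "Consent to application"
CREDENTIAL_ACTIVITY = "Update application – Certificates and secrets management"


def _decode(value):
    """oldValue/newValue are JSON-encoded strings (e.g. '"False"' or '[{...}]'); decode them."""
    if value in (None, ""):
        return None
    try:
        return json.loads(value)
    except ValueError:
        return value  # not JSON: keep the raw string


def modified_properties(record):
    """Yield (displayName, oldValue, newValue) for every modified property of every target resource."""
    for target in record.get("targetResources") or []:
        for prop in target.get("modifiedProperties") or []:
            yield prop.get("displayName"), _decode(prop.get("oldValue")), _decode(prop.get("newValue"))


def actor(record):
    """Who did it (user UPN, or app name for app-initiated events) and from which IP."""
    who = record.get("initiatedBy") or {}
    user, app = who.get("user") or {}, who.get("app") or {}
    return user.get("userPrincipalName") or app.get("displayName"), user.get("ipAddress")


def non_admin_consents(records):
    """Scenario 6: 'Consent to application' events where ConsentContext.IsAdminConsent is False."""
    hits = []
    for r in records:
        if r.get("activityDisplayName") != CONSENT_ACTIVITY:
            continue
        new_values = {name: new for name, _, new in modified_properties(r)}
        if str(new_values.get("ConsentContext.IsAdminConsent")).lower() == "false":
            upn, ip = actor(r)
            hits.append({"id": r["id"], "consentedBy": upn, "ipAddress": ip,
                         "application": r["targetResources"][0].get("displayName"),
                         "permissions": new_values.get("ConsentAction.Permissions")})
    return hits


def credential_additions(records):
    """Scenario 7: the credential list grew in a certificates-and-secrets update event."""
    hits = []
    for r in records:
        if r.get("activityDisplayName") != CREDENTIAL_ACTIVITY:
            continue
        for name, old, new in modified_properties(r):
            old_list = old if isinstance(old, list) else []
            new_list = new if isinstance(new, list) else []
            if len(new_list) <= len(old_list):
                continue  # removal or rotation, not an addition
            old_ids = {k.get("KeyIdentifier") for k in old_list}
            upn, ip = actor(r)
            hits.append({"id": r["id"], "initiatedBy": upn, "ipAddress": ip, "property": name,
                         "application": r["targetResources"][0].get("displayName"),
                         "oldValsCount": len(old_list), "newValsCount": len(new_list),
                         "added": [k for k in new_list if k.get("KeyIdentifier") not in old_ids]})
    return hits


def _audit(id_, activity, upn, ip, app_name, props):
    """Constructed directoryAudit-shaped record (not a real log)."""
    return {"id": id_, "activityDisplayName": activity,
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}},
            "targetResources": [{"displayName": app_name, "type": "Application",
                                 "modifiedProperties": [{"displayName": n, "oldValue": o, "newValue": v}
                                                        for n, o, v in props]}]}


_K1 = {"KeyIdentifier": "key-1", "KeyType": "Password", "DisplayName": "initial"}
_K2 = {"KeyIdentifier": "key-2", "KeyType": "Password", "DisplayName": "added-later"}

SAMPLE_AUDITS = [  # constructed sample data
    _audit("evt-1", CONSENT_ACTIVITY, "carol@contoso.example", "203.0.113.5", "Mail Helper",
           [("ConsentContext.IsAdminConsent", None, '"False"'),
            ("ConsentAction.Permissions", None, '"[] => [[Mail.Read, offline_access]]"')]),
    _audit("evt-2", CONSENT_ACTIVITY, "admin@contoso.example", "192.0.2.1", "HR Portal",
           [("ConsentContext.IsAdminConsent", None, '"True"')]),
    _audit("evt-3", CREDENTIAL_ACTIVITY, "dave@contoso.example", "203.0.113.9", "Payroll Sync",
           [("KeyDescription", json.dumps([_K1]), json.dumps([_K1, _K2]))]),  # one secret added
    _audit("evt-4", CREDENTIAL_ACTIVITY, "admin@contoso.example", "192.0.2.1", "Payroll Sync",
           [("KeyDescription", json.dumps([_K1, _K2]), json.dumps([_K1]))]),  # a secret removed
]

if __name__ == "__main__":
    for hit in non_admin_consents(SAMPLE_AUDITS) + credential_additions(SAMPLE_AUDITS):
        print(hit)
```

Comparing KeyIdentifier sets rather than only list lengths tells you which credential was added, which is what you need to revoke during response; the length check alone mirrors the `count("newVals") > count("oldVals")` condition of the query.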

MITRE Technique

Scenario 8 – Admin Privileges Assignments Not Via PIM

Azure AD PIM (Azure Active Directory Privileged Identity Management) is a Microsoft Azure service that helps organizations manage, control, and monitor access to privileged roles and resources in their Azure environment. It allows administrators to grant just-in-time privileged access, enforce approval workflows, and provide auditing and reporting for enhanced security and compliance.
It is important to monitor Azure AD admin privilege assignments made outside PIM, since this behavior should not be common and might suggest that an admin account is compromised.

Relevant Azure AD Event Source 

  • Azure AD Directory Audit Logs

Query

-- Search AAD administrative privilege assignments not via PIM
select bq."ipAddress", bq."initiatedUser", bq.category, bq."operationType", bq."targetResourceType", coalesce(bq."targetUser", bq."targetApp") as "targetDisplayName", base3."value" as "newRoleName"
from (select "id", "ipAddress", "userPrincipalName" as "initiatedUser", category, "operationType", "TR"->'type' as "targetResourceType",
             nullif("TR"->'userPrincipalName', 'null') as "targetUser", nullif("TR"->'displayName', 'null') as "targetApp"
      from directory_audit_activity_azure_ad_entity daaaae, jsonb_array_elements("targetResources") as "TR"
      where category = 'RoleManagement' and "operationType" = 'Assign'
      and "targetResources"::text like '%dmin%' -- role names containing "admin" / "Admin"
      and ("initiatedBy"->'app'->>'displayName' != 'MS-PIM' or "initiatedBy"->'user' is not null)) bq,
     (select * from (select "id", jsonb_array_elements("sub")->>'newValue' as "value", jsonb_array_elements("sub")->>'displayName' as "valueName"
                     from (select "id", jsonb_array_elements("targetResources")->'modifiedProperties' as "sub"
                           from directory_audit_activity_azure_ad_entity
                           where category = 'RoleManagement' and "operationType" = 'Assign') base1) base2
      where "valueName" = 'Role.DisplayName') as base3
where bq."id" = base3."id" and bq."targetResourceType" != '"Role"'

MITRE Technique

  • Privilege Escalation | Privilege Assignment via Valid Account | ATT&CK T1078

Scenario 9 – Account Hijacking

Social engineering for initial access is on the rise. These techniques are simple in most cases and do not require much technical knowledge. Attacks such as phishing, MFA relay, or even buying credentials online may help attackers compromise user accounts.
Usually, when an adversary compromises a user, gaining persistent access to that account is important. To do so, the adversary might change the user’s password and enroll a new MFA device. In some cases they may even delete the user’s original factors.
The following query identifies user accounts that performed a series of actions, during a short period of time, from an IP address that is not commonly used by the organization, which might suggest that these accounts are compromised. The actions that this query searches for are:

  • Self-password reset
  • MFA enrollment
  • MFA deletion 

Relevant Azure AD Event Source 

  • Azure AD Directory Audit Logs
  • Azure AD Sign-In Logs

Query

-- Search for multiple security information changes from a rare location in a short timeframe
with org_ips as (
    -- IP addresses used by more than one user on more than one day in the last week
    SELECT count("timebucket"), "ipAddress", "countryOrRegion"
    FROM (
        SELECT DATE_TRUNC('day', "createdDateTime") AS TimeBucket, COUNT(distinct "userPrincipalName") AS "userCount", "ipAddress", "countryOrRegion"
        FROM sign_in_activity_azure_ad_entity
        WHERE "errorCode" = 0
        AND "createdDateTime" > now() - interval '1 week'
        GROUP BY TimeBucket, "ipAddress", "countryOrRegion"
        HAVING COUNT(distinct "userPrincipalName") > 1
    ) subquery
    GROUP BY "ipAddress", "countryOrRegion"
    HAVING count("timebucket") > 1
),
base as (
    select count(distinct "activityDisplayName") as distinct_event_count, min("activityDateTime") as first_event, max("activityDateTime") as last_event, daaaae."ipAddress",
           "userPrincipalName", array_agg(distinct "activityDisplayName") as events, "result",
           age(max("activityDateTime"), min("activityDateTime")) as duration,
           extract(EPOCH FROM max("activityDateTime")) - extract(EPOCH FROM min("activityDateTime")) as duration_epoch
    from directory_audit_activity_azure_ad_entity daaaae
    where "activityDisplayName" in ('Reset password (self-service)',
                                    'Self-service password reset flow activity progress',
                                    'User deleted security info', 'User registered security info',
                                    'User started security info registration')
    and daaaae."ipAddress" not in (select distinct org_ips."ipAddress" from org_ips)
    and "result" = 'success'
    group by "userPrincipalName", daaaae."ipAddress", "result"
)
select * from base
where distinct_event_count = 5 -- all five activities seen for the same user/IP pair
and duration_epoch <= 604800 -- within one week

MITRE Technique

  • Initial Access | Social Engineering and Phishing | ATT&CK T1566

Scenario 10 – Abusing Third-Party Users (Supply Chain Attack)

Many Azure AD tenants are trusted by third-party accounts – IT providers, security tools, or trusted partners. Third-party accounts should perform directory changes only if the activity is authorized by the tenant administrator. Use the following query to detect changes performed by guest accounts in your organization. Unauthorized activities may suggest that the third-party account is compromised.

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Guest directory changes
select daaaae."activityDateTime", daaaae."ipAddress", daaaae."userPrincipalName", daaaae."activityDisplayName", daaaae."result", jsonb_array_elements(daaaae."targetResources")->>'userPrincipalName' as "external_user_name", siaaae."homeTenantId", siaaae."resourceTenantId" 
from directory_audit_activity_azure_ad_entity daaaae, sign_in_activity_azure_ad_entity siaaae  
where "result" ='success'
and daaaae."correlationId" = siaaae."correlationId"
and siaaae."homeTenantId" is not null
and siaaae."homeTenantId"!=siaaae."resourceTenantId" 

MITRE Technique

Scenario 11 – Abusing Single Password Authentication

Single-factor authentication is a security risk that is best avoided by enforcing MFA, but it is not always possible to do so. Adversaries will often try to abuse users that are not protected by MFA. Use the following query to monitor single-factor authentication from non-organizational IP addresses.

Relevant Azure AD Event Source

  • Azure AD Sign-In Logs

Query

-- Single-factor interactive sign-ins from non-organizational IP addresses
with org_ips as (
    -- IP addresses used by more than one user on more than one day in the last week
    SELECT count("timebucket"), "ipAddress", "countryOrRegion"
    FROM (
        SELECT DATE_TRUNC('day', "createdDateTime") AS TimeBucket, COUNT(distinct "userPrincipalName") AS "userCount", "ipAddress", "countryOrRegion"
        FROM sign_in_activity_azure_ad_entity
        WHERE "errorCode" = 0
        AND "createdDateTime" > now() - interval '1 week'
        GROUP BY TimeBucket, "ipAddress", "countryOrRegion"
        HAVING COUNT(distinct "userPrincipalName") > 1
    ) subquery
    GROUP BY "ipAddress", "countryOrRegion"
    HAVING count("timebucket") > 1
)
select "createdDateTime", "ipAddress", "autonomousSystemNumber", "countryOrRegion", "userPrincipalName", "appDisplayName", "conditionalAccessStatus"
from sign_in_activity_azure_ad_entity siaaae
where "authenticationRequirement" = 'singleFactorAuthentication'
and "errorCode" = 0
and "isInteractive" = true
and "ipAddress" not in (select distinct "ipAddress" from org_ips)
and "countryOrRegion" not in (select distinct "countryOrRegion" from org_ips)
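Scenario 9 and Scenario 11 share the same building block: an org_ips baseline of IP/country pairs that more than one user signed in from on more than one day, which is then used to flag a burst of security-info changes (Scenario 9) or a successful interactive single-factor sign-in (Scenario 11) from outside it. The code below is an added example, not Rezonate’s code or part of the original post, and implements both hunts over constructed records shaped like the Graph signIn and directoryAudit resources (location.countryOrRegion and initiatedBy.user are assumed to be where the country and the acting user live); the one-week window and the requirement that all five activities appear are parameters.

```python
from collections import defaultdict
from datetime import datetime

SECURITY_INFO_ACTIVITIES = {
    "Reset password (self-service)",
    "Self-service password reset flow activity progress",
    "User deleted security info",
    "User registered security info",
    "User started security info registration",
}
ONE_WEEK_S = 604800


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def org_ip_baseline(sign_ins):
    """(ipAddress, countryOrRegion) pairs with successful sign-ins by >1 user on >1 day (the org_ips CTE)."""
    users_per_day = defaultdict(set)
    for r in sign_ins:
        if r["status"]["errorCode"] == 0:
            key = (r["ipAddress"], r["location"]["countryOrRegion"])
            users_per_day[(key, _ts(r["createdDateTime"]).date())].add(r["userPrincipalName"])
    days = defaultdict(set)
    for (key, day), users in users_per_day.items():
        if len(users) > 1:
            days[key].add(day)
    return {key for key, seen in days.items() if len(seen) > 1}


def account_hijack_candidates(audits, baseline, min_distinct=len(SECURITY_INFO_ACTIVITIES), window_s=ONE_WEEK_S):
    """Scenario 9: security-info changes by one user from one non-organizational IP within `window_s`."""
    org_ips = {ip for ip, _ in baseline}
    groups = defaultdict(list)
    for r in audits:
        if r["activityDisplayName"] not in SECURITY_INFO_ACTIVITIES or r["result"] != "success":
            continue
        who = r["initiatedBy"]["user"]
        if who["ipAddress"] not in org_ips:
            groups[(who["userPrincipalName"], who["ipAddress"])].append((_ts(r["activityDateTime"]), r["activityDisplayName"]))
    hits = []
    for (upn, ip), events in groups.items():
        distinct = {name for _, name in events}
        first, last = min(t for t, _ in events), max(t for t, _ in events)
        duration = (last - first).total_seconds()
        if len(distinct) >= min_distinct and duration <= window_s:
            hits.append({"userPrincipalName": upn, "ipAddress": ip, "events": sorted(distinct),
                         "firstEvent": first, "lastEvent": last, "durationSeconds": duration})
    return hits


def single_factor_from_unknown_location(sign_ins, baseline):
    """Scenario 11: successful interactive single-factor sign-ins from IPs and countries outside the baseline."""
    org_ips = {ip for ip, _ in baseline}
    org_countries = {country for _, country in baseline}
    return [r for r in sign_ins
            if r["authenticationRequirement"] == "singleFactorAuthentication"
            and r["status"]["errorCode"] == 0 and r["isInteractive"]
            and r["ipAddress"] not in org_ips
            and r["location"]["countryOrRegion"] not in org_countries]


def _si(ts, upn, ip, country, auth="multiFactorAuthentication"):
    """Constructed signIn-shaped record (successful, interactive); not a real log."""
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"countryOrRegion": country}, "authenticationRequirement": auth,
            "isInteractive": True, "status": {"errorCode": 0}}


def _au(ts, upn, ip, activity):
    """Constructed directoryAudit-shaped record; not a real log."""
    return {"activityDateTime": ts, "activityDisplayName": activity, "result": "success",
            "initiatedBy": {"user": {"userPrincipalName": upn, "ipAddress": ip}}}


# Constructed sample: 192.0.2.1 is the office (two users, two days); 198.51.100.9 is used by one
# user only; 203.0.113.77 in NL appears once, with single-factor auth, followed within minutes by
# every security-info activity for the same user.
SAMPLE_SIGN_INS = [
    _si("2023-09-01T08:00:00Z", "alice@contoso.example", "192.0.2.1", "US"),
    _si("2023-09-01T08:05:00Z", "bob@contoso.example", "192.0.2.1", "US"),
    _si("2023-09-02T08:00:00Z", "alice@contoso.example", "192.0.2.1", "US"),
    _si("2023-09-02T08:05:00Z", "bob@contoso.example", "192.0.2.1", "US", "singleFactorAuthentication"),
    _si("2023-09-01T09:00:00Z", "alice@contoso.example", "198.51.100.9", "US"),
    _si("2023-09-03T02:00:00Z", "bob@contoso.example", "203.0.113.77", "NL", "singleFactorAuthentication"),
]
SAMPLE_AUDITS = [_au(f"2023-09-03T02:{i:02d}:00Z", "bob@contoso.example", "203.0.113.77", name)
                 for i, name in enumerate(sorted(SECURITY_INFO_ACTIVITIES))] + [
    _au("2023-09-02T09:00:00Z", "alice@contoso.example", "192.0.2.1", "User registered security info")]

if __name__ == "__main__":
    base = org_ip_baseline(SAMPLE_SIGN_INS)
    print(base)
    print(account_hijack_candidates(SAMPLE_AUDITS, base))
    print(single_factor_from_unknown_location(SAMPLE_SIGN_INS, base))
```

Bob’s single-factor sign-in from the office IP is not reported because the IP is in the baseline, while the same account’s sign-in from 203.0.113.77 is, and the five security-info changes that follow it from that IP within four minutes are the Scenario 9 hit; together they are the sequence the text describes, an MFA-less sign-in followed by the adversary enrolling its own factors.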

MITRE Technique

Scenario 12 – Azure AD Sync Abuse

Azure AD Connect is a Microsoft tool that enables synchronization and integration between on-premises Active Directory (AD) and Azure Active Directory (Azure AD). It allows organizations to extend their on-premises identity infrastructure to the cloud, providing users with a seamless single sign-on experience across both environments. 

AAD Connect synchronizes user accounts between on-premises domain controllers and AAD tenants, using a privileged user account that is authorized to write to the AAD directory.

A compromised domain controller could allow an attacker to move laterally to Azure AD by extracting the login credentials of an AAD Connect user. 

Relevant Azure AD Event Source 

  • Azure AD Sign-In Logs

Query

-- Search for AAD Connect sync account use outside the AAD Connect application
select "createdDateTime", "ipAddress", "countryOrRegion", "userPrincipalName", "appId", "appDisplayName", "errorCode"
from sign_in_activity_azure_ad_entity siaaae
where "userPrincipalName" ilike 'Sync_%'
and "appDisplayName" not in ('Microsoft Azure Active Directory Connect', '')

MITRE Technique

3 Additional Queries For Azure AD Access Governance

On top of the scenarios mentioned above, there are additional relevant queries that can be used to hunt for threats in an Azure AD tenant. Their results are harder to rely on since they require having a deeper context of the regular activities in the organization to differentiate the legitimate operations from those that may be part of an actual threat.

For example, a user was assigned an administrative role. It could be malicious or legitimate, and requires triage for a verdict: 

  • Who performed the action?
  • Is this the first time this actor assigns privileges? 
  • Are there any client characteristics that do not make sense coming from that actor?

Query 1 – New Application Creation

Malicious applications can serve adversaries to get their first foothold in an Azure AD tenant. Review the applications that were registered by administrators.

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Search for new AAD applications
select "activityDateTime", "ipAddress", "userPrincipalName", "activityDisplayName", "result", jsonb_array_elements("targetResources")->>'displayName' as "appName"
from directory_audit_activity_azure_ad_entity daaaae
where "activityDisplayName" = 'Add application'

MITRE Technique

Query 2 – A Guest Was Invited to the Organization

Guest users can be invited to an Azure AD tenant – This means that users from different Azure AD tenants can access your tenant. It’s important to review these invites to make sure that only authorized third-party users will be invited.

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Guest invites
select "activityDateTime", "ipAddress", "userPrincipalName", "activityDisplayName", "result", jsonb_array_elements("targetResources")->>'userPrincipalName' as "external_user_name"  
from directory_audit_activity_azure_ad_entity daaaae 
where "activityDisplayName" ='Invite external user'

MITRE Technique

Query 3 – New Authentication Policy Exclusion

Azure AD Conditional Access Policy is a powerful feature that controls access to the organization based on specific criteria. If a user or a group of users is excluded from a conditional access policy, they might put the organization at risk.

Relevant Azure AD Event Source

  • Azure AD Directory Audit Logs

Query

-- Policy Exclusions
select "activityDateTime", "userPrincipalName", category, "activityDisplayName", "operationType",jsonb_array_elements("targetResources")->>'displayName' as "policyName",
jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'newValue' as "newConditions",
jsonb_array_elements(jsonb_array_elements("targetResources")->'modifiedProperties')->>'oldValue' as "oldConditions"
from directory_audit_activity_azure_ad_entity daaaae 
where "activityDisplayName"='Update conditional access policy'

MITRE Technique

Rezonate Tool For Exporting Azure AD Logs

As promised, we have included 2 tools that can be used to accelerate the application creation and the log extraction process. They are both available in our GitHub repository.

TX Group Case Study

TX Group: Eliminating cloud identity risk with Rezonate

Success for Switzerland’s largest international private media company means always staying ahead of the digital curve – and security is no exception. Rezonate makes this possible.

“With Rezonate our DevOps and security teams are now enabled to work hand-in-hand and understand the complete identity story - across our IdP and cloud infrastructure. We reduce manual workload, increase productivity and eventually reduce the time to remediate critical risks.”
Andreas Schneider, former Group CISO, and Olivier Martinet, current Group CISO for TX Group

The Challenge: Finding and Fixing Identity ‘Blind Spots’ – Fast

Speed is of the essence in the media industry: news happens fast, and it’s imperative to deliver – and secure – it rapidly, as well. Detecting identity issues and compromises in this complex environment, Schneider says, was like finding the proverbial “needle in a haystack.” He used several different tools to try to uncover every vulnerability, but he knew that he wasn’t seeing the complete exposure map. Finding and closing the identity and access management gaps seemed nearly impossible. AWS’s own insight tools proved difficult even for the engineers to use. So Schneider sought help – and found it in Rezonate.

“We had blind spots. There were things we didn’t really think about. We check configuration, for example, but do we check privileges? If a vendor says they need access to something, it is a real challenge to continuously validate need and actual usage.”

The Solution: A team approach that really works

Schneider chose Rezonate to handle TX Group’s identity management for a number of reasons:

Real problem solving. Rezonate sees the extent to which identities use their access privileges so TX Group can revoke access to unused resources and applications – the “least privilege” approach. “I don’t know of any other technology that does this. Rezonate alone could give us real-time visibility into our cloud accounts as well as guidance for quick response. We now know exactly what’s going on and where, every moment.”

Rapid response. TX Group can now spot risky accounts and mitigate them with ease using Rezonate, and its security and DevOps teams can work together to resolve the identity and access issues that are so common in the cloud — without slowing or stopping operations. Rezonate accomplishes this feat via its Identity Storyline™, the brains behind the Rezonate platform. Identity Storyline simplifies complex identity and access problems and provides clear guidance on how to resolve them. Now, using Rezonate, TX Group can quickly see, in context, each identity’s behaviors in the cloud – past as well as present – and know which might increase its risk of breach, as well as how to best remediate. Identity Storyline goes beyond static dashboards to answer the dynamic questions that need always-current answers, such as: Where are our blind spots? Where have identities changed or deviated from patterns of behavior? Where are our active threats? “Without Rezonate, we would not be able to see these kinds of suspicious activities on all our identity providers and cloud accounts. Before, we were seeing just minor parts of our identity and access risk. We now have the complete picture, and can make decisions with confidence.”

User-readiness. The Rezonate platform software is up and running and ready to use in minutes. “Rezonate takes zero trust to the next level. Rezonate is, for me, the one-stop shop security tool for protecting our identities in the correct way – for identifying and remediating threats.”

The Outcomes:

  • A full and complete view of identities, access, and privileges via Rezonate’s Identity Storyline™ – leveling up “zero trust” security for the cloud
  • Faster time from risk discovery to risk remediation – from days or weeks to minutes
  • Reduced workload for DevOps and security teams as automation handles detection and remediation before risks become threats
  • Greater productivity as DevOps works hand-in-hand with security to safely design, create, and deploy
  • Optimized access permissions, ensuring a “least privileges” approach
  • Proactive, prioritized responses to risk and threats
Top 10 Enterprise Identity Management Software Solutions

Like a Swiss watch, your organization has hundreds, if not thousands, of moving parts. Each employee accesses a multitude of different documents, systems, and software every day, and they probably rely on their colleagues to make this happen.

The global market for Enterprise Identity Management Software Solutions is booming, with a value of $20.75 billion – and this is just a sign of things to come in this industry. There are so many vendor options, each one with different features, and choosing the right tool for your organization can feel like searching for a needle in a haystack. Since we live in an era where cyberattacks dominate the digital world (and the headlines), choosing a vendor isn’t a decision to take lightly.

What are Enterprise Identity Management Software Solutions?

Enterprise Identity Management Software Solutions, commonly known as IAM (Identity and Access Management), provide tools, policies, and processes designed to manage and secure digital identities within your organization. These solutions ensure that the right people have access to sensitive data and applications at the right times, all while upholding security and compliance standards.

IAM systems can handle a range of critical functions, including user authentication, authorization, and user provisioning. They're instrumental in managing digital identities, allowing employees and customers to access information and applications efficiently and securely.

Benefits of Enterprise Identity Management Software Solutions

  • Enhanced security: Authenticate and authorize users, protecting sensitive data and applications.
  • Efficient onboarding and offboarding: Reduce administrative workload, granting new employees access swiftly and revoking access for departing staff.
  • Visibility and privilege control: Gain clear visibility into user access paths and changes in privileges for audits, regulatory compliance, and early detection of potential security risks.

Key Features to Look For in an Enterprise Identity Management Software Solution

  • Multi-factor authentication (MFA) significantly enhances security by adding an extra layer of protection beyond just passwords.
  • User self-service portals allow users to manage their accounts, reset passwords, and request access.
  • Role-based access control (RBAC) assigns access permissions based on job roles.
  • Single sign-on (SSO) provides one set of login credentials per user to access all services.
  • Test to ensure seamless integration and deployment with your existing technology stack.

How to Choose an Enterprise Identity Management Software Solution

Here are some key aspects to weigh up when evaluating IAM solutions.

  • Look for a solution that can grow and scale with your organization's needs.
  • Consider the level of support and maintenance services offered by the solution provider.
  • Calculate the total cost of ownership, including licenses, installation, and continuous maintenance.
  • Look for a user-friendly interface.
  • Check the vendor’s support for security features like MFA and encryption.

Top 10 Enterprise Identity Management Software Solutions

1. Okta

Okta is an identity management tool that allows you to customize and configure policies to match your unique requirements. See our recent blog for Okta security best practices and essential tips.

Key features:
  • The Universal Directory feature is a centralized store for user profiles and identity data.
  • Maintains a competitive pricing structure suitable for both large and small businesses.
  • The adaptive authentication function assesses the risk associated with each login attempt based on user location, device, network, and behavior, providing enhanced security.

Best for: Building customizable authentication and authorization services for your applications.
Price: Enterprise pricing is by inquiry.
Review: “Okta can hold up multiple applications and serve as a one-stop shop, as you can access all these tools by logging in to one application.”

2. Rezonate

If you’re in the market for identity management software, you’ll likely need to manage your identity posture and protect against identity threats too. Rezonate is a radically simple identity security platform that provides end-to-end coverage and visibility of all access, from the creation time to the last active session and activity performed.

Key features:
  • Easy one-click deployment gets you set up within 15-60 mins for large organizations.
  • Simple and highly scalable.
  • Gives you complete visibility over accounts, assets, and identity levels.
  • Real-time risk scores help your teams learn and recognize security gaps.
  • Proactively enforces real-world least privileged access.
  • Detects malicious impersonation, access rights, and excessive privileges before damage occurs.

Best for: Continuous protection, end-to-end visibility, and risk prioritization.
Price: Contact Rezonate customer support for pricing details.
Review: “Our DevOps team uses Rezonate daily to understand context and prioritize critical risks. We are now 10X faster and more effective in remediating security gaps.”

3. Microsoft Entra ID (previously called Azure AD)

Microsoft Entra seamlessly integrates with Microsoft software products, providing additional authentication elements beyond passwords, such as SMS codes, phone calls, mobile app notifications, and biometrics. See our recent blog on Azure Active Directory threat hunting techniques for help setting up and using Azure AD.

Key features:
  • Password synchronization.
  • Customizable single sign-on (SSO) portals for each user.
  • Authentication support for on-premises applications.
  • Supports MFA.

Best for: Organizations that utilize Microsoft services such as Office 365 and Azure.
Price: Microsoft Entra offers four pricing plans: Free, P1 ($6 user/month), P2 ($9 user/month), and Governance ($7 user/month).
Review: “It adds a strong layer of security when accessing my Microsoft account and apps, especially when working from home.”

4. CyberArk Identity Security

CyberArk is a comprehensive identity management toolkit, including privileged access, secrets management, endpoint privilege security, cloud privilege security, and workforce and customer access.

Key features:
  • Supports JIT access capabilities, enabling temporary and time-bound access to privileged accounts.
  • Facilitates the monitoring and recording of privileged user sessions.
  • Integrated behavior analytics that generate alerts and access adjustments when abnormal activities are detected.

Best for: Offers self-hosting options that give you greater autonomy over your security environment.
Price: Free trial, then pricing depends on your chosen features. For example, CyberArk Adaptive MFA will cost you $3 per user/month.
Review: “The best thing about it is their tools are user-friendly.”

5. SailPoint

SailPoint is purpose-built for today's enterprise demands as it supports both on-premise and cloud deployment options.

Key features:
  • Identity governance capabilities allow you to manage user identities, roles, entitlements, and access controls effectively.
  • Provides full identity lifecycle management capabilities, covering the entire spectrum from user onboarding to user offboarding.
  • Access resources easily through user-friendly self-service portals.

Best for: Backend customization.
Price: By inquiry.
Review: “We can have a complete hand on backend code so we can manipulate the Workflow and rules and customize our requirements.”

6. Ping Identity

You can easily integrate Ping Identity with other products (PingFederate, PingID, and PingCentral) from the Ping portfolio to build custom IAM solutions for your organization.

Key features:
  • Supports SSO and passwordless sign-on.
  • Supports MFA.
  • Secure user authentication.
  • Adaptive authentication assesses the risk associated with each login attempt.
  • Efficient user life cycle management to connect any user to any asset.

Best for: Integration and interoperability with other Ping products.
Price: By inquiry.
Review: “Ping Identity provides 2FA security from unauthorized access to the account even if the password is compromised.”

7. Slauth

Slauth.io is an AWS IAM policy creation software that simplifies the implementation of least privilege in your AWS environment. It will be available on GCP and Azure in the near future.

Key features:
  • Tracks identity activity via real-time API calls from end-to-end tests to AWS.
  • Generates custom IAM roles to suit your company’s infrastructure requirements within minutes.
  • Provides complete visibility of your identity activity through logs placed throughout different SDLC stages.

Best for: An alternative to the AWS console and Access Analyzer.
Price: By inquiry.
Review: “Slauth enables teams to focus on delivery and eliminate security risks by automating IAM policy creation. Less to worry about, more to deliver!”

8. IBM Security Identity Manager

IBM Security Identity Manager has built-in governance capabilities through the IBM Security Identity Governance (SIG) adapter. The dashboard is almost entirely customizable to suit you.

Key features:
  • Provides adaptable MFA options and SSO support.
  • The configuration wizard feature helps you with deployment and setup.
  • Self-service password reset and password synchronization.
  • Advanced analysis and diagnostics for reporting and monitoring capabilities.

Best for: Enforcing complex compliance requirements at scale.
Price: By inquiry.
Review: “It has been an integral part of our infrastructure and that of our clients for many years, providing an extra layer of authentication and authorization for mission-critical software.”

9. Auth0

Auth0 is a flexible, drop-in solution to add authentication and authorization to your applications. It helps you avoid the unnecessary costs, time, and risks of building your own authentication mechanisms.

Key features:
  • Designed with customer UX in mind.
  • Integrates with popular social identity providers like Google, Facebook, Twitter, and LinkedIn.
  • Offers adaptable MFA options.

Best for: Authentication and authorization for mobile applications.
Price: Offers four plans: Free, Professional ($240/month), and two Essentials plans ($23/month and $130/month).
Review: “Its Multi-Factor Authentication (MFA) and anomaly detection work pretty well.”

10. JumpCloud

JumpCloud is a directory platform that provides a variety of identity features like authenticating, authorizing, and managing users, devices, and applications in line with the Zero Trust Model.

Key features:
  • Open directory platform unifies your technology stack across identity, access, and device management.
  • Serves as a centralized cloud-based directory service, the primary point of contact for user IDs, groups, and organizational units.
  • Supports SSO.
  • Supports passwordless authentication.

Best for: Central management of users’ SSO connections.
Price: Offers a free plan and an à la carte plan for $2/user/month.
Review: “One of the most valuable aspects is the seamless control over user access and permissions.”

Radically Simple and Automated IAM

Choosing the right Identity and Access Management (IAM) solution is critical to protect your digital assets against evolving cyber threats. Out of the ten solutions, Rezonate stands out because it can connect to every cloud environment and provide a complete picture of cross-cloud identity and access risks. Rezonate’s Storyline feature profiles identities for total visibility over permissions, access paths, and activity patterns, plus Rezonate’s Adaptive Access engine secures powerful permissions with conditional access and optimized security controls.

Get started and book a demo today.