Azure AD High-Risk Sign-in Detection
Detection of high-risk Azure Active Directory sign-in attempts, identified by Azure Identity Protection, indicating potentially compromised accounts and unauthorized access to sensitive resources.
This analytic focuses on identifying potentially compromised user accounts within Azure Active Directory (Azure AD). It leverages Azure Identity Protection's risk assessment capabilities to detect high-risk sign-in attempts. These attempts are flagged by Azure's heuristics and machine learning algorithms. The detection utilizes the RiskyUsers and UserRiskEvents log categories from Azure AD, which are typically ingested through an Event Hub. The Splunk Add-on for Microsoft Cloud Services is required. Successful exploitation can lead to unauthorized access to sensitive data, system compromise, and further malicious activities within the Azure environment. This detection helps security teams identify and respond to account compromise incidents proactively.
Attack Chain
- Initial Access: The attacker gains initial access to a valid Azure AD username and password through various means, such as credential harvesting or password spraying (T1110.003).
- Password Spraying: The attacker attempts to authenticate to Azure AD using a list of common passwords against multiple user accounts (T1110.003).
- MFA Fatigue: If MFA is enabled, the attacker attempts to overwhelm the user with MFA prompts until they accept one.
- Authentication: The attacker successfully authenticates to Azure AD as a legitimate user. This authentication is flagged as high-risk by Azure Identity Protection based on factors such as location, device, or frequency of access.
- Privilege Escalation (Conditional): The attacker may attempt to elevate their privileges within Azure AD or associated resources to gain broader access.
- Data Access: Once authenticated, the attacker attempts to access sensitive data or resources within the Azure environment.
- Lateral Movement (Conditional): The attacker may attempt to move laterally to other systems or applications within the organization's network.
- Exfiltration/Impact: The attacker exfiltrates sensitive data or causes other damage, such as deleting resources or disrupting services.
Impact
A successful attack can result in significant data breaches, financial losses, and reputational damage. The number of affected users and the scope of the breach depend on the attacker's access level and the sensitivity of the compromised data. Organizations across all sectors that rely on Azure Active Directory are potentially at risk. If successful, attackers can gain persistent access to cloud resources, compromise critical business applications, and disrupt operations.
Recommendation
- Ensure the Splunk Add-on for Microsoft Cloud Services is installed and properly configured to ingest Azure Active Directory logs, specifically the
RiskyUsersandUserRiskEventslog categories, as mentioned in the documentation. - Deploy the provided Sigma rule
Azure AD High-Risk Sign-in Detectedto identify high-risk sign-in attempts in your SIEM environment. - Investigate and remediate any alerts generated by the Sigma rule, prioritizing users identified as high-risk by Azure Identity Protection.
- Implement and enforce multi-factor authentication (MFA) for all users to mitigate the risk of password-based attacks.
- Monitor user activity for suspicious behavior, such as access to unusual resources or activities outside of normal working hours.
Detection coverage 2
Azure AD High-Risk Sign-in Detected
highDetects high-risk sign-in attempts in Azure Active Directory as identified by Azure Identity Protection.
Azure AD Sign-in from Unusual Location (based on Risk Event)
mediumDetects sign-in attempts from unusual locations based on Azure Identity Protection risk event logs.
Detection queries are available on the platform. Get full rules →