There are many tools available for investigating security-related events in the Microsoft cloud ecosystem, depending on how the environment is configured, which components have been enabled and which licenses are in use.
If Azure AD Identity Protection is used in your environment, my strong recommendation is to upgrade Azure Security Center (ASC) to the standard tier and integrate Azure AD Identity Protection with ASC.
In this blog post I use Azure Security Center, Activity Logs, Log Analytics, Cloud App Security and Security Graph to find out what is happening under the hood.
The licenses used in my scenario were EMS E5 and O365 E5. With EMS E5 I get Azure AD Identity Protection and with O365 E5 I get Microsoft Cloud App Security.
As mentioned, when Azure AD Identity Protection (IP) is in use and ASC has been upgraded to the standard tier, ASC automatically detects AAD IP. With AAD IP you can receive identity-related alerts such as:
- Leaked credentials
- Impossible travel to atypical locations
- Sign-ins from anonymous IP addresses (Tor networks, etc.)
- Sign-ins from IP addresses with suspicious activity
Open Azure Security Center, go to Security solutions and select Connect.
Select the Log Analytics workspace to which events should be sent and click “Connect” in the bottom left corner.
The integration event as it appears in the Azure Activity log; the data source is Azure AD Identity Protection.
And that’s it. After this integration, all security events from Identity Protection can be found in:
- The Azure Security Center Threat Protection section
- The Azure Activity Logs, which can be integrated with a SIEM via Event Hub
- The Azure AD Identity Protection console (also without integration)
- Microsoft Security Graph (also without integration)
- Microsoft Cloud App Security (also without integration)
Find Security Alert Related Events
I created a simulated attack via the Tor browser and changed identity multiple times. After 5 minutes I found the alert in the ASC Threat protection section.
The identity used was firstname.lastname@example.org
Digging into the first of those events, timeframe 22.2.2019 9:11:06.
I selected the event and received basic information about it. Where more investigation is needed, select “Continue investigation” in the bottom left corner.
On the next page you can drill down into the event details or browse information from the Log Analytics workspaces. How cool is that 🙂
Azure Security Center alerts are sent via the REST API to the Azure Activity Log integrator. If a SIEM system is in use, Azure subscription monitoring data (the Azure Activity log) can be integrated with the SIEM via Event Hub.
The Azure Activity log shows the alerts from ASC.
The same event in Microsoft Cloud App Security, which gives the most extensive information about the alert, as seen below:
A failed login was detected from a Tor IP address
The Tor IP address 220.127.116.11 was used by CAS Demo (email@example.com).
Additional risks in this user session:
- This user was not active for 241 days.
- Office 365 was used for the first time in 241 days by this user.
- ISP The Calyx Institute was used for the first time in 330 days in your organization.
- Operating system Windows was used for the first time in 330 days by this user.
- User agent Firefox was used for the first time in 241 days in your organization.
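To make the risk indicators in that MCAS alert concrete as detection logic, here is an added example (my own illustration, not code from the post or from Microsoft) that replays constructed sign-in records and flags a login from a Tor exit node, a long-inactive account, and ISP/OS/user-agent values newly seen for the user or for the whole tenant. The record field names, dates, addresses and the Tor exit list are all assumptions made for the example.

```python
from datetime import datetime

# Constructed sample sign-in events (not real data; the field names are an
# assumption made for this example, not the schema of Azure AD, MCAS or ASC logs).
SIGN_INS = [
    {"ts": "2018-03-29T08:00:00", "user": "other.user@example.com", "ip": "203.0.113.5",
     "isp": "The Calyx Institute", "os": "Windows", "ua": "Chrome", "success": True},
    {"ts": "2018-06-26T08:00:00", "user": "cas.demo@example.com", "ip": "203.0.113.10",
     "isp": "Contoso Fiber", "os": "iOS", "ua": "Safari", "success": True},
    {"ts": "2019-02-22T09:11:06", "user": "cas.demo@example.com", "ip": "198.51.100.7",
     "isp": "The Calyx Institute", "os": "Windows", "ua": "Firefox", "success": False},
]
# Constructed Tor exit-node list; in practice this comes from a threat-intel feed.
TOR_EXIT_IPS = {"198.51.100.7"}


def assess(events, tor_ips, learn_until="2019-01-01T00:00:00", stale_days=90):
    """Replay sign-ins in time order and return {ts: [risks]} for alerting events.
    Events before learn_until only build the baseline. An attribute is newly
    seen if never used, or last used >= stale_days ago, by the user or the org."""
    cutoff = datetime.fromisoformat(learn_until)
    last_seen = {}    # (scope, field, value) -> datetime of last use
    last_active = {}  # user -> datetime of that user's last sign-in
    findings = {}
    for e in sorted(events, key=lambda x: x["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        risks = []
        if e["ip"] in tor_ips:
            risks.append(f"{'failed' if not e['success'] else 'successful'} login from Tor IP {e['ip']}")
        prev = last_active.get(e["user"])
        if prev is not None and (ts - prev).days >= stale_days:
            risks.append(f"user not active for {(ts - prev).days} days")
        for field in ("isp", "os", "ua"):
            for scope in (e["user"], "org"):
                where = "by this user" if scope == e["user"] else "in your organization"
                seen = last_seen.get((scope, field, e[field]))
                if seen is None:
                    risks.append(f"{field} {e[field]} never seen before {where}")
                elif (ts - seen).days >= stale_days:
                    risks.append(f"{field} {e[field]} used for the first time in {(ts - seen).days} days {where}")
                last_seen[(scope, field, e[field])] = ts
        last_active[e["user"]] = ts
        if risks and ts >= cutoff:
            findings[e["ts"]] = risks
    return findings


if __name__ == "__main__":
    for ts, risks in assess(SIGN_INS, TOR_EXIT_IPS).items():
        print(ts, *risks, sep="\n  ")
```

The learning period keeps the first sign-ins from alerting on attributes that are merely unseen because the baseline is empty; the 241- and 330-day gaps in the sample mirror the figures in the MCAS alert above.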
And last but not least, the alert in Microsoft Security Graph. As seen below, the provider of this event is “IPC”; I didn’t find an explanation of what this is, but my best guess is that it comes from Azure AD Identity Protection.
Until next time!