
Detecting Security Incidents with Microsoft Entra ID Auditing

Understanding the core functions and potential threats related to a Microsoft Entra ID environment is essential for maintaining robust security measures. One of the fundamental tools in this quest is the Audit log, a repository of historical records capturing user activities within the organization. This article covers Microsoft Entra ID Audit logs, their role in threat detection, and incident response best practices.

Well, let's continue this article, Detecting Security Incidents with Microsoft Entra ID Auditing, to find out more below.

What is Microsoft Entra ID Audit Log?

User behaviour in Microsoft Entra ID is monitored using Activity logs, which include three log types – Sign-in Logs, Provisioning Logs and Audit Logs. Audit logs record the history of all tasks executed within your tenant, offering a detailed account of the actions taken. They are included in all editions of Microsoft Entra ID (even the free one) and are designed to capture modifications to applications, groups, users, and licenses.

The Audit log (as well as the other activity logs) can be accessed in various ways. The simplest way is to open the Microsoft Entra admin center using an account that has the necessary permissions and navigate to Monitoring & health > Audit logs.

Roles that can access the Audit Logs

  • Reports Reader
  • Security Reader
  • Security Administrator
  • Global Reader

Here you see the list of log entries, which can be exported or filtered to return the needed information. By default, this view shows the information below.

Default (list) view of logs includes:

  • Date / time of the event.
  • Service that logged the event.
  • What was done.
  • Whether the change was successful.
  • Which object was modified.
  • Who initiated the change.

Select any entry to view its detailed information. The Audit Log Details window contains three tabs – Activity, Target(s) and Modified Properties – each of which provides the relevant information.

Additionally, you can view the logs using the Get-AzureADAuditDirectoryLogs cmdlet (part of the AzureADPreview PowerShell module) or using the Microsoft Graph API (details are found in Access logs with Microsoft Graph API).


What Threats Can Be Detected in Microsoft Entra ID Audit?

Audit Logs play an important role in detecting and mitigating various security threats in your Microsoft Entra ID environment. Here are some examples of threats that can be detected using Audit Logs.

Account Compromise

This is the most important threat identified using Audit logs. Changes to user accounts, password resets, or modifications to group memberships that were not initiated by the account owner may suggest a compromised account.

Role Escalation

Unauthorized changes to user roles and permissions, especially administrative roles, are detected. For example, a regular user may gain elevated privileges without proper authorization. Such events may indicate malicious action, accidental modification of users' permissions, or bypassing of the change management process (which is non-compliance with the security standards).

Group Membership Changes

Changes to group memberships can be monitored to detect unauthorized modifications or additions. Groups in Microsoft Entra ID are usually used to regulate access to certain data (e.g. in OneDrive for Business); therefore, such an event may be considered an attempt to gain unauthorized access to the data.

Configuration Changes

Monitoring changes to Microsoft Entra ID configurations, policies, or security settings helps to identify potential security risks introduced by configuration modifications.

Malicious Application Activities

Unusual behaviour or configuration changes related to applications may indicate malicious activity. Changes to the applications registered in Microsoft Entra ID, and to the permissions granted to the service principals used by applications, are also monitored to prevent unauthorized access by applications.

User Deletion or Suspension

Unexpected deletions or suspensions of user accounts, particularly those with elevated privileges, could be a sign of malicious activity.

License Assignment

Detecting instances where licenses are assigned to users without proper authorization or outside the established processes may identify policy violations and bypassing of license assignment procedures.
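As an added example (not code from the article), the Python below applies the threat categories listed above as triage rules over audit records in the shape the Microsoft Graph directoryAudits API returns. The sample records, role and group names, and the severity mapping are constructed and simplified assumptions for illustration.

```python
# Added example (not the article's code): rule-based triage of Microsoft Entra ID audit
# records in the Microsoft Graph directoryAudits shape (category, activityDisplayName,
# result, initiatedBy, targetResources). Sample records are constructed and simplified.
from typing import Dict, List

PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
# Constructed sample input: four audit entries of the kinds the article describes.
SAMPLE_RECORDS = [
    {"id": "a1", "category": "RoleManagement", "activityDisplayName": "Add member to role",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"},
                         {"type": "Role", "displayName": "Global Administrator"}]},
    {"id": "a2", "category": "UserManagement", "activityDisplayName": "Reset user password",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "alice@contoso.example"}]},
    {"id": "a3", "category": "GroupManagement", "activityDisplayName": "Add member to group",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "bob@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "bob@contoso.example"},
                         {"type": "Group", "displayName": "Finance-Share"}]},
    {"id": "a4", "category": "UserManagement", "activityDisplayName": "Change user license",
     "result": "success", "initiatedBy": {"user": {"userPrincipalName": "hr@contoso.example"}},
     "targetResources": [{"type": "User", "userPrincipalName": "carol@contoso.example"}]},
]

def _initiator(rec: Dict) -> str:
    """UPN of the initiating user, or the app name for app-initiated events."""
    who = rec.get("initiatedBy", {})
    if who.get("user"):
        return who["user"].get("userPrincipalName", "unknown-user")
    return (who.get("app") or {}).get("displayName", "unknown")
def _targets(rec: Dict, kind: str) -> List[Dict]:
    return [t for t in rec.get("targetResources", []) if t.get("type") == kind]

def triage(records: List[Dict]) -> List[Dict]:
    """Map audit records to the article's threat categories, highest priority first."""
    findings = []
    for rec in records:
        op, cat, who = rec["activityDisplayName"], rec["category"], _initiator(rec)
        owners = {t.get("userPrincipalName") for t in _targets(rec, "User")}
        if cat == "RoleManagement" and op.startswith(("Add member to role", "Add eligible member to role")):
            roles = {t.get("displayName") for t in _targets(rec, "Role")}
            sev = "high" if roles & PRIVILEGED_ROLES else "medium"  # privileged role = high priority
            findings.append({"id": rec["id"], "threat": "Role Escalation", "severity": sev, "initiator": who})
        elif cat == "GroupManagement" and op == "Add member to group":
            findings.append({"id": rec["id"], "threat": "Group Membership Change", "severity": "medium", "initiator": who})
        elif op == "Reset user password" and who not in owners:  # reset not done by the account owner
            findings.append({"id": rec["id"], "threat": "Account Compromise", "severity": "high", "initiator": who})
        elif op == "Change user license":
            findings.append({"id": rec["id"], "threat": "License Assignment", "severity": "low", "initiator": who})
    return sorted(findings, key=lambda f: {"high": 0, "medium": 1, "low": 2}[f["severity"]])
```

The same ordering (privileged-role and account-compromise findings first, license changes last) is the prioritization the response section below recommends.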

How to Detect Threats Using the Auditing?

To utilize the log records effectively, integration with a monitoring tool is required. Microsoft Entra ID Audit logs can be integrated with both third-party monitoring tools and tools built into Azure (such as Azure Monitor and Microsoft Sentinel).

Benefits of integration with Monitoring Tools

  • Enhanced Security Monitoring: By integrating audit logs with monitoring tools, you gain real-time visibility into user and system activities. This allows for proactive identification of suspicious behaviour or security incidents, enabling timely response and mitigation.
  • Centralized Management: Integration consolidates Microsoft Entra ID audit logs with other monitoring data, creating a centralized view of your environment. This simplifies management, analysis, and correlation of information, leading to better insights into user activities across various systems.
  • Anomaly Detection and Alerting: By leveraging monitoring tools, you can set up alerts based on specific audit log events or unusual patterns, allowing prompt detection of anomalies or potential security threats. If you decide to use Azure Monitor for this purpose, select from various notification methods, such as email, SMS and push notifications.
  • Enhanced Incident Response: Integrated monitoring tools enable faster incident response by offering detailed insights into the sequence of events. This aids in post-incident investigations and forensics, facilitating better understanding and resolution of security issues.

Additionally, monitoring tools combined with Microsoft Entra ID audit logs help in meeting compliance requirements by providing detailed records of user actions. It aids in fulfilling audit requests and ensuring adherence to regulatory standards.

By default, audit logs are stored for 7 days for the Microsoft Entra ID Free subscription, and for 30 days for other subscriptions (more details here). Therefore, using external tools for log retention (this functionality is usually built into monitoring tools) is required.

To parse logs during an investigation, you may need to use the querying capabilities of the tool you used to aggregate the logs. For example, if you used Azure Monitor or Azure Sentinel for this purpose, utilize the Kusto Query Language (KQL). Therefore, teaching the responsible personnel how to use KQL should be part of the tool implementation.

How to Respond to the Incidents?

When an incident is detected using the Microsoft Entra ID Audit log, follow the incident response plan. It usually consists of several steps; an example incident plan is provided below.

1. Investigation and Prioritization

    • Review Logs: Analyze the Microsoft Entra ID Audit Logs to understand the scope and nature of the incident. Look for patterns, anomalies, and details related to the suspicious activities, and perform a timeline analysis.
    • Correlate Data: Correlate information from Microsoft Entra ID Audit Logs with logs from other sources, if available, such as other Microsoft Entra ID logs (e.g. Sign-in logs), logs from the affected applications, or information from the security information and event management (SIEM) system. Additionally, Microsoft Entra integrates with user provisioning automation systems, which need to be checked as well. The more information is collected, the easier it is to identify the root cause.
    • Prioritize the incident: Provide background information to the responsible team, aiding them in prioritizing incidents by considering alert severity. For example, if during the investigation a privileged account is found to be compromised, it should be treated as a high-priority incident, while incidents of policy non-compliance (like assignment of a license without proper authorization) could have lower priority.

2. Containment and Eradication

    • Disable Affected Accounts: Microsoft Entra ID Audit primarily deals with identity-related activities, such as user sign-ins, role assignments, and license changes. Responses need to focus on securing and managing identities effectively. Therefore, if user account compromise is suspected, consider temporarily disabling the account to prevent further unauthorized access.
    • Adjust Permissions: Review and adjust permissions, especially if there’s evidence of unauthorized role escalation or changes in group memberships.
    • Remove Malicious Artifacts: Identify and remove any malicious artifacts introduced during the incident, such as unauthorized accounts, configurations, or applications.
    • Notify Stakeholders: Keep relevant stakeholders informed about the incident, especially if it involves sensitive data or has the potential to impact operations.

3. Recovery

    • Restore Services: If services or resources were affected, work on restoring them to normal operation.
    • Review and Enhance Security Controls: Evaluate the security controls that failed to prevent the incident and consider enhancing them. This may involve adjusting policies or configurations, or implementing additional security measures. For example, if user credentials were compromised, password policies and the use of multi-factor authentication must be enhanced. Additionally, leveraging built-in security features of Microsoft Entra ID, such as Conditional Access policies, Identity Protection, and Security Defaults, may be part of the response strategy.
    • Update Credentials: Change the affected credentials (such as user passwords or service principal secrets), if any.
    • Legal and Compliance Considerations: Adhere to legal and regulatory requirements regarding incident reporting and notification.

4. Post-Incident Actions

    • Root Cause Analysis: Conduct a thorough analysis of the incident to determine the root cause and identify lessons learned.
    • Documentation: Document the incident response process, the actions taken, and recommendations for reducing the probability of the incident recurring and improving future incident response. Update the existing Incident Response Plan if needed.
    • Training and Awareness: Provide additional training for staff to enhance awareness of security best practices and potential threats.

It is important to remember that incident response is an ongoing process, and continuous improvement is essential to adapting to evolving threats. Regularly review and update your incident response plan based on emerging risks and experiences gained from incident handling. Additionally, collaborating with relevant stakeholders and external cybersecurity experts provides valuable insights and assistance during incident response efforts.

We hope our article Detecting Security Incidents with Microsoft Entra ID Auditing has added to your knowledge. Let's conclude.

Responding to Security Incidents with Microsoft Entra ID Auditing Conclusion

Audit Logs, as a part of Microsoft Entra ID activity logs, act as the eyes and ears, meticulously documenting user actions and system changes and enabling the detection of potential vulnerabilities and threats. However, their true power comes to light when they are integrated with robust monitoring tools, elevating security measures by offering real-time insights, anomaly detection, and centralized management. Embracing a proactive approach to threat detection and incident response, while continually refining incident handling protocols, is imperative for fortifying your defences against cyber threats.

Marat Mussabekov

System administrator with 14 years of practical experience. Specializes in Microsoft products such as Exchange Server, Active Directory, Microsoft 365 and Azure.