Entra ID Auditing Insider Threats: Detect Anomalous User Behaviour. What, if the user credentials were stolen and the malicious actors successfully pass authentication and authorization? In this case, all the data that is accessible by the compromised credentials are at risk of an Insider Threat. To protect against such threats, enterprises usually use Insider Threat Detection systems. In Azure environment, a tool called Microsoft Entra ID Protection is used for this purpose – it detects the anomalous behaviour and sends risk signals to other tools, such as Conditional Access, that is used to remediate the risks.
Would you like to find out more about Entra ID Auditing Insider Threats: Detect Anomalous User Behaviour? Let’s go!
What is Anomalous User Behaviour?
Examples of Risk Detections
Unfamiliar sign-in Properties
Geography based risks
Detects the risks based on the location from which login attempt is performed. Includes the following risks:
- Atypical travel – the risk is identified when there are 2 or more sign-ins detected from the different geographical locations, not usually used by the user. To recognize this risk, Microsoft Entra ID Protection learns the previous logins performed using this user account to exclude the false positive triggering such as regular locations used by the user and the use VPN connections.
- New country – the risk detected based on the past activity locations to determine new locations. It also takes into the consideration the locations used by other users within the organization.
Suspicious browser sessions
Indicates suspicious sign in activities related to the web browser. For example – logins across multiple tenants from different countries in the same browser.
IP address-related risks
Risks identified based on the IP address used to login to the service. These risks include:
- Malicious IP address – IP address with high sign-in failure rates (failed authentication attempts).
- Anonymous IP address – an address owned by an anonymous proxy service (that replaces the original address of the user).
- Threat actor IP – sign activity from know IP address associated with cyber crime groups, based on Microsoft Threat Intelligence Center.
User reported Suspicious Activity
This risk detection is registered when a user reports a suspicious activity, for example, when they receive a multi factor authentication (MFA) prompt that they did not initiate.
Risk indicates that the user’s credentials (password hashes) have been leaked and available in Internet or dark web. Microsoft leaked credentials service continuously scanning websites where bad actors publish the stolen credentials. When it recognizes the hash of the user password from your tenant, the risk is registered. For this service to work, it needs to have the hashes of the passwords of user accounts, so it works only in two cases:
- For cloud users.
- For on-premises users in organizations with Microsoft Entra Connect configured to synchronize password hashes to the cloud.
Risks related to the activities of the signed-in user that are considered suspicious. For example, a user with the User Administrator role performs mass password changes for other user accounts.
Risk classifications used in Microsoft Entra ID
There are 2 types of risks – user risks and sign-in risks. User risks are related to the user account in general, without binding to some particular sign-in attempts, such as risk because of suspicious activity reported by user or because of identified leaked credentials. Sign-in risks are tied to some sign-in attempts, such as authentication requests from unusual location or from a hidden IP address.
Risks are divided according to the method of detection – real-time calculated risks and offline calculated risks. The risks that identified almost immediately (according to Microsoft, it takes 5-10 minutes for such risks to show up in the report), such as sign-in attempts with unfamiliar properties, are called real-time calculated risks. On the other hand, the risks that need more time to be identified (up to 48 hours), are referred as Offline calculated risks. Additionally, the risks can be divided to premium and non-premium risks. The premium ones, are only available for the subscriptions with Microsoft Entra ID P2 licenses. Those available for everyone else (including the Free subscription) are referred as non-premium risk detections, more details can be found here. In case you are not Microsoft Entra ID P2 customer and the premium risk was detected in your tenant, you only see the event with title Additional risk detected, without extra details.
Auditing for Insider Threat Detection
For the proper auditing for Insider Threat Detection performed by Microsoft Entra ID, you need to configure the notifications. The tool supports notifications via email messages and provides 2 types of reports – users at risk detected and weekly digest report.
"Users at risk detected" notifications
- To configure the users at risk detected go to Microsoft Entra Admin Center at https://entra.microsoft.com.
- Navigate to Protection > Identity Protection.
- Go to Users at risk detected alerts.
- Specify the recipients that have to receive notifications. Note, all users with assigned roles of Global Admin, Security Admin and Security Reader receive these notifications by default. Configure the risk level that should trigger the alert – Low, Medium or High, then press Save.
ID Protection categorizes detected risks into 3 levels: low, medium, and high. Risk level calculation is performed by the hidden algorithms. The higher the risk level the higher the confidence that the user or sign-on is compromised. By default, the alerts are enabled for high level risks only, you can adjust this setting if needed.
"Weekly Digest" notifications
- Back on the Identity Protection page, select Weekly Digest.
- Enable or disable the digest based on your requirements.
It is a good practice to visit the Identity Protection dashboard, to see the general information about the insider threat detection. It shows the infographics related to this security aspect.
Try our Active Directory & Office 365 Reporting & Auditing Tools
Try us out for Free. 100’s of report templates available. Easily customise your own reports on AD, Azure AD & Office 355.
Remediate the Threats
When the threat is detected, IT administrator shall perform the investigation and remediation actions. The action depends on the result of the investigation. The threat can be dismissed, user account blocked, or user may be forced to change the password or confirm their identity (for example, by providing an additional authentication factor).
To automate remediation of the detected threats, you need to configure risk-based conditional access policies. Microsoft Entra ID Protection forwards the identified risks to the Conditional Access, where you configure user risk and sign-in risk policies to specify which remediation actions are required to dismiss the risk. Before the creation of the policy, define the risk level that triggers the policy. The stricter the policy, the more often user interruptions are expected.
Create Risk based Conditional Access Policy
- To create a conditional access policy, go to Microsoft Entra Admin Center at https://entra.microsoft.com.
- Navigate to Protection > Conditional Access.
- In the appeared Conditional Access blade, select New Policy.
- In the Name field, enter the name of the policy. In the Assignments sections, select Users.
- In the Include section, select All users. In Exclude, specify your break glass account.
- In the Target resources section, select All cloud apps.
- In the Conditions, select User risk for the user risk-related policy, or Sign-in risk for sign-in risk-related policy. After, select the risk level that triggers the policy and select Done.
- In the Access Control section, go to Grant. Select Grant Access and also select the required remediation action. According to the article Configure and enable risk policies, Microsoft recommends using Require password change for user risk policies, and Require Microsoft Entra multi factor authentication for sign-in risk policies. Press Select.
- Go to the Session configuration, and in the appeared window enable Sign-in frequency checkbox and select Every time. Press Select, and press Create button.
Prior to enabling the policies, it is a good practice to communicate the end users, since their sign-in experience can be changed. In some cases, when users try to access the services, they can be asked to remediate the risks based on the configured policies. The detailed information about the expected sign-in interruptions can be found in article User experiences with Microsoft Entra ID Protection.
That is a wrap! Thank you for reading Entra ID Auditing Insider Threats: Detect Anomalous User Behaviour. Let’s summarize below.
Entra ID Auditing Insider Threats: Detect Anomalous User Behaviour Conclusion
Insider threats are fairly considered as one of the most dangerous types of threats. Therefore, the continuous monitoring and auditing of insider threat detection is crucial for many companies. Microsoft Entra contains the powerful tool for this purpose – ID Protection, which provides multifaceted approach to anomaly detection, classifying risks and feeding the collected information to other tools. It helps to identify the wide variety of anomalous user behavior, able to send notifications for immediate alerts and weekly digests to provide administrators with actionable insights to mitigate detected risks effectively. Coupled with the ability to automate remediation through Conditional Access policies, Entra ID Protection not only identifies threats but also empowers organizations to proactively respond to potential breaches.
Try InfraSOS for FREE
Try InfraSOS Active Directory, Azure AD & Office 365 Reporting & Auditing Tool