Monitor login failure messages from expired known user accounts. If users are not part of the organization, we recommend investigating any other received authentication messages.Active Directory is a well-known technology used in several organizations for authentication, authorization, network access and identity lifecycle management. Users, applications, IoT devices, and other essential network connections use AD every time they access an enterprise's systems. Hence it is one of the popular targets for malicious actors, as compromising a single Active Directory gives them access to the company's entire digital infrastructure. The Azure AD is a powerful tool to simplify access management in the cloud; however, it has a much bigger threat landscape.
Suspicious admin activities in Azure AD
Monitor any attempts to reset the administrator passwords, reassign roles, contributor access and registration of the applications. An attempt to change group membership or customize roles in the Azure in combination with password reset can indicate malicious activity. Monitor any usage or creation or personal access token of the privileged users.
Known suspcicious IP addresses
Block and monitor any login attempts from known malicious IP addresses. Microsoft and other monitoring solutions publish the lists regularly. Enforce conditional access on the unknown VPN access.
Login Failure from Disabled Account
If a user is not part of the organisation anymore, it is crucial to monitor authentication messages received from the same user.
Login Failure from Expired Account
Monitor login failure messages from expired known user accounts. If users are not part of the organization, we recommend investigating any other received authentication messages.
Insider Threats alerts
Monitor for abnormal activities from users, including terminated and leaving employees
Brute Force attempts
Monitor repeated access attempts to a system using multiple accounts and passwords. For Azure AD, monitor delayed login attempts for an ID from different IP addresses or multiple IDs from the same IP address.
Password Ageing exceptions
It is important to monitor if there are ageing passwords users and exceptions. Typically, organisations impose password policies that expire after every X number of days.
Usage of dormant accounts
Monitor the events from accounts that have been dormant for the last 90 days at least.
Unauthorized or unapproved access.
Monitor for events that result in addition, deletion, and modification of credentials, user IDs, and other identifier objects.
EventID: 4720 – User Creation
EventID: 4726 – User Deletion
EventID: 5136 – User Details modification