October 24 , 2021

Monitoring Use Cases For Cloud- Active Directory

Monitor login failure messages from expired known user accounts. If users are not part of the organization, we recommend investigating any other received authentication messages.Active Directory is a well-known technology used in several organizations for authentication, authorization, network access and identity lifecycle management. Users, applications, IoT devices, and other essential network connections use AD every time they access an enterprise's systems. Hence it is one of the popular targets for malicious actors, as compromising a single Active Directory gives them access to the company's entire digital infrastructure. The Azure AD is a powerful tool to simplify access management in the cloud; however, it has a much bigger threat landscape.

Suspicious admin activities in Azure AD

Monitor any attempts to reset the administrator passwords, reassign roles, contributor access and registration of the applications. An attempt to change group membership or customize roles in the Azure in combination with password reset can indicate malicious activity. Monitor any usage or creation or personal access token of the privileged users.

Known suspcicious IP addresses

Block and monitor any login attempts from known malicious IP addresses. Microsoft and other monitoring solutions publish the lists regularly. Enforce conditional access on the unknown VPN access.

Login Failure from Disabled Account

If a user is not part of the organisation anymore, it is crucial to monitor authentication messages received from the same user.

Login Failure from Expired Account

Monitor login failure messages from expired known user accounts. If users are not part of the organization, we recommend investigating any other received authentication messages.

Insider Threats alerts

Monitor for abnormal activities from users, including terminated and leaving employees

Brute Force attempts

Monitor repeated access attempts to a system using multiple accounts and passwords. For Azure AD, monitor delayed login attempts for an ID from different IP addresses or multiple IDs from the same IP address.

Password Ageing exceptions

It is important to monitor if there are ageing passwords users and exceptions. Typically, organisations impose password policies that expire after every X number of days.

Usage of dormant accounts

Monitor the events from accounts that have been dormant for the last 90 days at least.

Unauthorized or unapproved access.

Monitor for events that result in addition, deletion, and modification of credentials, user IDs, and other identifier objects.

EventID: 4720 – User Creation
EventID: 4726 – User Deletion
EventID: 5136 – User Details modification

Guest Author
Mahipal

ACCESS OUR PUBLICATIONS

Decoding the Impact of AI on Data Privacy and Security in Today's Business Landscape

Explore the intricate relationship between artificial intelligence and data privacy and security with comprehensive guidance from Aristiun.

Demystifying AI Threat Modeling: Revolutionizing Cybersecurity in 2024

Dive into the world of AI threat modeling, explore its key components, and learn how its adoption is crucial to strengthening cybersecurity in organisations.

April 7, 2024

Exploring the Impact of Next-Generation AI Security Solutions in 2024

Discover the incredible impact of next-generation AI security solutions in reshaping the cybersecurity landscape in 2024. Read here to learn more!

Our products
Security Maturity Lifecycle Cloud Security PostureAutomated Threat ModelingASPM - Pipeline Security
Patents pending -> Europe - EP23020192.3, US IP 18135688, India - 202341029005
Copyright © 2024 Aristiun - All Rights Reserved.