General
This rule compares login attempts in Entra ID with the data in your MISP source. If a login attempt is detected from an IP address that is known in MISP, an alarm is raised.
Rationale
The MISP source serves as a repository of indicators of malicious behavior. These indicators are obtained from research into previous attacks on other organizations, and sharing them ensures that similar new attacks are detected in a timely manner. By correlating this data with the logs in your Microsoft tenant, detection is active and Attic helps with rapid incident handling.
Attic currently supports the following MISP sources:
- Z-CERT
- IBD from VNG
- FERM Rotterdam
Use of these sources is only permitted for the intended target group, which Attic will validate per customer.
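The matching the rule performs can be illustrated with a small correlation script. The following is an added example, not Attic's or Zolder's own code: it loads a constructed MISP event export, keeps only the IP attributes an analyst has flagged for detection (MISP's `to_ids` flag), and checks constructed Entra ID sign-in records against them, including CIDR-range indicators. Each match is reported with whether the login succeeded, because a successful login is the case in which blocking the account is recommended. All indicator values, users and sign-in records below are constructed sample data.

```python
from __future__ import annotations

import ipaddress
import json
from dataclasses import dataclass

# Constructed MISP event export (subset of the MISP JSON format); not real threat intel.
MISP_EVENT_JSON = json.dumps({
    "Event": {
        "info": "constructed example: login infrastructure seen in earlier incidents",
        "Attribute": [
            {"type": "ip-src", "value": "203.0.113.45", "to_ids": True},
            {"type": "ip-src", "value": "198.51.100.0/24", "to_ids": True},   # CIDR indicator
            {"type": "ip-dst", "value": "192.0.2.7", "to_ids": False},        # not flagged for detection
            {"type": "domain", "value": "example.invalid", "to_ids": True},  # not an IP indicator
        ],
    }
})

# Constructed Entra ID sign-in records (subset of the Graph signIn resource fields).
# errorCode 0 is a successful sign-in; 50126 is an invalid username or password.
SIGNIN_LOGS = [
    {"id": "a1", "createdDateTime": "2024-05-01T08:12:03Z", "userPrincipalName": "alice@example.invalid",
     "ipAddress": "203.0.113.45", "status": {"errorCode": 0}},
    {"id": "a2", "createdDateTime": "2024-05-01T08:14:51Z", "userPrincipalName": "bob@example.invalid",
     "ipAddress": "198.51.100.77", "status": {"errorCode": 50126}},
    {"id": "a3", "createdDateTime": "2024-05-01T08:20:00Z", "userPrincipalName": "carol@example.invalid",
     "ipAddress": "192.0.2.7", "status": {"errorCode": 0}},
    {"id": "a4", "createdDateTime": "2024-05-01T08:25:00Z", "userPrincipalName": "dave@example.invalid",
     "ipAddress": "10.0.0.5", "status": {"errorCode": 0}},
]


def load_ip_indicators(misp_json: str) -> list:
    """Return the IP indicators (as ip_network objects) flagged for detection in a MISP event."""
    event = json.loads(misp_json)["Event"]
    networks = []
    for attr in event.get("Attribute", []):
        if attr.get("type") not in ("ip-src", "ip-dst") or not attr.get("to_ids"):
            continue
        try:
            # strict=False accepts single IPs (as /32 or /128) as well as CIDR ranges.
            networks.append(ipaddress.ip_network(attr["value"], strict=False))
        except ValueError:
            continue  # malformed indicator value; skip rather than abort the whole feed
    return networks


@dataclass
class Alert:
    signin_id: str
    user: str
    ip: str
    indicator: str
    successful: bool
    recommended_action: str


def match_signins(signins: list, indicators: list) -> list[Alert]:
    """Raise one alert per sign-in whose source IP falls inside any MISP IP indicator."""
    alerts = []
    for rec in signins:
        try:
            ip = ipaddress.ip_address(rec["ipAddress"])
        except (KeyError, ValueError):
            continue  # record without a parseable source address
        for net in indicators:
            if ip.version == net.version and ip in net:
                successful = rec.get("status", {}).get("errorCode") == 0
                action = ("block the account, reset the password, revoke sessions and investigate"
                          if successful else "investigate; credentials were not accepted")
                alerts.append(Alert(rec["id"], rec["userPrincipalName"], str(ip), str(net), successful, action))
                break  # one alert per sign-in is enough, even if several indicators overlap
    return alerts


if __name__ == "__main__":
    for alert in match_signins(SIGNIN_LOGS, load_ip_indicators(MISP_EVENT_JSON)):
        print(alert)
```

Running it alerts on `a1` (successful login from a listed IP) and `a2` (failed attempt from inside a listed range); `a3` is skipped because the analyst did not flag that attribute for detection, and `a4` does not match anything. Filtering on `to_ids` matters in practice: MISP events also carry context attributes that are not meant to drive detection, and alerting on them produces false positives.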
Attic Fix
A Fix is available for this detection that blocks the account in question. It is recommended to perform this Fix if the login attempt was successful.
This action ensures that no further damage can occur, but it is advisable to perform follow-up research into what the account has done since the login attempt.
If you have an IR Strippenkaart, please contact our experts to perform the follow-up research.
Manual follow-up
Perform these steps to adequately follow up on this detection:
- Open the Entra admin portal: https://entra.microsoft.com
- Go to Identity, then Monitoring & Health, then Sign-in logs
- Find the log entry referenced by the Attic alarm
- Investigate the login attempt and, only if it cannot be established that the alarm is a false positive, take the following steps:
  - Block the user account
  - Reset the password and revoke all signed-in sessions
  - Investigate the account for suspicious behavior, changed authentication methods and suspicious app consents. Zolder can assist with this.
  - Re-enable the account only once it is safe to use again.