EntraID Cloud sync IR considerations - ToddMaxey/Technical-Documentation GitHub Wiki

This page walks through the specific indicators and actions an incident responder would examine in an EntraID Cloud Connect environment, given how that service operates.

Here is an approach to identifying a compromise, together with the EntraID/Azure audit logging you should expect to find, in an EntraID Cloud Connect context:

Assessing Initial Access

  1. Application of Cloud Security Posture Management Tools:

    • Evaluation of Synchronization Settings: Regularly audit the synchronization logs and settings for anything that diverges from the predefined best practices, such as excessively broad data scopes or faulty filtering rules, which could expose sensitive information.

    • Analysis of Service Principal Security: Review the permissions assigned to the service principals linked to EntraID Cloud Connect for over-privilege or missing restrictions that would indicate a misconfiguration.

Detecting Anomalies

  1. Monitoring Synchronization Patterns:

    • Look for anomalies in how data syncs, in terms of both frequency and volume. Unusual patterns could hint at unauthorized data movement or identity manipulation attempts.

  2. Surveillance of Administrative Activities:

    • Watch for unexpected or unauthorized administrative actions within EntraID Cloud Connect, such as changes to sync rules or the creation of unsanctioned sync tasks.

Identifying Intrusions related to EntraID Cloud Connect

  1. Reinforcing Multi-Factor Authentication Protocols:

    • Investigating Sign-In Records: Review all failed sign-in attempts, paying particular attention to any that bypassed multi-factor authentication.

    • Scrutiny of MFA Configurations: Investigate any changes to MFA settings that weaken the security posture, since they could enable brute-force attacks.

Uncovering Spoofing and Phishing Tactics

  1. Analyzing Conditional Access Logs:

    • Inconsistencies in Policy Enforcement: Investigate any cases where conditional access policies do not apply as expected; this can indicate tampering or misconfiguration.

    • Reviewing Post-Policy Change Sign-Ins: Scrutinize sign-ins that occur immediately after a policy change, as they may indicate a targeted phishing campaign exploiting the newly opened gap.

Probing for Tenant Compromises

  1. Conducting Role-Based Access Control Audits:

    • Auditing Role Assignments: Examine any unexpected role changes within EntraID Cloud Connect, particularly unauthorized privilege escalations.

    • Behavioral Role Usage Analysis: Use of EntraID-specific roles that deviates from a user's established pattern should be flagged as a possible account compromise.

Investigating Data Exfiltration Attempts

  1. Monitoring Cloud Access Security Broker Activities:

    • Tracking Data Synchronization: Scrutinize any synchronization of data to unexpected Azure AD tenants or external directories, which may indicate an attempt to exfiltrate data.

    • Assessing Permissions Allocated Through Sync Tasks: Inspect permissions granted through synchronization tasks to ensure they do not enable unauthorized access.

EntraID/Azure audit logging should contain records of all the activities described above: synchronization logs, sign-in logs, administrative action logs, conditional access and role change events, and CASB logs. Together these provide the data needed to pinpoint irregularities, unauthorized access, or changes that could indicate a compromise.
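Two of the checks above, unexpected privileged role assignments and sign-ins immediately after a conditional access policy change, as an added triage example (not part of this wiki page or any Microsoft tooling). The records are constructed samples shaped like Microsoft Graph `auditLogs/directoryAudits` and `auditLogs/signIns` entries; the watched role list and the conditional access activity names in `POLICY_EVENTS` are assumptions to adjust for your tenant.

```python
import json
from datetime import datetime, timedelta
# Constructed sample records (not real tenant data), shaped like Microsoft Graph
# auditLogs/directoryAudits and auditLogs/signIns entries, trimmed to the fields used here.
AUDIT_RECORDS = json.loads("""[
 {"activityDateTime": "2024-05-01T10:00:00Z", "activityDisplayName": "Update conditional access policy",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}}, "targetResources": []},
 {"activityDateTime": "2024-05-01T10:02:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "svc-sync@example.test"}},
  "targetResources": [{"displayName": "Global Administrator"}]},
 {"activityDateTime": "2024-05-01T11:00:00Z", "activityDisplayName": "Add member to role",
  "initiatedBy": {"user": {"userPrincipalName": "admin@example.test"}},
  "targetResources": [{"displayName": "Reports Reader"}]}
]""")
SIGNIN_RECORDS = json.loads("""[
 {"createdDateTime": "2024-05-01T10:03:00Z", "userPrincipalName": "cfo@example.test",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T10:05:00Z", "userPrincipalName": "dev@example.test",
  "conditionalAccessStatus": "success", "status": {"errorCode": 0}},
 {"createdDateTime": "2024-05-01T15:00:00Z", "userPrincipalName": "hr@example.test",
  "conditionalAccessStatus": "notApplied", "status": {"errorCode": 0}}
]""")
# Assumed watch-list of roles whose assignment always deserves a closer look.
WATCH_ROLES = {"Global Administrator", "Privileged Role Administrator", "Hybrid Identity Administrator"}
# Assumed activity names for conditional access policy changes; match them to your own audit log.
POLICY_EVENTS = {"Update conditional access policy", "Add conditional access policy",
                 "Delete conditional access policy"}

def ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def privileged_role_grants(audits, watch_roles=WATCH_ROLES):
    """Assignments to watched roles, returned as (initiating UPN, role name) pairs."""
    hits = []
    for rec in audits:
        if rec["activityDisplayName"] in ("Add member to role", "Add eligible member to role"):
            who = rec.get("initiatedBy", {}).get("user", {}).get("userPrincipalName", "<unknown>")
            hits += [(who, t["displayName"]) for t in rec.get("targetResources", [])
                     if t.get("displayName") in watch_roles]
    return hits

def signins_after_policy_change(signins, audits, window_minutes=30):
    """UPNs with a successful sign-in shortly after a CA policy change where no CA policy applied."""
    changes = [ts(r["activityDateTime"]) for r in audits if r["activityDisplayName"] in POLICY_EVENTS]
    window, flagged = timedelta(minutes=window_minutes), []
    for s in signins:
        when = ts(s["createdDateTime"])
        if (any(c <= when <= c + window for c in changes) and s["status"]["errorCode"] == 0
                and s["conditionalAccessStatus"] == "notApplied"):
            flagged.append(s["userPrincipalName"])
    return flagged
```

Against the sample data, the first function surfaces the Global Administrator grant by the sync service account, and the second flags the one sign-in that succeeded three minutes after the policy change with no conditional access policy applied.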