Guide to Incident Response Investigations on Unauthorized Account Sign‐Ins in Microsoft Azure - ToddMaxey/Technical-Documentation GitHub Wiki

Guide to Incident Response Investigations on Unauthorized Account Sign-Ins in Microsoft Azure

===============================================================================================================

This guide provides a holistic, in-depth perspective on investigating unauthorized sign-ins in Microsoft Azure and Office resources. It places strong emphasis on both proactive and reactive strategies, particularly in relation to Conditional Access, Microsoft Defender security policies, and the MITRE ATT&CK® framework. By integrating these core pillars, the investigation process can more effectively block, detect, and prevent malicious activities targeting cloud-based assets.

1. Introduction

Modern adversaries often leverage stolen credentials, phishing attacks, and advanced evasion techniques to gain entry into cloud environments. In alignment with MITRE ATT&CK classifications, these threats predominantly map to Tactic TA0001: Initial Access (e.g., T1566: Phishing) and can later evolve into Tactic TA0003: Persistence or TA0008: Lateral Movement once an attacker infiltrates. Properly configured Conditional Access policies and Microsoft Defender security controls serve as foundational defenses that help detect and impede these threats throughout the chain of compromise.

2. Leveraging Conditional Access Policies

2.1 Overview and Purpose

Conditional Access combines signals—such as user and device risk levels, geographic locations, and device compliance status—to enforce real-time access decisions. This approach correlates with Tactic TA0001: Initial Access and Tactic TA0003: Persistence in MITRE ATT&CK, as misconfigured or missing policies may allow adversaries to maintain unauthorized access.

  1. Adaptive Policies Based on Risk

    • High-risk sign-ins (RiskLevel: High) can be blocked or subjected to additional Multi-Factor Authentication (MFA) checks.

    • Impossible travel scenarios detected via Microsoft Entra ID Identity Protection (impossible location sign-ins) trigger stricter enforcement.

  2. Blocking Legacy Authentication

    • Many legacy protocols (POP, IMAP, SMTP) do not support modern MFA. Attackers commonly exploit them for brute force attacks (T1110: Brute Force) or password spraying.

    • Conditional Access policies should restrict or disable these protocols to reduce exposure.

  3. Geolocation and Named Locations

    • Define trusted IP ranges and block high-risk geolocations.

    • In MITRE ATT&CK terms, this helps combat T1078: Valid Accounts, where compromised credentials are abused from unusual or malicious regions.

Practical Conditional Access Example

Policy Name: “Block High-Risk Sign-Ins” 

Assignments: 

  - Users: All (except break-glass accounts) 

Conditions: 

  - Risk Level: High 

Grant Controls: 

  - Block Access

Such policies proactively prevent adversaries—who have obtained credentials—from leveraging them in real-time.

3. Microsoft Defender Policies for Blocking and Detection

3.1 Microsoft Defender for Cloud Apps (formerly MCAS)

Why It Matters: Microsoft Defender for Cloud Apps (MDCA) furnishes granular visibility into user activities across multiple SaaS applications, correlating unusual sign-ins, impossible travel, and mass download events. It aligns with Tactic TA0006: Credential Access and Tactic TA0009: Collection in MITRE ATT&CK, where adversaries exfiltrate large volumes of data or harvest credentials via OAuth abuse.

  • Key Features

    • Alert on Unauthorized OAuth Grants: Attackers might register malicious applications to bypass MFA checks and maintain persistence (related to T1098: Account Manipulation).

    • Improbable Travel Detection: Identifies logins from different geographic regions within short timeframes.

    • Integration with Microsoft Entra ID: Correlates user risk, impossible travel, and suspicious sign-ins across Azure AD and third-party apps.

    MCASAlerts

    | where AlertCreationTime > ago(7d)

    | where AlertType contains "OAuth app" or AlertType contains "Impossible travel"

    | project AlertCreationTime, AlertName, Description, Severity, UserAccounts

    | order by AlertCreationTime desc

By associating MCAS alerts with sign-in anomalies, organizations can more effectively spot multi-vector attacks.

3.2 Microsoft Defender for Cloud (Azure Security Center)

Location: Microsoft Defender for Cloud → Security Policies

  • Provides security recommendations for virtual machines, storage, Key Vault, and other Azure resources, often mapping to TA0002: Execution or TA0003: Persistence within MITRE ATT&CK when an adversary modifies resource configurations for malicious persistence.

Security Alert Correlation

SecurityAlert 

| where TimeGenerated > ago(7d) 

| where ProviderName contains "IdentityProtection" 

| project TimeGenerated, AlertName, CompromisedEntity, Description, ReportedSeverity 

| order by TimeGenerated desc

Automated alerts from Defender for Cloud integrate with Azure AD Identity Protection signals, helping block or disrupt an attack as it unfolds (e.g., T1552: Unsecured Credentials in storage accounts).

4. Core Log Sources for Incident Investigation

While Conditional Access and Defender policies provide real-time blocking and alerting, deeper incident investigations require methodical log analysis:

4.1 Microsoft Entra ID Sign-In Logs

  • Maps to: T1078: Valid Accounts, T1110: Brute Force

  • Purpose: Track user attempts—successful, failed, or interrupted—and identify anomalies (impossible travel, atypical device usage).

    SigninLogs

    | where TimeGenerated > ago(7d)

    | where RiskState == "AtRisk" and RiskLevel == "High"

    | project TimeGenerated, UserPrincipalName, RiskDetail, RiskEventTypes, IPAddress, Location, DeviceDetail

    | order by TimeGenerated desc

4.2 Azure AD User Risk Detection

  • Maps to: T1087: Account Discovery

  • Location: Identity Protection → Risky Users

  • Purpose: Detects compromised credentials, including leaked or brute-forced credentials.

    IdentityProtectionEvents

    | where TimeGenerated > ago(7d)

    | where RiskState == "ConfirmedCompromised"

    | project TimeGenerated, UserPrincipalName, RiskLevel, RiskDetail, RiskEventTypes, DetectionType

    | order by TimeGenerated desc

These events are pivotal for identifying accounts that attackers have successfully subverted.

4.3 Audit Logs for Service Principals & OAuth App Abuses

  • Maps to: T1098: Account Manipulation, T1136: Create Account

  • Key Insight: Attackers exploit service principals or register malicious OAuth applications to sustain persistence without direct user sign-ins.

    AuditLogs

    | where TimeGenerated > ago(7d)

    | where OperationName in ("Add service principal", "Consent to application", "Update application permissions")

    | project TimeGenerated, InitiatedBy, TargetResources, IPAddress

    | order by TimeGenerated desc

4.4 Lateral Movement & Privilege Escalation

  • Maps to: TA0008: Lateral Movement, TA0003: Persistence

  • Indicators: New role assignments, suspicious VM deployments, abnormal storage account permission changes.

    AuditLogs

    | where TimeGenerated > ago(7d)

    | where OperationName == "Add member to role"

    | extend RoleAssigned = tostring(TargetResources[0].displayName)

    | extend AssignedTo = tostring(TargetResources[0].userPrincipalName)

    | project TimeGenerated, InitiatedBy, AssignedTo, RoleAssigned, IPAddress

    | order by TimeGenerated desc

Immediately inspect unplanned admin role assignments to mitigate broader escalation and exfiltration attempts (T1567: Exfiltration Over Web Service).

4.5 Azure Key Vault Exfiltration

  • Maps to: T1552: Unsecured Credentials

  • Tactic: Attackers aim to obtain credentials or cryptographic keys stored in Key Vault.

    AzureDiagnostics

    | where ResourceType == "VAULTS" and OperationName == "KeyVaultSecretGet"

    | project TimeGenerated, Caller, OperationName, Resource, IPAddress

    | order by TimeGenerated desc

Investigate unusual access patterns or suspicious IP addresses associated with Key Vault secret retrieval.

5. Enriched Strategies and Recommendations

5.1 Enforce Automated Blocking with Conditional Access

  • High-Risk Sign-Ins: Mandate additional verification or block entirely.

  • Known Malicious IP Ranges: Employ named locations and geofencing to prevent repeated credential abuse.

5.2 Harden Microsoft Defender Policies

  1. Defender for Cloud Apps:

    • Configure anomaly detection for mass downloads, excessive file deletions, and suspicious OAuth consents.

    • Correlate alerts with user risk data from Azure AD.

  2. Defender for Cloud (Azure Security Center):

    • Implement baseline security recommendations for VMs and containers.

    • Enable Just-In-Time (JIT) VM access to reduce exposure windows.

5.3 Integrate MITRE ATT&CK Tactics in Alerts

  • Label your custom Sentinel alerts or detection playbooks with MITRE ATT&CK codes (e.g., T1078 for Valid Accounts) to clarify how each detection fits into the overall kill chain.

  • This alignment enhances threat-hunting workflows, as analysts readily identify potential next steps an adversary might pursue (e.g., pivot to T1098: Account Manipulation).

5.4 Additional Monitoring Measures

  • Privileged Identity Management (PIM): Oversee JIT role activation events. Attackers that breach an account may attempt role elevation (TA0003: Persistence).

  • Azure Activity Logs: Detect resource manipulations that do not explicitly require user sign-ins, tying them to MITRE tactics such as T1078, T1098, or T1087 (Account Discovery).

6. Structured Incident Response Workflow

  1. Detection & Analysis

    • Gather sign-in logs, risk detections, and MCAS alerts (Tactic TA0001: Initial Access).

    • Correlate suspicious sign-ins with unusual resource modifications or Key Vault access.

  2. Containment

    • Disable compromised accounts or enforce immediate password resets.

    • Revoke malicious OAuth grants and block risky IP addresses via Conditional Access.

  3. Eradication

    • Remove malicious service principals (T1098) or nested roles.

    • Rotate credentials in Key Vault if suspected leaks have occurred (T1552).

  4. Recovery

    • Restore normal operations and privileges after thoroughly verifying that no backdoors remain.

    • Re-enable user accounts with stricter Conditional Access rules to prevent recurrence.

  5. Lessons Learned & Hardening

    • Update policies to block newly identified threat vectors.

    • Educate administrators on advanced tactics, including suspicious OAuth app registration or PIM misuse.

TL;DR

A defense against unauthorized account sign-ins in Microsoft Azure—and by extension, Office resources—hinges on Conditional Access policies, Microsoft Defender security configurations, and thorough log-based investigations aligned with the MITRE ATT&CK® framework. By proactively blocking legacy authentication methods, enforcing multi-factor verification on high-risk sign-ins, and integrating advanced threat intelligence from Defender for Cloud Apps, organizations can substantially reduce the likelihood of successful breaches.

Key Takeaways:

  1. Conditional Access Enforcement: Real-time blocking of high-risk events, geofencing suspicious IPs, and deactivating legacy protocols.

  2. Defender Policies Integration: Leverage both Defender for Cloud Apps and Defender for Cloud to correlate alerts and enforce advanced security configurations.

  3. MITRE ATT&CK Alignment: Tag queries and alerts with relevant technique identifiers to clarify the adversary’s stage in the attack cycle.

  4. Incident Response Methodology: Follow a structured framework—detection, containment, eradication, recovery, and continuous improvement—to protect cloud assets from evolving threats.

By deploying these strategies in concert, security teams can systematically thwart unauthorized sign-ins, detect anomalous activity across Azure resources, and obstruct adversaries at multiple points along the attack chain.