Microsoft Sentinel SOC 101: How to Detect and Mitigate Inactive Account Sign-ins with Microsoft Sentinel
Where have you been?
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Microsoft Sentinel is a cloud-native security information and event management (SIEM) solution that helps organizations collect, analyze, and respond to security data from various sources. One of the common security challenges that organizations face is the detection and mitigation of inactive account sign-ins. Inactive accounts are user accounts that are no longer required or used by members of the organization, but still have access to resources and data. These accounts pose a security risk, as they can be exploited by attackers to gain unauthorized access, perform malicious actions, or leak information.
In this post, I will explore how to use Microsoft Sentinel to detect and mitigate inactive account sign-ins with Microsoft Entra ID, the identity and access management service that provides single sign-on and multi-factor authentication for cloud and hybrid applications. I will also discuss some of the best practices and recommendations for managing inactive accounts in Microsoft Entra ID.
Detect Inactive Account Sign-ins with Microsoft Sentinel
To detect inactive account sign-ins with Microsoft Sentinel, you need to collect and analyze the sign-in logs from Microsoft Entra ID. The sign-in logs contain information about the user, application, device, location, and risk level of each sign-in attempt. The sign-in logs can be ingested into Microsoft Sentinel by using the built-in Microsoft Entra ID connector, which is available in the Data connectors page of the Microsoft Sentinel portal.
To enable the Microsoft Entra ID connector, follow these steps:
In the Microsoft Sentinel portal, go to Data connectors and select Microsoft Entra ID.
Click Open connector page and review the prerequisites and instructions.
Click Connect and grant the required permissions to enable the connector.
Wait for a few minutes for the connector to start ingesting data.
Once the connector is enabled, you can use Kusto Query Language (KQL) to query the sign-in logs in the Logs page of the Microsoft Sentinel portal. The sign-in logs are stored in the SigninLogs table in the Log Analytics workspace.
To detect inactive account sign-ins, you need to use the SignInActivity property of the user object in Microsoft Entra ID, which shows the last time a user attempted to make an interactive sign-in. You can use the Microsoft Graph API to query this property for all users or a specific user. For example, you can use the following query to get the last sign-in date and time for all users:
SigninLogs
| where TimeGenerated > ago(30d)                             // only sign-in events from the last 30 days
| summarize arg_max(TimeGenerated, *) by UserPrincipalName  // keep the latest row for each user
| project UserPrincipalName, TimeGenerated
| join kind=leftouter (
    // right side: the directory's last-sign-in value per user, as returned by Microsoft Graph
    externaldata(displayName:string,lastSignInDateTime:datetime)
    [@"https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity"]
    with(format="json", ingestionMapping=[{"column":"displayName","path":"displayName"},{"column":"lastSignInDateTime","path":"signInActivity/lastSignInDateTime"}])
) on $left.UserPrincipalName == $right.displayName          // join key: the right-hand column must hold the same value as the UPN
| project UserPrincipalName, TimeGenerated, lastSignInDateTime
The query joins the SigninLogs table with an external data source from the Microsoft Graph API, which returns the displayName and lastSignInDateTime properties for all users. The query then projects the UserPrincipalName, TimeGenerated, and lastSignInDateTime columns for each user.
You can use this query as a baseline to detect inactive account sign-ins by applying filters or conditions based on your own criteria. For example, you can use the following query to get a list of users who have not signed in for more than 90 days:
SigninLogs
| where TimeGenerated > ago(30d)                             // only sign-in events from the last 30 days
| summarize arg_max(TimeGenerated, *) by UserPrincipalName  // keep the latest row for each user
| project UserPrincipalName, TimeGenerated
| join kind=leftouter (
    // right side: the directory's last-sign-in value per user, as returned by Microsoft Graph
    externaldata(displayName:string,lastSignInDateTime:datetime)
    [@"https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity"]
    with(format="json", ingestionMapping=[{"column":"displayName","path":"displayName"},{"column":"lastSignInDateTime","path":"signInActivity/lastSignInDateTime"}])
) on $left.UserPrincipalName == $right.displayName          // join key: the right-hand column must hold the same value as the UPN
| project UserPrincipalName, TimeGenerated, lastSignInDateTime
| where lastSignInDateTime < ago(90d)                       // directory last sign-in older than 90 days
The query adds a where clause that keeps only users whose lastSignInDateTime is older than 90 days. Because the join is leftouter, a user with no matching Graph record has a null lastSignInDateTime; the comparison with a null is false, so such users are dropped by this filter as well.
You can also use this query as a basis to create alerts or incidents in Microsoft Sentinel when inactive account sign-ins are detected. For example, you can use the following query to create an alert when a user who has not signed in for more than 180 days signs in again:
SigninLogs
| where TimeGenerated > ago(30d)                             // only sign-in events from the last 30 days
| summarize arg_max(TimeGenerated, *) by UserPrincipalName  // keep the latest row for each user
| project UserPrincipalName, TimeGenerated
| join kind=leftouter (
    // right side: the directory's last-sign-in value per user, as returned by Microsoft Graph
    externaldata(displayName:string,lastSignInDateTime:datetime)
    [@"https://graph.microsoft.com/v1.0/users?$select=displayName,signInActivity"]
    with(format="json", ingestionMapping=[{"column":"displayName","path":"displayName"},{"column":"lastSignInDateTime","path":"signInActivity/lastSignInDateTime"}])
) on $left.UserPrincipalName == $right.displayName          // join key: the right-hand column must hold the same value as the UPN
| project UserPrincipalName, TimeGenerated, lastSignInDateTime
| where lastSignInDateTime < ago(180d)                      // directory last sign-in older than 180 days
| extend AccountCustomEntity = UserPrincipalName            // entity field Sentinel maps to an Account entity
The query adds an extend clause that copies the UserPrincipalName column into the AccountCustomEntity field, which Microsoft Sentinel uses to identify the account entity involved in the alert. You can then use the Analytics page of the Microsoft Sentinel portal to create a scheduled rule based on this query, and configure the alert details, trigger conditions, and response actions.
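The logic of the three queries above (latest sign-in per user, leftouter join with the directory's lastSignInDateTime, dormancy threshold, entity field) reproduced in Python as an added example, not code from this post, so the null-handling and threshold behaviour can be checked offline. The SigninLogs rows, the signInActivity values and the contoso.example UPNs are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 3, 1, tzinfo=timezone.utc)   # fixed clock so the sample is reproducible

# Constructed SigninLogs rows (subset of columns); not real tenant data.
SIGNIN_LOGS = [
    {"UserPrincipalName": "alice@contoso.example", "TimeGenerated": NOW - timedelta(days=2)},
    {"UserPrincipalName": "alice@contoso.example", "TimeGenerated": NOW - timedelta(days=20)},
    {"UserPrincipalName": "bob@contoso.example", "TimeGenerated": NOW - timedelta(days=1)},
    {"UserPrincipalName": "carol@contoso.example", "TimeGenerated": NOW - timedelta(days=5)},
    {"UserPrincipalName": "dave@contoso.example", "TimeGenerated": NOW - timedelta(days=40)},
]

# Constructed signInActivity.lastSignInDateTime values keyed by UPN (the directory's view).
SIGNIN_ACTIVITY = {
    "alice@contoso.example": NOW - timedelta(days=20),   # regular user
    "bob@contoso.example": NOW - timedelta(days=200),    # dormant account now seen signing in
    # carol has no record: the leftouter join yields a null lastSignInDateTime
}


def latest_signin_per_user(signin_logs, now, lookback_days=30):
    """`where TimeGenerated > ago(30d) | summarize arg_max(TimeGenerated, *) by UserPrincipalName`."""
    cutoff = now - timedelta(days=lookback_days)
    latest = {}
    for row in signin_logs:
        if row["TimeGenerated"] <= cutoff:      # outside the lookback window (dave)
            continue
        upn = row["UserPrincipalName"]
        if upn not in latest or row["TimeGenerated"] > latest[upn]["TimeGenerated"]:
            latest[upn] = row
    return latest


def detect_inactive_account_signins(signin_logs, signin_activity, now, dormant_days):
    """Left-join the latest sign-in with lastSignInDateTime and keep accounts whose directory
    value is older than dormant_days; a missing record is None and, like a KQL null, never matches."""
    threshold = now - timedelta(days=dormant_days)
    hits = []
    for upn, row in sorted(latest_signin_per_user(signin_logs, now).items()):
        last = signin_activity.get(upn)          # leftouter: no match -> None
        if last is not None and last < threshold:
            hits.append({"UserPrincipalName": upn, "TimeGenerated": row["TimeGenerated"],
                         "lastSignInDateTime": last, "AccountCustomEntity": upn})
    return hits


if __name__ == "__main__":
    for hit in detect_inactive_account_signins(SIGNIN_LOGS, SIGNIN_ACTIVITY, NOW, 180):
        print(f"{hit['AccountCustomEntity']}: dormant since {hit['lastSignInDateTime']:%Y-%m-%d}, "
              f"signed in {hit['TimeGenerated']:%Y-%m-%d}")
```

With the 180-day threshold only bob is flagged; lowering it to 10 days also flags alice, while carol (no directory record) and dave (outside the 30-day window) are never flagged.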
Mitigate Inactive Account Sign-ins with Microsoft Sentinel
To mitigate inactive account sign-ins with Microsoft Sentinel, you need to take appropriate actions to resolve the alerts or incidents that are generated by the detection queries. Depending on the context and severity of the situation, you may need to perform one or more of the following actions:
Investigate the source and cause of the sign-in attempt. You can use the Investigation page of the Microsoft Sentinel portal to view the details and timeline of the alert or incident and explore the related entities and events. You can also use the Hunting page of the Microsoft Sentinel portal to run custom queries or notebooks to further analyze the data and find additional evidence or indicators of compromise.
Block or disable the inactive account. You can use the Microsoft Entra ID portal or PowerShell to block sign-in or disable the user account that is involved in the alert or incident. This can prevent further unauthorized access or misuse of the account. You can also use automation rules or playbooks in Microsoft Sentinel to perform these actions automatically or semi-automatically based on predefined conditions or triggers.
Reset or revoke the credentials of the inactive account. You can use the Microsoft Entra ID portal or PowerShell to reset the password or revoke the refresh tokens of the user account that is involved in the alert or incident. This can invalidate any existing sessions or tokens that are associated with the account. You can also use automation rules or playbooks in Microsoft Sentinel to perform these actions automatically or semi-automatically based on predefined conditions or triggers.
Notify or educate the user or owner of the inactive account. You can use email, phone, or other communication channels to notify or educate the user or owner of the user account that is involved in the alert or incident. This can help them understand the security risks and implications of having inactive accounts and encourage them to follow best practices and policies for managing their accounts.
Best Practices and Recommendations for Managing Inactive Accounts in Microsoft Entra ID
To prevent or reduce inactive account sign-ins with Microsoft Entra ID, I recommend following these best practices and recommendations for managing inactive accounts in Microsoft Entra ID:
Define and enforce a policy for account lifecycle management. This policy should specify how user accounts are created, updated, suspended, deleted, and audited in Microsoft Entra ID. The policy should also define what constitutes an inactive account and how long it should be retained before deletion.
Implement a process for account provisioning and deprovisioning. This process should ensure that user accounts are created and assigned with appropriate roles, permissions, and access rights based on their business needs and functions. The process should also ensure that user accounts are deactivated and removed when they are no longer required or used by members of the organization.
Monitor and review account activity and usage regularly. This activity should involve collecting and analyzing sign-in logs, audit logs, and directory attributes from Microsoft Entra ID to identify and report any inactive, obsolete, or suspicious accounts. The activity should also involve taking corrective actions to block, disable, reset, or revoke any inactive accounts that pose a security risk.
Educate and train users and administrators on account security and hygiene. This education should involve raising awareness and providing guidance on how to create and manage secure and strong passwords, enable multi-factor authentication, review consented applications, report phishing attempts, and follow security policies and best practices for their accounts.
Conclusion
Inactive account sign-ins are a common security challenge that organizations face when using Microsoft Entra ID as their identity and access management service. By using Microsoft Sentinel as their SIEM solution, organizations can detect and mitigate inactive account sign-ins by collecting and analyzing sign-in logs from Microsoft Entra ID, creating alerts or incidents based on custom queries or rules, and taking appropriate actions to resolve them. Moreover, by following best practices and recommendations for managing inactive accounts in Microsoft Entra ID, organizations can prevent or reduce inactive account sign-ins by implementing a policy and process for account lifecycle management, monitoring and reviewing account activity and detecting offending accounts.
Want to discuss this further? Hit me up on Twitter or LinkedIn.