Microsoft Sentinel SOC 101: How to Detect and Mitigate a VIP Account that has Multiple Failed Logons within a Threshold with Microsoft Sentinel
Get this entire series in a free, downloadable eBook https://aka.ms/SentinelSOC101
Microsoft Sentinel is a cloud-native solution that provides security information and event management (SIEM) and security orchestration, automation, and response (SOAR) capabilities. It can help organizations defend against modern attacks by collecting, analyzing, and responding to security events across the enterprise. One of the common scenarios that Microsoft Sentinel can help with is detecting and mitigating brute-force attacks on VIP accounts, such as executives or administrators, who have access to sensitive data or resources.
A brute-force attack is a type of cyberattack that involves trying many possible combinations of passwords or other credentials to gain unauthorized access to an account or system. Brute-force attacks can be performed by automated tools or scripts that attempt to guess passwords based on common patterns, dictionaries, or leaked databases. Brute-force attacks can also be targeted at specific accounts or systems that are known to be valuable or vulnerable.
A VIP account is an account that belongs to a user who has a high level of privilege, influence, or visibility in an organization. VIP accounts may include executives, administrators, managers, or key employees who have access to confidential information, critical systems, or strategic decisions. VIP accounts are attractive targets for attackers who want to compromise the organization’s security, reputation, or operations.
To detect and mitigate multiple failed logons against a VIP account within a specified number of minutes using Microsoft Sentinel, follow these steps:
Step 1: Define the VIP accounts and the logon threshold
The first step is to define which accounts are considered VIP accounts in your organization and how many failed logon attempts within a given time period should trigger an alert. You can use the following criteria to identify VIP accounts:
The account has a high level of permission or role in the organization, such as global administrator, domain administrator, executive officer, etc.
The account has access to sensitive data or resources, such as financial records, customer information, intellectual property, etc.
The account is frequently used for communication or collaboration with external parties, such as partners, customers, media, etc.
You can use the following criteria to determine the logon threshold:
The number of failed logon attempts that indicates a possible brute-force attack. Set it above what legitimate users generate (a mistyped password, a stale credential cached on a mobile device) and at or below the Entra ID smart lockout threshold (10 attempts by default), because once the account is locked further attempts are logged with a different error code than a plain bad password. A common starting value is 6 failed logon attempts within 10 minutes; the example rule below alerts when that count is exceeded.
The time window over which the failed attempts are counted. This may vary depending on the normal usage pattern of the VIP accounts. A common value is 10 minutes; a longer window catches slower guessing at the cost of more noise from ordinary typos.
You can use PowerShell to get a list of VIP accounts based on their directory roles. For example, this command (from the AzureAD PowerShell module) returns all active members of the Global Administrator role in your tenant:
Get-AzureADDirectoryRoleMember -ObjectId (Get-AzureADDirectoryRole | Where-Object {$_.displayName -eq "Global Administrator"}).ObjectId
Two caveats: the AzureAD module is deprecated, and the supported replacement is Microsoft Graph PowerShell (Get-MgDirectoryRole and Get-MgDirectoryRoleMember). Either way, only active role assignments are returned: a user who is merely eligible for the role through Privileged Identity Management does not appear until they activate it, and the directory role list only includes roles that have been activated in the tenant at least once. Repeat the lookup for each role you treat as VIP and add the executives and key employees from the other criteria by hand.
Step 2: Create a custom detection rule in Microsoft Sentinel
The second step is to create a custom detection rule in Microsoft Sentinel that triggers an alert when a VIP account exceeds the logon threshold within the time window. You can use Kusto Query Language (KQL) to write the query for the detection rule. For example, this query counts each account's bad-password sign-in failures per 10-minute window and returns the accounts with more than 6 failures in any window. Counting per fixed window is simple and cheap, but note that a burst straddling a window boundary (four failures at 10:08 and four more at 10:12) is split across two windows and will not fire; keep the rule frequency and lookback period aligned with the window so every failure is counted exactly once.
SigninLogs
| where ResultType == "50126" // Failed sign-in: invalid username or password
| summarize FailedAttempts = count(), FirstFailure = min(TimeGenerated), LastFailure = max(TimeGenerated), SourceIPs = make_set(IPAddress) by UserPrincipalName, Window = bin(TimeGenerated, 10m) // Count failures per user in each 10-minute window
| where FailedAttempts > 6 // Keep only users who exceeded the threshold in a single window
| project UserPrincipalName, Window, FailedAttempts, FirstFailure, LastFailure, SourceIPs // Select the relevant columns
Consider exporting the results of the PowerShell command above to a CSV and importing it as a Watchlist in Microsoft Sentinel, which is easier to maintain than a list of names hard-coded in the query. Then modify the Analytics Rule to filter against the Watchlist when it runs so it only flags the elevated accounts.
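The following is an added example, not a query from the original post, that ties Step 1 and Step 2 together: it restricts the detection to accounts on a Sentinel Watchlist and groups each account's failures into 10-minute sessions with row_window_session, so a burst that crosses a fixed window boundary still counts. The watchlist alias VIPUsers, the assumption that its SearchKey column holds the user principal name, and the inclusion of error 50053 (account locked after repeated bad passwords) are choices made here; adjust them to your tenant.

```kql
// Added example: VIP-only failed sign-in detection with 10-minute sessions.
// Assumed: a Sentinel Watchlist with alias 'VIPUsers' whose SearchKey column
// contains the user principal name of each VIP account.
let FailureThreshold = 6;
let WindowSize = 10m;
let VipUsers = _GetWatchlist('VIPUsers')
    | project Upn = tolower(SearchKey);
SigninLogs
// 50126 = invalid username or password; 50053 = account locked after too many bad passwords
| where ResultType in ("50126", "50053")
// Normalize case so the watchlist comparison is not tripped up by mixed-case UPNs
| extend Upn = tolower(UserPrincipalName)
// Keep only the VIP accounts from the watchlist
| where Upn in (VipUsers)
// row_window_session needs serialized rows ordered by account, then by time
| sort by Upn asc, TimeGenerated asc
// Start a new session when the session's first failure is more than WindowSize old,
// when the gap between consecutive failures exceeds WindowSize, or when the account changes
| extend SessionStart = row_window_session(TimeGenerated, WindowSize, WindowSize, Upn != prev(Upn))
| summarize UserPrincipalName = take_any(UserPrincipalName),
            FailedAttempts = count(),
            FirstFailure = min(TimeGenerated),
            LastFailure = max(TimeGenerated),
            LockedOut = countif(ResultType == "50053"),
            SourceIPs = make_set(IPAddress),
            Apps = make_set(AppDisplayName)
    by Upn, SessionStart
| where FailedAttempts > FailureThreshold
| project UserPrincipalName, FirstFailure, LastFailure, FailedAttempts, LockedOut, SourceIPs, Apps
```

Each session starts at the first failure after the previous session closed, so this is an approximation of a true sliding window rather than an exact one, but it does not lose bursts at window edges the way bin() does. When you turn this into a scheduled rule, map the Account entity's FullName to UserPrincipalName; the LockedOut count tells the analyst whether smart lockout engaged, and SourceIPs shows at a glance whether the failures came from one address (classic brute force) or many (a distributed attempt or a password spray).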
You can use the Microsoft Sentinel portal to create the custom detection rule. You need to provide the following information:
The name and description of the rule
The data source and the query for the rule
The schedule and frequency of the rule execution
The severity and category of the alert generated by the rule
The entity mapping and alert details of the rule
Step 3: Investigate and respond to the alert in Microsoft Sentinel
The third step is to investigate and respond to the alert in Microsoft Sentinel when it is triggered by a VIP account that exceeds the logon threshold within the time window. You can use the following guidelines to investigate and respond to the alert:
Review the alert details, such as the user name, the number of failed logon attempts, and the time range of the failed logon attempts.
Review the user’s investigation priority score (available when Microsoft Sentinel UEBA is enabled) and compare it with the rest of the organization. This will help you identify which users pose the greatest risk.
Review the user’s activity history and timeline to gain an understanding of the context and impact of the failed logon attempts. Look for any indicators of compromise or suspicious behavior, such as unusual locations, devices, applications, or actions.
Review the user’s device information and compare it with known device information. Look for any signs of malware infection, compromise, or tampering.
Review the user’s threat intelligence information and compare it with known threat actors or campaigns. Look for any matches or similarities that could indicate a targeted attack or a common technique.
Contact the user and verify their identity and activity. Ask them if they recognize or remember any of the failed logon attempts or if they have any issues with their account or device.
Scale the response to what the investigation found, because failed logons on their own do not prove compromise. If a successful sign-in (ResultType 0) from the same source followed the burst, treat the account as compromised: reset the user’s password, revoke their sign-in sessions so tokens already issued stop working, and check for MFA methods or mailbox rules the attacker may have added. In every case, make sure multi-factor authentication (MFA) is enforced for the account. This will help prevent further brute-force attacks and improve their account security.
A scheduled analytics rule creates an Incident in Microsoft Sentinel from the alert automatically (incident creation is on by default); assign it to an analyst or a team for further investigation and remediation. You can also use playbooks in Microsoft Sentinel to automate and orchestrate common tasks, such as sending notifications, creating tickets, blocking IPs, etc.
[Want to discuss this further? Hit me up on Twitter or LinkedIn]
[Subscribe to the RSS feed for this blog]
[Subscribe to the Weekly Microsoft Sentinel Newsletter]
[Subscribe to the Weekly Microsoft Defender Newsletter]
[Subscribe to the Weekly Azure OpenAI Newsletter]
[Learn KQL with the Must Learn KQL series and book]
[Learn AI Security with the Must Learn AI Security series and book]