Unusual Authentication by Microsoft 365 Azure AD Service Principal

Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Strategy

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.
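
The following is an added sketch of new-value logic over Microsoft 365 audit events, grouped by service principal; it is not the product's implementation or code from this page. The 7-day learning window, the function names, and all sample IDs and values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

# Assumption: 7-day learning window; the page does not state one.
LEARNING_PERIOD = timedelta(days=7)

def detect_new_auth_methods(events, learning_period=LEARNING_PERIOD):
    """Flag events whose AuthenticationMethod is new for that service principal."""
    first_seen, known, signals = {}, {}, []
    parsed = [(datetime.fromisoformat(e["timestamp"]), e) for e in events]
    for ts, ev in sorted(parsed, key=lambda p: p[0]):
        sp = ev.get("usr", {}).get("id")
        method = ev.get("AuthenticationMethod")
        if not sp or not method:
            continue  # cannot attribute the event to a principal and method
        start = first_seen.setdefault(sp, ts)  # baseline starts at first event
        seen = known.setdefault(sp, set())
        if method in seen:
            continue
        seen.add(method)
        # Values first seen inside the learning window only build the baseline.
        if ts - start >= learning_period:
            signals.append({
                "usr.id": sp,
                "AuthenticationMethod": method,
                "RequestType": ev.get("ExtendedProperties", {}).get("RequestType"),
                "timestamp": ev["timestamp"],
                "baseline": sorted(seen - {method}),
            })
    return signals

def _ev(ts, sp, method, req="OAuth2:Token"):
    # Helper (hypothetical) that builds one event with the fields the rule reads.
    return {"timestamp": ts, "usr": {"id": sp}, "AuthenticationMethod": method,
            "ExtendedProperties": {"RequestType": req}}

# Constructed sample events; IDs, methods and request types are placeholders.
SAMPLE_EVENTS = [
    _ev("2024-05-01T08:00:00+00:00", "sp-example-1", "ClientSecret"),
    _ev("2024-05-03T08:00:00+00:00", "sp-example-1", "ClientSecret"),
    _ev("2024-05-09T08:00:00+00:00", "sp-example-2", "ClientCertificate"),
    _ev("2024-05-10T08:00:00+00:00", "sp-example-1", "ClientCertificate"),
    _ev("2024-05-10T09:00:00+00:00", "sp-example-2", "ClientSecret"),
    _ev("2024-05-11T08:00:00+00:00", "sp-example-1", "ClientCertificate"),
]

if __name__ == "__main__":
    for signal in detect_new_auth_methods(SAMPLE_EVENTS):
        print(signal)
```

Only the 10 May event for `sp-example-1` produces a signal: `sp-example-2` is still inside its learning window, and the repeat on 11 May is already part of the baseline.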

Triage and response

  1. Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
  2. If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}}:
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard.
    • If necessary, initiate your company’s incident response (IR) process.