Azure AD sign in from AADinternals default user agent
Set up the Azure integration.
Goal
Detect when the AADInternals default user agent is seen in Azure AD sign-in logs.
Strategy
This rule monitors Azure AD sign-in logs for the default AADInternals user agent. Note that this default user agent can be altered by whoever runs the tool, so the absence of a match does not rule out its use. The AADInternals toolkit is a PowerShell module containing tools for administering and exploiting Azure AD and Office 365. It is listed in MITRE ATT&CK under ID S0677 and has been associated with a number of threat groups.
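As an added example (not Datadog's rule logic and not code from the AADInternals project), the following Python script applies the same user-agent check to a few constructed sign-in records and then groups the matches per identity, which is the view a responder needs for the triage steps that follow. The record field names (userPrincipalName, userAgent, ipAddress, resultType) and the sample values are assumptions made for this example, not a vendor schema.

```python
import json
from collections import defaultdict

# The rule matches the string AADInternals sends as its default User-Agent.
# The comparison is case-insensitive (the rule title itself spells it
# "AADinternals"). The operator can override the UA, so a miss here does not
# prove the tool was not used.
AADINTERNALS_UA_MARKER = "aadinternals"

# Constructed sample records, shaped loosely like Azure AD sign-in log entries.
# Field names are assumptions for this example, not Microsoft's or Datadog's schema.
SAMPLE_SIGNIN_LOGS = [
    json.dumps({"userPrincipalName": "alice@example.com",
                "userAgent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36",
                "ipAddress": "203.0.113.10", "resultType": "0"}),
    json.dumps({"userPrincipalName": "bob@example.com",
                "userAgent": "AADInternals",
                "ipAddress": "198.51.100.7", "resultType": "0"}),
    # Record with no userAgent field at all: must be skipped, not crash the scan.
    json.dumps({"userPrincipalName": "carol@example.com",
                "ipAddress": "203.0.113.11", "resultType": "0"}),
    # Failed sign-in (non-zero resultType) from the same tool and identity.
    json.dumps({"userPrincipalName": "bob@example.com",
                "userAgent": "aadinternals",
                "ipAddress": "198.51.100.8", "resultType": "50126"}),
]


def is_aadinternals_user_agent(user_agent):
    """True when the User-Agent string contains the AADInternals marker."""
    if not user_agent:  # missing or empty UA: cannot match, but do not fail
        return False
    return AADINTERNALS_UA_MARKER in user_agent.lower()


def find_aadinternals_signins(raw_records):
    """Parse JSON sign-in records and return those whose UA matches the rule."""
    hits = []
    for raw in raw_records:
        try:
            record = json.loads(raw)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        if is_aadinternals_user_agent(record.get("userAgent")):
            hits.append({
                "user": record.get("userPrincipalName", "<unknown>"),
                "ip": record.get("ipAddress", "<unknown>"),
                "result": record.get("resultType", "<unknown>"),
            })
    return hits


def summarize_by_identity(hits):
    """Group matches per identity for triage: number of sign-ins, source IPs,
    and whether any attempt succeeded (resultType "0" is assumed to mean success)."""
    summary = defaultdict(lambda: {"signins": 0, "ips": set(), "any_success": False})
    for hit in hits:
        entry = summary[hit["user"]]
        entry["signins"] += 1
        entry["ips"].add(hit["ip"])
        if hit["result"] == "0":
            entry["any_success"] = True
    # Sets become sorted lists so the output is deterministic and JSON-friendly.
    return {
        user: {"signins": e["signins"], "ips": sorted(e["ips"]), "any_success": e["any_success"]}
        for user, e in summary.items()
    }


if __name__ == "__main__":
    matches = find_aadinternals_signins(SAMPLE_SIGNIN_LOGS)
    for user, info in summarize_by_identity(matches).items():
        print(f"{user}: {info['signins']} sign-in(s) from {info['ips']}, "
              f"succeeded={info['any_success']}")
```

The per-identity summary is what feeds the triage steps: a successful sign-in from the tool by an identity that is not authorised to use it is the case where disabling the identity and revoking its sessions should be considered.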
Triage and response
- Determine if your organization has authorized the use of the AADInternals toolkit.
- If the results of triage indicate that this tool is not used by your organization, begin your company’s incident response process and an investigation.
- If appropriate, disable the affected identity and revoke any sign-in sessions.
- Investigate any actions taken by the identity {{@usr.id}} during the identified time frame.