Unusual Authentication by Microsoft 365 Azure AD Service Principal

Cette page n'est pas encore disponible en français, sa traduction est en cours.
Si vous avez des questions ou des retours sur notre projet de traduction actuel, n'hésitez pas à nous contacter.

Goal

Detect when a Microsoft 365 Azure AD service principal uses an unusual authentication method.

Strategy

Using the New Value detection method, find when a Microsoft 365 Azure AD service principal uses a new @AuthenticationMethod.

Triage and response

  1. Determine if the service principal {{@usr.id}} should be authenticating using the {{@AuthenticationMethod}} authentication method and {{@ExtendedProperties.RequestType}} request type.
  2. If {{@usr.email}} should not be authenticating using {{@AuthenticationMethod}},
    • Investigate other activities performed by the user {{@usr.id}} using the Cloud SIEM - User Investigation dashboard
    • If necessary, initiate your company’s incident response (IR) process.
PREVIEWING: safchain/fix-custom-agent