How to Monitor Azure AD Emergency Accounts With Azure Sentinel


In this article, I will share with you how to monitor Azure AD emergency accounts, also known as break glass accounts, with Azure Sentinel.

Introduction

Azure Sentinel is a cloud-native Security Information and Event Management (SIEM) and Security Orchestration, Automation and Response (SOAR) solution. Azure Sentinel delivers intelligent security analytics and threat intelligence across the enterprise, providing a single solution for alert detection, threat visibility, proactive hunting, and threat response.

A resilient cloud environment needs emergency accounts, also known as break glass accounts. These accounts should only be used when a regular admin cannot sign in, and because of the privileges they carry they must be guarded heavily.

In this article, I will walk you through how to create an analytic rule in Azure Sentinel that triggers an alert when a break glass account is used and automatically runs a security playbook to inform the organization’s Security Operations Center (SOC) team.

Prerequisites

To follow this article, you need to have the following:

  1. Azure subscription – If you don’t have an Azure subscription, you can create a free one here.
  2. Log Analytics workspace – To create a new workspace, follow the instructions in Create a Log Analytics workspace.
  3. Azure Sentinel – To enable Azure Sentinel at no additional cost on an Azure Monitor Log Analytics workspace for the first 31 days, follow the instructions here.
  4. Connect data from Azure Active Directory (Azure AD) to Azure Sentinel. Please note that to export sign-in data, you need an Azure AD P1 or P2 license. If you don’t have P1 or P2, you can sign up for a free trial here. As a side note, the Microsoft documentation says here that any Azure AD license (Free/O365/P1/P2) is sufficient to ingest sign-in logs into Azure Sentinel. This is not correct: you cannot ingest sign-in logs with Azure AD Free or Office 365, you need P1 or P2.
  5. Emergency account created in Azure AD. Microsoft recommends having at least two emergency accounts. In this example, I have only one account. Please check the Microsoft documentation regarding setting up emergency accounts in your environment. Once the emergency account is created, you need to copy its Object ID as shown in the figure below. We will use the Object ID in the analytic rule query.

Please note that if you have just upgraded your Azure AD tenant license from Free to a P1 or P2 premium license, you need to wait a couple of days until the SigninLogs table is created in the Log Analytics workspace. This latency has been confirmed by the Azure Active Directory team.

Create an analytic rule

Assuming you have all the prerequisites in place, take the following steps:

  1. Open Azure Portal and sign in with a user who has Azure Sentinel Contributor permissions.
  2. Click All services found in the upper left-hand corner. In the list of resources, type Azure Sentinel. As you begin typing, the list filters based on your input.
  3. Click on Azure Sentinel and then select the desired Workspace.
  4. From Azure Sentinel’s sidebar, select Analytics under the Configuration section, then click + Create and select Scheduled query rule as shown in the figure below.
  5. Give the analytic rule a meaningful ‘Name’ and ‘Description’, then select the following 3 ‘Tactics’ (Initial Access, Privilege Escalation, and Credential Access). Those tactics are based on the MITRE ATT&CK Matrix for Enterprise. Then select ‘High’ for the Severity and click Next to Set rule logic.
  6. In the Set rule logic page under the Rule query, type the following KQL query to search the sign-in logs for the specified emergency account. Make sure to replace the UserId value with the Object ID of your account. The UserPrincipalName and IPAddress columns are extended as AccountCustomEntity and IPCustomEntity so that Azure Sentinel maps them to the Account and IP entities of the alert.
    SigninLogs
    | project UserId, IPAddress, Location, SourceSystem, TimeGenerated, UserPrincipalName
    | where UserId == 'object-id-of-the-account'
    | extend AccountCustomEntity = UserPrincipalName
    | extend IPCustomEntity = IPAddress
  7. I will schedule this query to run every 5 minutes and look up data from the last 5 minutes. I will not change any other setting in this tab. Click Next to configure the Incident settings.
  8. I will keep the default options for the Incident settings as well. Click Next to configure the Automated response.
  9. In the Automated response page, I have nothing to select at the moment. In the next section, I will demonstrate how to create a security playbook and associate it with this analytic rule. Click Next to review and create.
  10. On the Review and create page, validate the settings and click Create to start the rule creation process.
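As an added example (not the article’s own query), the same rule logic generalised to the two or more break glass accounts that Microsoft recommends, with the filter applied before the projection and the sign-in result kept so that failed attempts against these accounts surface as well. The two Object IDs are placeholders; replace them with the Object IDs copied from Azure AD.

```kql
// Added example, not the article's query. Monitor a set of break glass
// accounts instead of a single one. Placeholder Object IDs below.
let BreakGlassAccounts = dynamic([
    "00000000-0000-0000-0000-000000000001",
    "00000000-0000-0000-0000-000000000002"]);
SigninLogs
// Filter first, so only break glass rows are carried into the projection
| where UserId in (BreakGlassAccounts)
// ResultType "0" is a successful sign-in; any other value is a failure.
// Failures against a privileged account are worth an alert as well.
| extend SignInOutcome = iff(ResultType == "0", "Success",
                             strcat("Failure: ", ResultDescription))
| project TimeGenerated, UserPrincipalName, UserId, IPAddress, Location,
          AppDisplayName, SignInOutcome, ConditionalAccessStatus
// Entity mapping for the Account and IP entities of the analytic rule
| extend AccountCustomEntity = UserPrincipalName
| extend IPCustomEntity = IPAddress
```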

Create a playbook

Now that the analytic rule is created, let’s create a security playbook to respond in case of an alert.

  1. Open Azure Portal and sign in with a user who has Azure Sentinel Contributor permissions.
  2. Click All services found in the upper left-hand corner. In the list of resources, type Azure Sentinel. As you begin typing, the list filters based on your input.
  3. Click on Azure Sentinel and then select the desired Workspace.
  4. From Azure Sentinel’s sidebar, select Playbooks under the Configuration section, then click + Add Playbook. Remember that all playbooks are Logic Apps, but not all Logic Apps are playbooks. A Logic App must have an Azure Sentinel trigger to qualify as a playbook.
  5. A new tab will open where you can enter the Basics information for the logic app. I will select the existing resource group that I have created for the Logic App demo and then choose an appropriate name for the playbook. Click Review + create to validate and then click Create again.
  6. Once the deployment is completed, click Go to resource.
  7. In the Logic Apps Designer view, click Blank Logic App.
  8. Next, search for Azure Sentinel in the search connectors and triggers box; the trigger is easy to find.
  9. There are two different kinds of triggers available to us. For this example, we will choose ‘When a response to an Azure Sentinel alert is triggered’.
  10. This trigger requires a connection. Click Sign in and log in with a user that has sufficient permissions for this connection to work. You can also use a service principal to create the connection.
  11. For this demo, I want to send a message to a Microsoft Teams channel whenever someone successfully logs in with the emergency account. These emergency accounts have administrative permissions and should only be used for testing or in real emergency scenarios. That’s why it is crucial to inform the SOC team members and roles like the CISO or ISM about the usage of such accounts. The good news is that Logic Apps has built-in connectors for sending messages to a Microsoft Teams channel, a Slack channel, or email, etc.
  12. In the Logic Apps Designer, click + New step, search for Azure Sentinel and then choose ‘Alert – Get incident’ under Actions. Then click on each field and choose from the Dynamic content the Subscription ID, Resource group, Workspace ID, and System alert ID as shown in the figure below.
  13. Click + New step again, search for Azure Sentinel and then choose ‘Entities – Get Accounts’ under Actions. Then click on the Entities list and choose ‘Entities’ from the Dynamic content as shown in the figure below.
  14. Click + New step again, search for Azure Sentinel and then choose ‘Entities – Get IPs’ under Actions. Then click on the Entities list and choose ‘Entities’ from the Dynamic content as shown in the figure below.
  15. Click + New step one more time and search for Microsoft Teams. Choose Microsoft Teams, and from the Actions list, choose Post a message. Microsoft Teams also needs a connection and requires signing in with a user that has the required permissions. I have already created a Teams channel using the same account I used to log into my Azure tenant. I will use the same user to initialize the connection.
  16. Once the connection to Microsoft Teams is established, the next step is to choose which Team and channel you would like to send the message to. I have already created a channel called ‘Azure Sentinel – Alerts’ in my Team that I will choose for this example.
  17. In the Message body, I will choose from the list of Dynamic content options for the message text the Alert Name, Severity, the Account name used, and the IP address from which the emergency account was logged in. The entire message text looks like the following:
  18. That’s it. At the top of the page, click Save. This will save the Logic App.

Modify the analytic rule

Now that the Logic App is created, you need to assign it to the analytic rule so you will get notified when an incident is triggered.

Now back to Azure Sentinel, take the following simple steps:

  1. Select the desired Azure Sentinel Workspace.
  2. From Azure Sentinel’s sidebar, select Analytics under the Configuration section.
  3. From the list of Active rules, select the analytic rule that you created previously and click Edit.
  4. Don’t modify anything. Click Next multiple times to reach the Automated response tab, where you can see the playbook you just created. Select the Logic App (playbook) and then click Next one more time.
  5. Quickly verify that all the settings are correct and then click Save.

Now the analytic rule is ready with the automated response playbook.

Simulate an alert

To trigger an alert, you need to log into the Azure portal to simulate the emergency account usage.

I have logged into another virtual machine and I have installed the Tor browser that I will use to log in to the Azure portal to simulate the emergency account usage.

Launch the Tor browser, navigate to portal.azure.com and use the emergency account to log in. Type the emergency account email and click Next. Then enter the password and click Sign in. If this is the first time you are accessing this emergency account, you will be asked to update your password, and on the next screen, click Yes if you would like to stay signed in for a while.

Now that you have successfully logged into the Azure portal using the emergency account via the Tor browser, you can expect multiple incidents reported to Azure Sentinel for this activity.

Let’s see if I have received any message on the Microsoft Teams channel. After waiting for a couple of minutes, a message popped up in my team channel as shown in the screenshot below, which means the analytic rule ran the playbook automatically, and the SOC team received this message.

Switch back to Azure Sentinel and check whether any incident was created after this suspicious activity. You will see a new open incident that was created when the emergency account was used. You can see the Incident id number that was created by the analytic rule I created in this example, which has the playbook attached to it.

You can also view more details of the incident by clicking on the View full details button.

If you navigate to the Playbooks page and click Refresh, you will see the new playbook in the list and can verify whether it was run by the analytic rule. In this example, it ran successfully 6 times.

You can also click on the playbook name and see the Runs history on the Logic App overview page. You can see the successful run entries in this list.

Summary

In this article, I showed you how to create an analytic rule in Azure Sentinel that triggers an alert when an emergency account is used and automatically runs a security playbook to inform the organization’s Security Operations Center (SOC) team.

Please note that posting a message on Microsoft Teams is only one automation scenario for responding to security threats; you could also automatically disable or block the account in Azure AD, send an email, etc. Additionally, creating your own playbook is not the only option that you have. There are plenty of playbooks available in the Azure Sentinel GitHub repository, contributed by the community and Microsoft security experts, that you can leverage.

Additional resources I highly encourage you to check:

The power of Azure Sentinel comes from the ability to detect, investigate, and remediate threats. To do this, you must first ingest data in the form of alerts from different security providers, such as Azure Security Center or other Microsoft solutions, as well as other third-party solutions.

Thank you for reading my blog.

If you have any questions or feedback, please leave a comment.

-Charbel Nemnom-
