Forum Discussion

David Caddick
Iron Contributor
May 17, 2019

Using Azure Sentinel to enable Insights for Legacy/Modern Auth usage

One element that I have noticed in the last month is Insights under Monitoring, and I have been using this to check how many sign-ins are coming in through either Modern or Legacy Authentication - this appears to be powered by Azure Sentinel?

There is a Template for Legacy Auth, and it's pretty straightforward to clone this and search for Modern Auth usage. From this it was interesting to see the breakdown of the protocols in use under Legacy Auth - if I'm reading this right, it's highlighting that IMAP & SMTP seem to be the protocols being abused the most via Password Spray attacks, and these would be the two biggest targets for blocking Legacy Auth?

Has anyone else seen similar results?

      David Caddick
      Iron Contributor

      @Valon_Kolica, @Chris Boehm, @Ofer_Shezaf,

      If possible, I'm also trying to understand how/why the results don't quite add up in some circumstances.

      When I highlighted the success/failure of IMAP or SMTP for, say, 30 minutes this is OK, but at larger ranges this sometimes appears to be a bit skewed - what is it in the logs that actually determines the Legacy/Modern element & protocol?

      At the moment the results of the Protocol + Success/Failure highlight individual instances.

      It would be great to get this rolled up with specific Users highlighted instead, making it much easier to understand how to go about blocking/turning off Legacy on almost a per-user basis, and the potential impact to the business of doing so.

        Chris Boehm
        Microsoft

        David Caddick

        I'm personally not exactly aware of where this is being populated for you, although to answer your question, this is the Azure Active Directory Audit logs: https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-audit-logs

        The Service filter allows you to select from a dropdown of the following services:

        • All
        • Access Reviews
        • Account Provisioning
        • Application SSO
        • Authentication Methods
        • B2C
        • Conditional Access
        • Core Directory
        • Entitlement Management
        • Identity Protection
        • Invited Users
        • PIM
        • Self-service Group Management
        • Self-service Password Management
        • Terms of Use

        With that being said, you can ingest Azure Active Directory Audit logs into Azure Sentinel, then manipulate the data or even automate with playbooks to create a specific action. With playbooks you could even tie events together (Office 365, firewall logs, AIP logs, etc.): if X application is used 100 times with 100 legacy auth occurrences, then you may want to notify your auth team or security team to look into this. Even more so, you could create a ServiceNow/Jira ticket to have tracking in a system you're possibly already using. On top of that, you could just track it with an alert; if that alert gets more than X traffic in a 24-hour period, you could have another alert kick off a playbook (like an SMS message, or automation to block a port of that application while your team is investigating the issue, while at the same time notifying the company that this application has been blocked and the X team is investigating an issue). All automated with playbooks, with no user interaction required.

        You were asking why the data was skewed; I'm wondering if this is purely down to the way Azure AD is tracking it, or whether the application itself isn't even getting through, which would show no activity. Modern auth shows much better tracking; legacy will typically show nothing if it's blocked via a proxy or the communication just doesn't even get back for a failure, the reason being that it's not even getting to the service in the first place. I would personally advise reaching out to the Azure AD team about auditing to get a deeper investigation on why your logging seems off.

        Hope this helped :)
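As an added example (not from the thread, and not the built-in Azure Sentinel legacy-auth template), the KQL query below does the per-user roll-up requested above over the Azure AD sign-in logs. It assumes the Azure AD diagnostic connector is feeding the `SigninLogs` table, that the `ClientAppUsed` column carries the protocol name (the legacy-auth workbook in Sentinel keys off the same column, treating everything other than "Browser" and "Mobile Apps and Desktop clients" as legacy), and that `ResultType` "0" is a successful sign-in while any other value is an Azure AD failure code. The 30-day window and the failure/distinct-IP thresholds used to flag spray-like activity are arbitrary choices for illustration.

```kql
// Added example, not part of the original thread.
// Assumption: the Azure AD sign-in log connector populates SigninLogs.
// ResultType "0" is a successful sign-in; any other value is an AAD error code.
let lookback = 30d;                                   // assumption: reporting window
let modern = dynamic(["Browser", "Mobile Apps and Desktop clients"]);
SigninLogs
| where TimeGenerated > ago(lookback)
// Same split the built-in legacy-auth workbook uses: anything that is not a
// browser or a modern-auth client (IMAP, SMTP, POP, EAS, ...) counts as legacy.
| extend AuthType = iff(ClientAppUsed in (modern), "Modern", "Legacy")
| where AuthType == "Legacy"
| summarize
    Successes   = countif(ResultType == "0"),
    Failures    = countif(ResultType != "0"),
    DistinctIPs = dcount(IPAddress),
    FirstSeen   = min(TimeGenerated),
    LastSeen    = max(TimeGenerated)
    by UserPrincipalName, ClientAppUsed
// Many failures spread over many source IPs against one account is the
// password-spray shape; thresholds are assumptions to tune per tenant.
| extend SprayLike = Failures > 50 and DistinctIPs > 10
| order by SprayLike desc, Failures desc, Successes desc
```

Read the two count columns separately: `Successes` per user and protocol is the business-impact view (accounts that genuinely depend on IMAP or SMTP and will break when legacy auth is blocked), while `Failures` with a high `DistinctIPs` is the attack view. Note that sign-ins rejected before reaching Azure AD (for example by an upstream proxy) never appear in `SigninLogs` at all, which is one reason totals over longer ranges can look inconsistent with what a mail server or firewall reports.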