Special thanks to @edilahav for collaborating on this blog post with me!
In this blog post, we will review the new Azure Sentinel data streams for Azure Active Directory non-interactive, service principal, and managed identity logins. We will also share the new security content we built and updated in the product, which includes analytics rules for the detection part and workbooks to assist our customers to deal with this blind spot.
The shift to the cloud and the rise of automation tasks and service-to-service integration have contributed to a dramatic increase in the use of managed applications, service principals, and managed identities.
These new security objects perform login activity which is not captured in Azure Active Directory’s traditional sign-in logs.
The updated Azure Active Directory data connector now brings these important sign-in events into Azure sentinel.
Non-interactive user sign-ins are sign-ins that were performed by a client app or an OS component on behalf of a user. Like interactive user sign-ins, these sign-ins are done on behalf of a user. Unlike interactive user sign-ins, these sign-ins do not require the user to supply an Authentication factor. Instead, the device or client app uses a token or code to authenticate or access a resource on behalf of a user. In general, the user will perceive these sign-ins as happening in the background of the user’s activity.
Some activity that is captured in these logs:
Some examples that highlight why it’s so important to collect, and get visibility into these logs as part of your detections and hunting:
I’m sharing a Tweet from one of our senior security researchers from the days of the investigation:
Relevant part from the doc:
“Audit the creation and use of service principal and application credentials. Sparrow will detect modifications to these credentials. Look for unusual application usage, such as dormant or forgotten applications being used again. Audit the assignment of credentials to applications that allow non-interactive sign-in by the application. Look for unexpected trust relationships that have been added to Azure AD. (Download the last 30 days of non-interactive sign-ins from the Azure portal or use Azure Sentinel.)”
Azure Sentinel is a cloud-native SIEM that offers rich security content around these new log streams to bring security value to customers that enable it.
@shainw from the MSTIC team updated 24 analytics rules that perform correlations of non-interactive logins with traditional logins and search for anomalies and suspicious activities.
@ShaharAviv updated the Azure Active Directory sign-in workbook and created a coherent view that aggregates these 2 types of logins activity.
Joosua Santasalo, an Azure MVP, updated the Legacy authentication workbook to include non-interactive logins https://securecloud.blog/2021/01/11/azure-active-directory-sign-ins-using-legacyauth-fork-to-include...
Our security researchers share that this is only the beginning and there’s more content to come, so stay tuned!
To connect this new source and stream these logs into Azure Sentinel you should flow these steps:
2. Open the Azure Active Directory connector and check the boxes for the new sources in the configuration section.
To summarize: and enable your non-interactive logins connector!
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.