May 17 2019 04:07 PM
One element that I have noticed in the last month is Insights under Monitoring, and I have been using this to check how many sign-ins are coming in through either Modern or Legacy Authentication. This appears to be powered by Azure Sentinel?
There is a template for Legacy Auth, and it's pretty straightforward to clone this and search for Modern Auth usage. From this it was interesting to see the breakdown of the protocols in use under Legacy Auth. If I'm reading this right, it's highlighting that IMAP and SMTP seem to be the protocols being abused the most via password spray attacks, and these would be the two biggest targets for blocking Legacy Auth?
Has anyone else seen similar results?
May 20 2019 02:32 PM
May 20 2019 04:08 PM
If possible, I'm also trying to understand how/why the results don't quite add up in some circumstances.
When I highlighted the success/failure of IMAP or SMTP for, say, 30 mins this is OK, but at larger ranges this sometimes appears to be a bit skewed. What is it in the logs that actually determines the Legacy/Modern element and the protocol?
At the moment the results of the Protocol + Success/Failure highlight individual instances.
It would be great to get this rolled up with specific users highlighted instead, which would make it much easier to understand how to go about blocking/turning off Legacy Auth on almost a per-user basis and the potential impact to the business of doing so.
May 22 2019 06:03 AM
The Service filter allows you to select from a dropdown of the following services:
May 22 2019 06:07 AM
One more follow-up: we're in the process of releasing UEBA, which might meet a lot of your needs. Stay tuned, as we have a lot coming out built into Azure Sentinel by GA.
With native integration of machine learning (ML), and user analytics, Azure Sentinel can help detect threats quickly. Azure Sentinel seamlessly integrates with Azure Advanced Threat Protection to analyze user behavior and prioritize which users you should investigate first, based on their alerts, and suspicious activity patterns across Azure Sentinel and Microsoft 365.
Jun 02 2019 12:46 AM
@Chris Boehm I was referring to this feature in AAD under Monitoring
This weekend I have taken the Kusto query and used/messed with it in Sentinel, and can now see that it appears to be simply tracking an "App" listed as "Other Clients: ****" and, based on this, determines that it's Legacy Authentication.
What I'm almost surprised about is that there is no data point in the raw data of a failed or successful login that indicates whether it is or isn't Legacy or Modern Auth in play. Given the focus that MS is rightly placing on deprecating Legacy Auth, this seems like a missed opportunity to make it easier/simpler to get off Legacy ASAP?
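The two observations in this thread (the workbook only infers legacy auth from an "Other clients" app label, and the results would be more useful rolled up per user and protocol rather than as individual rows) can be reproduced offline. The following is an added example and not the workbook's own Kusto query or any Microsoft code. It reads constructed sign-in records shaped like the Sentinel SigninLogs table (the field names UserPrincipalName, ClientAppUsed, ResultType and IPAddress are real columns, but the exact spelling of the "Other clients; <protocol>" label and the set of protocol names treated as legacy are assumptions based on the thread and Microsoft's legacy-auth list), classifies each record the same way the thread describes, and then produces the per-user/per-protocol success and failure roll-up asked for above, plus a simple spray indicator: source IPs whose legacy-auth failures span several distinct users.

```python
"""Classify Azure AD sign-in records as legacy vs modern auth and roll the
result up per user and protocol.  Added example, not the workbook's own
Kusto query; the "Other clients; <protocol>" label parsing and the legacy
protocol set below are assumptions drawn from the thread."""
import json
from collections import defaultdict

# Client labels Azure AD uses for legacy (basic auth) protocols; assumption.
LEGACY_PROTOCOLS = {"imap", "imap4", "pop", "pop3", "smtp", "authenticated smtp",
                    "mapi", "exchange web services", "autodiscover",
                    "exchange activesync", "offline address book",
                    "reporting web services"}

# Constructed sample records in SigninLogs shape (JSON lines); not real data.
# ResultType "0" is success; "50126" is the invalid-credentials code.
SAMPLE_SIGNINS = """
{"UserPrincipalName": "alice@contoso.example", "ClientAppUsed": "Other clients; IMAP", "ResultType": "50126", "IPAddress": "203.0.113.7"}
{"UserPrincipalName": "bob@contoso.example", "ClientAppUsed": "Other clients; IMAP", "ResultType": "50126", "IPAddress": "203.0.113.7"}
{"UserPrincipalName": "carol@contoso.example", "ClientAppUsed": "Other clients; SMTP", "ResultType": "50126", "IPAddress": "203.0.113.7"}
{"UserPrincipalName": "Alice@contoso.example", "ClientAppUsed": "Other clients; IMAP", "ResultType": "0", "IPAddress": "198.51.100.20"}
{"UserPrincipalName": "dave@contoso.example", "ClientAppUsed": "Exchange ActiveSync", "ResultType": "0", "IPAddress": "198.51.100.21"}
{"UserPrincipalName": "erin@contoso.example", "ClientAppUsed": "Browser", "ResultType": "0", "IPAddress": "198.51.100.22"}
{"UserPrincipalName": "frank@contoso.example", "ClientAppUsed": "Mobile Apps and Desktop clients", "ResultType": "50126", "IPAddress": "203.0.113.7"}
{"UserPrincipalName": "grace@contoso.example", "ClientAppUsed": "", "ResultType": "0", "IPAddress": "198.51.100.23"}
"""


def load_records(text):
    """Parse JSON-lines sign-in records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def classify(record):
    """Return (is_legacy, protocol) for one sign-in record.

    As the thread observes, legacy auth is inferred only from the client
    label: "Other clients" optionally followed by "; <proto>" or ": <proto>",
    or a bare protocol name from LEGACY_PROTOCOLS.  Everything else is
    reported as modern; a missing label is reported as unknown."""
    client = (record.get("ClientAppUsed") or "").strip()
    if not client:
        return False, "unknown"
    low = client.lower()
    if low.startswith("other clients"):
        proto = low[len("other clients"):].lstrip(" ;:")
        return True, (proto or "unknown")
    if low in LEGACY_PROTOCOLS:
        return True, low
    return False, "modern"


def rollup(records):
    """Per-user, per-protocol success/failure counts for legacy sign-ins:
    {user: {protocol: {"success": n, "failure": n}}}."""
    out = defaultdict(lambda: defaultdict(lambda: {"success": 0, "failure": 0}))
    for r in records:
        is_legacy, proto = classify(r)
        if not is_legacy:
            continue
        user = (r.get("UserPrincipalName") or "<missing>").lower()
        outcome = "success" if str(r.get("ResultType", "")) == "0" else "failure"
        out[user][proto][outcome] += 1
    return {user: dict(protos) for user, protos in out.items()}


def spray_candidates(records, min_users=3):
    """Source IPs whose legacy-auth failures touch at least min_users distinct
    accounts: the low-and-slow shape of a password spray, which per-account
    lockout thresholds do not catch."""
    users_by_ip = defaultdict(set)
    for r in records:
        is_legacy, _ = classify(r)
        if is_legacy and str(r.get("ResultType", "")) != "0":
            users_by_ip[r.get("IPAddress", "?")].add((r.get("UserPrincipalName") or "").lower())
    return sorted(ip for ip, users in users_by_ip.items() if len(users) >= min_users)


if __name__ == "__main__":
    recs = load_records(SAMPLE_SIGNINS)
    for user, protos in sorted(rollup(recs).items()):
        print(user, protos)
    print("spray candidates:", spray_candidates(recs))
```

Two design points worth noting. User principal names are lower-cased before aggregation, otherwise the same account signing in as "alice@" and "Alice@" is counted twice, which is one way the totals in the thread can fail to add up across longer time ranges. And a record with an empty client label is reported as neither legacy nor modern rather than silently dropped into one bucket, so the roll-up does not overstate either side.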