Detections
- Home
- - Detections
- -DT063
- ID: DT063
- Created: 19th July 2024
- Updated: 19th July 2024
- Platforms: Windows, Linux, MacOS
- Contributor: The ITM Team
Microsoft Entra ID Sign-in Logs
From the Microsoft Entra Admin Center (https://entra.microsoft.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), or through the Azure Portal (https://portal.azure.com/#view/Microsoft_AAD_UsersAndTenants/UserManagementMenuBlade/~/SignIns), it is possible to view detailed sign-in logs for user accounts.
This information includes (but is not limited to) the Date, User, Application, Status, IP Address, and Location.
Sections
ID | Name | Description |
---|---|---|
PR015.002 | Remote Email Collection | A subject retrieves email files from a remote email server. The subject might use their own or other obtained credentials to access an email mailbox and subsequently copy emails and/or data contained within emails. Remote email collection can be conducted against on-premises email servers, webmail, and cloud-based email services. |
PR004.002 | Collaboration Platform Exploration | A subject may search for or otherwise explore files on a Collaboration Platform (such as SharePoint, OneDrive, Confluence, etc) to identify sensitive or valuable information. |
IF011.003 | Providing Unauthorized Access to a Collaboration Platform | The subject provides unauthorized party access to a collaboration platform, such as Slack, Teams, or Confluence that exposes them to information they are not permitted to access. This can be achieved by adding an existing organizational account, or a guest account. |
AF018.002 | Environment Tripwires | The subject develops a custom API that monitors specific activities, network traffic, and system changes within the target environment. The API could monitor HTTP/HTTPS requests directed at sensitive endpoints, track modifications to security group settings (such as firewalls or access policies), and identify administrative actions like changes to user accounts, data access requests, or logging configurations.
This tripwire API is embedded within various parts of the environment:
Once deployed, the tripwire API continuously monitors network traffic, API calls, and system changes for indicators of an investigation. It looks for:
The API can use whitelists for expected IP addresses or user accounts, triggering alerts if unexpected access occurs.
Upon detecting activity, the API tripwire can take immediate evasive actions:
|