Microsoft Real Time Alerts - Not Real Time
Deploy sign-in alerts for real-time notifications before an attacker can reach your Microsoft cloud data!
Written by: David J DeLorge
Issue:
With most cloud platforms, there is an account deployed that has 100% access, or an ‘Emergency Break Glass’ account deployed, with GOD rights, in case of an issue. What happens if someone gets access to this account?
Recently Microsoft announced they are removing Activity Alerts in Office 365 and replacing them with Alert Policies. The issue is that both the Activity Alerts and the Alert Policies can take anywhere from 30 minutes to an hour to fire the alert. By that time, most hackers have either already gotten the information they need or have planted enough backdoors and trojans to get in later.
Solution:
Using a Microsoft Azure Log Analytics KQL query and a simple consumption Logic App, we can monitor any ‘BreakGlass’ account, full Global Admin account, or any other high-level account login that hackers may try to use.
The solution uses the following KQL query and a simple Azure Logic App to monitor, alert and email the break-in in less than 6 minutes, giving us enough time to STOP the attack before damage can be done.
To begin (requirements)
1. Make sure you deploy Azure Log Analytics to your Azure subscription (and in the correct region).
2. Add the Microsoft 365 data collector to your Log Analytics workspace.
3. Create a Resource Group to contain the Logic App.
4. Deploy the Logic App as a consumption-based app (also in the same region).
Create the Logic app:
Step 1. Recurrence – let's set it to run every 4 minutes.
Step 2. We are going to use the Log Analytics connector, Azure Monitor Logs – Run Query and Visualize results.
You will need to log into your subscription, select your tenant, log analytics space and insert the following KQL in the ‘Query’ field. Make sure to select ‘HTML’ as the output in the ‘Chart Type’ Field.
Kusto Script: (Note- in my script I am getting both the EST & MST time)
SigninLogs
| where UserPrincipalName =~ "Your breakglass account name" // exact, case-insensitive match (KQL has no 'like' operator)
| where TimeGenerated > ago(5m) // 5-minute window, polled by the 4-minute recurrence
| project now(-6h), now(-4h), OperationName, Identity, AuthenticationDetails, ClientAppUsed
| project-rename SigninTimeMST=Column1, SigninTimeEST=Column2 // unnamed projected expressions become Column1, Column2
Step 3. We are going to use the ‘HTML to Text’ connector and insert the ‘Attachment content’ into the converter.
Step 4. We are now going to add in our ‘Condition’ and tell it to give us a result if the text contains “Sign-in activity”.
Step 5. We now add “Outlook email v2” Send an Email, when our query returns a true response.
(make sure to add the ‘Attachments’ Parameter to the Email template)
You will need:
Mail to : Your security Group or Security team email
Subject: Break-glass Account Used – (Example)
Attachment Name: Break-glassAccountuse.html ( Make sure the attachment name ends in .html)
Attachment: (Use the ‘attachment content’ from the Dynamic Content list)
We can run our trigger and see a False output – as the account has not been used in the last 4 min.
To test, log in with the account you are monitoring from a separate browser (Google incognito) and then wait for the email to arrive.
This gives us the ability to respond to the alert that someone has used our account and cut off their access by going to Azure Active Directory, opening the user, and blocking the user's sign-in.
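The same detection logic the query and the Logic App condition perform, as an added Python example that is not part of the original article or the Logic App: it filters constructed SigninLogs-style rows by the watched UPN (case-insensitive, as with KQL's =~) and a 5-minute window, stamps the alert with the real TimeGenerated converted to the article's UTC-6/UTC-4 offsets rather than now(), and deduplicates on CorrelationId so the 4-minute recurrence over a 5-minute window does not email the same sign-in twice. The account names, timestamps and CorrelationId values are constructed sample data.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like the SigninLogs columns the article projects.
SAMPLE_SIGNINS = [
    {"TimeGenerated": "2024-06-10T14:02:10Z", "UserPrincipalName": "BreakGlass@contoso.example",
     "OperationName": "Sign-in activity", "Identity": "Break Glass", "ClientAppUsed": "Browser",
     "CorrelationId": "c-1"},
    {"TimeGenerated": "2024-06-10T13:50:00Z", "UserPrincipalName": "breakglass@contoso.example",
     "OperationName": "Sign-in activity", "Identity": "Break Glass", "ClientAppUsed": "Browser",
     "CorrelationId": "c-0"},   # older than the 5-minute window, must be ignored
    {"TimeGenerated": "2024-06-10T14:03:00Z", "UserPrincipalName": "alice@contoso.example",
     "OperationName": "Sign-in activity", "Identity": "Alice", "ClientAppUsed": "Browser",
     "CorrelationId": "c-2"},   # a different account, must be ignored
]

# Fixed offsets matching the article's now(-6h) / now(-4h); use zoneinfo for DST-aware zones.
MST_LIKE = timezone(timedelta(hours=-6))
EST_LIKE = timezone(timedelta(hours=-4))

def find_breakglass_signins(rows, watched_upn, now, window=timedelta(minutes=5), seen=None):
    """Mirror of the KQL: UPN match within the last `window`. `seen` holds CorrelationIds
    already alerted on so an overlapping poll does not raise a duplicate alert."""
    seen = set() if seen is None else seen
    hits = []
    for r in rows:
        if r["UserPrincipalName"].lower() != watched_upn.lower():
            continue
        ts = datetime.fromisoformat(r["TimeGenerated"].replace("Z", "+00:00"))
        if ts <= now - window or r["CorrelationId"] in seen:
            continue
        seen.add(r["CorrelationId"])
        hits.append({
            # Convert the actual sign-in time, not the query time, so the email shows when it happened.
            "SigninTimeMST": ts.astimezone(MST_LIKE).isoformat(),
            "SigninTimeEST": ts.astimezone(EST_LIKE).isoformat(),
            "OperationName": r["OperationName"], "Identity": r["Identity"],
            "ClientAppUsed": r["ClientAppUsed"],
        })
    return hits

def should_alert(hits):
    """The Logic App condition: send the email when the result text contains 'Sign-in activity'."""
    return any("Sign-in activity" in h["OperationName"] for h in hits)

def demo():
    """Two consecutive 4-minute polls over the sample data; the second must not re-alert."""
    seen = set()
    first = find_breakglass_signins(SAMPLE_SIGNINS, "breakglass@contoso.example",
                                    datetime(2024, 6, 10, 14, 5, tzinfo=timezone.utc), seen=seen)
    second = find_breakglass_signins(SAMPLE_SIGNINS, "breakglass@contoso.example",
                                     datetime(2024, 6, 10, 14, 9, tzinfo=timezone.utc), seen=seen)
    return first, second
```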
Happy hunting.
Full Logic App Example: