In this article, I will share with you some Azure Active Directory Use Cases created by Microsoft.
|Use Case Name
|Anomalous sign-in location by user account and authenticating application
|This query over Azure Active Directory sign-in considers all user sign-ins for each Azure Active Directory application and picks out the most anomalous change in location profile for a user within an individual application. An alert is generated for recent sign-ins that have location counts that are anomalous over last day but also over the last 3-day and 7-day periods.
|Azure Active Directory PowerShell accessing non-AAD resources
|This will alert when a user or application signs in using Azure Active Directory PowerShell to access non-Active Directory resources, such as the Azure Key Vault, which may be undesired or unauthorized behavior.
|Attempt to bypass conditional access rule in Azure AD
|Identifies an attempt to Bypass conditional access rule(s) in Azure Active Directory.
The ConditionalAccessStatus column value details if there was an attempt to bypass Conditional Access or if the Conditional access rule was not satisfied (ConditionalAccessStatus == 1).
|Attempts to sign in to disabled accounts
|Identifies failed attempts to sign in to disabled accounts across multiple Azure Applications.
Default threshold for Azure Applications attempted to sign in to is 3.
50057 – User account is disabled. The account has been disabled by an administrator.’
|Distributed Password cracking attempts in AzureAD
|Identifies distributed password cracking attempts from the Azure Active Directory SigninLogs.
The query looks for unusually high number of failed password attempts coming from multiple locations for a user account.
50053 Account is locked because the user tried to sign in too many times with an incorrect user ID or password.
50055 Invalid password, entered expired password.
50056 Invalid or null password – Password does not exist in store for this user.
50126 Invalid username or password, or invalid on-premises username or password.
|Explicit MFA Deny
|User explicitly denies MFA push, indicating that login was not expected and the account’s password may be compromised.
|Failed login attempts to Azure Portal
|Identifies failed login attempts in the Azure Active Directory SigninLogs to the Azure Portal. Many failed logon attempts or some failed logon attempts from multiple IPs could indicate a potential brute force attack.
The following are excluded due to success and non-failure results:
0 – successful logon
50125 – Sign-in was interrupted due to a password reset or password registration entry.
50140 – This error occurred due to ‘Keep me signed in’ interrupt when the user was signing-in.
|Sign-ins from IPs that attempt sign-ins to disabled accounts
|Identifies IPs with failed attempts to sign in to one or more disabled accounts signed in successfully to another account.
50057 – User account is disabled. The account has been disabled by an administrator.
|Brute force attack against Azure Portal
|Identifies evidence of brute force activity against Azure Portal by highlighting multiple authentication failures and by a successful authentication within a given time window.
(The query does not enforce any sequence – eg requiring the successful authentication to occur last.)
Default Failure count is 5, Default Success count is 1 and default Time Window is 20 minutes.
|Password spray attack against Azure AD application
|Identifies evidence of password spray activity against Azure AD applications by looking for failures from multiple accounts from the same IP address within a time window. If the number of accounts breaches the threshold just once, all failures from the IP address within the time range are bought into the result. Details on whether there were successful authentications by the IP address within the time window are also included.
This can be an indicator that an attack was successful
|Successful logon from IP and failure from a different IP
|Identifies when a user account successfully logs onto an Azure App from one IP and within 10 mins failed to logon to the same App via a different IP.
This may indicate a malicious attempt at password guessing based on knowledge of the users account.