Deep Diver – Azure AD Identity Protection (IPC) Alerts

This blog post is all about Azure AD Identity Protection alerts (referred to by their provider name "IPC" later in the post) in the Microsoft cloud ecosystem.

If you want to read about how IPC works, I encourage you to read my earlier blog post or go straight to docs.microsoft.com.

IPC is an Azure AD P2 feature that has been generally available for approximately three years. Earlier this year Microsoft "refreshed" IPC, adding new detection capabilities and an enhanced UI. Being an Azure AD P2 feature means that it's available only in the most expensive license packages.

You get a taste of its features even with a free Azure AD license, but all the cool features are included in AAD P2. In practice, IPC calculates user risk (online/offline) using machine learning and AI and, based on policies, decides whether the user's sign-in is approved, whether MFA or a password change is required, or whether the sign-in is blocked.

Gimme The Alerts – Where are Those?

Azure AD Identity Protection (IPC) is a provider for multiple security solutions, which means that alerts triggered in IPC can be found in multiple places (listed below). Let's have a closer look.

  • Azure AD Identity Protection blade
  • Intelligent Security Graph (ISG)
  • Azure Sentinel
  • Cloud App Security (MCAS)
  • Azure Security Center
  • Microsoft Threat Protection suite (MTP)
  • PowerShell for management

Azure AD Identity Protection Blade

The Identity Protection UI resides in Azure AD, where investigation and mitigation are done. Btw, check out my demo environment's Identity Secure Score: 237 out of 265. Quite impressive, even if I say so myself 🙂

If a risk is detected, admins (or a dedicated email distribution list) receive an alert like the one seen below. When the link is clicked, the recipient of the email lands in the Identity Protection portal in Azure AD.

Intelligent Security Graph (ISG) aka Microsoft Security Graph

Identity Protection is one of the ISG providers; the full list of available providers at the time of writing can be found here. The pictures below show the ISG high-level architecture and an export of an ISG alert from my tenant. In the latter, the provider is highlighted in yellow.

Microsoft Intelligent Security Graph (ISG)

Azure Sentinel

If you are using Azure Sentinel (a cloud-native SIEM, which is a hot topic right now) and have configured the data connectors and activated the rule properly, you will get IPC alerts in Azure Sentinel as incidents.

The Azure Sentinel Identity Protection template rule basically raises an incident whenever an alert is generated in IPC.

Microsoft Cloud App Security

The IPC alert is also found in MCAS. As you can see from the picture below, MCAS enriches the alert with additional information, which makes it more useful for the investigation. Btw, MCAS is the best solution in the Microsoft ecosystem for investigating suspicious internal-user activity and behavior. If you are using it, I highly encourage you to get familiar with it, especially its UEBA capabilities.

I'm totally sold on it :) But I'm looking at it only from a technical perspective, not a financial one.

Azure Security Center (ASC)

IPC alerts are also found in Azure Security Center. ASC also provides a geolocation map, which can be very useful for getting a bigger picture of the attack.

Microsoft Threat Protection Suite (MTP)

MTP has just been launched in public preview. Unfortunately, I don't have an environment available where it's enabled. In a nutshell, it is a pre- and post-breach enterprise defense suite that natively integrates across the following products, protecting:

  • Endpoints with Microsoft Defender ATP
  • Email and collaboration with Office 365 ATP
  • Identities with Azure ATP and Azure AD Identity Protection
  • Applications with Microsoft Cloud App security

More information here and here.

PowerShell

This had slipped completely under my radar. Microsoft released the PowerShell module for the Microsoft Security Graph in April 2019; you can read more about it here. In a nutshell, you need the following:

  • PowerShell v5 or above
  • Register an App in Azure AD
  • Use this redirect URI: urn:ietf:wg:oauth:2.0:oob; it's needed for the desktop app redirect to work
  • Configure permissions for the App (SecurityEvents.ReadWrite.All)
  • Grant admin consent to the App
  • Install the module
  • Run and enjoy 🙂

In the TechNet blog there are multiple questions about the App registration guidance. My 2 cents:

  • When registering the App, grant API permissions in delegated mode (interactive login is used)
  • Grant the SecurityEvents.Read.All and SecurityEvents.ReadWrite.All permissions to the App
  • Grant admin consent
  • When running the PowerShell module, use your userPrincipalName as the username and the AppID as the password

Using the module

Log in with userPrincipalName + App ID. After the initial login, the modern authentication prompt appears (the one below is in Finnish, which is as good as encryption) and the interactive login is processed together with Conditional Access policies.

Managing the Alerts

The MicrosoftGraphSecurity module has the following commands available:

With Get-GraphSecurityAlert you can get all alerts from the ISG, Identity Protection alerts included.

Secure Score information is also available with Get-GraphSecuritySecureScore command.

Set ISG Alert

ISG alerts can be managed via PowerShell with the Set-MicrosoftGraphSecurity cmdlet. This is extremely useful if the alerts are sent to a SIEM. The downside is that there isn't any integration back to the backends (providers).

Note: This means that even if you update the alert status in ISG, it will remain open in the ISG providers (Identity Protection, Cloud App Security etc.).
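As an added example (not the post's or the MicrosoftGraphSecurity module's own code), the two operations described above, reading IPC alerts and updating an ISG alert, done directly against the Microsoft Graph Security API with Invoke-RestMethod. It assumes $AccessToken is a delegated Microsoft Graph access token carrying SecurityEvents.ReadWrite.All, obtained through the interactive login described in "Using the module"; the function names Get-IpcAlert and Set-IsgAlertStatus are my own.

```powershell
# Added example; not code from the original post or the MicrosoftGraphSecurity module.
# Assumes $AccessToken is a delegated Graph token with SecurityEvents.ReadWrite.All.

$GraphSecurityAlerts = 'https://graph.microsoft.com/v1.0/security/alerts'

function Get-IpcAlert {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [ValidateSet('unknown', 'newAlert', 'inProgress', 'resolved')]
        [string] $Status,
        [int] $Top = 50
    )
    # The originating ISG provider is exposed in vendorInformation.provider;
    # Identity Protection alerts carry the provider name "IPC".
    $filter = "vendorInformation/provider eq 'IPC'"
    if ($Status) { $filter += " and status eq '$Status'" }
    $uri = "{0}?`$filter={1}&`$top={2}" -f $GraphSecurityAlerts, [uri]::EscapeDataString($filter), $Top
    $headers = @{ Authorization = "Bearer $AccessToken" }

    $results = @()
    while ($uri) {
        $page = Invoke-RestMethod -Uri $uri -Headers $headers -Method Get
        if ($page.value) { $results += $page.value }
        $uri = $page.'@odata.nextLink'   # follow server-side paging until exhausted
    }
    # Trim the alert to the fields an analyst triages on
    $results | Select-Object id, title, severity, status, createdDateTime,
        @{ n = 'user';     e = { $_.userStates.userPrincipalName -join ',' } },
        @{ n = 'provider'; e = { $_.vendorInformation.provider } }
}

function Set-IsgAlertStatus {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [Parameter(Mandatory)] [string] $AlertId,
        [Parameter(Mandatory)] [ValidateSet('newAlert', 'inProgress', 'resolved')] [string] $Status,
        [string] $AssignedTo,
        [string] $Comment
    )
    # PATCH /security/alerts/{id} requires vendorInformation so the Graph can route
    # the update; for Identity Protection that is vendor "Microsoft", provider "IPC".
    $body = @{
        status            = $Status
        vendorInformation = @{ provider = 'IPC'; vendor = 'Microsoft' }
    }
    if ($AssignedTo) { $body.assignedTo = $AssignedTo }
    if ($Comment)    { $body.comments   = @($Comment) }

    # Prefer: return=representation makes Graph return the updated alert instead of 204
    Invoke-RestMethod -Uri "$GraphSecurityAlerts/$AlertId" -Method Patch `
        -Headers @{ Authorization = "Bearer $AccessToken"; Prefer = 'return=representation' } `
        -ContentType 'application/json' -Body ($body | ConvertTo-Json -Depth 3)
    # This only changes the ISG copy of the alert: the risk event stays open in
    # Identity Protection (and MCAS) until it is dismissed there as well.
}

# Usage: list new IPC alerts, then mark one as being worked on
# Get-IpcAlert -AccessToken $AccessToken -Status newAlert | Format-Table
# Set-IsgAlertStatus -AccessToken $AccessToken -AlertId '<alert id from the list>' -Status inProgress -Comment 'Triage started'
```

The filter on vendorInformation/provider is what separates IPC alerts from the other ISG providers in the same feed; paging with @odata.nextLink matters because a tenant with many risk events will not fit in one response.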

Summary

The Microsoft cloud ecosystem is huge, and organizations have multiple security solutions available by default. Keep in mind that most of the advanced tools (including IPC and MCAS) require an E5/A5, G5 or P2 license. As seen above, the synergy advantages are obvious.

Which solutions to use is more a matter of cloud logging and monitoring strategy: from which sources do you want an audit trail and events sent, and to where? Where are you processing all the alerts, in a SIEM or directly in the security solutions? And lastly, how are operations built around the solutions?

Until next time!

Enable Microsoft Security Graph Alerts in Log Analytics

While it's not yet configurable in the GUI, you can already configure (with the proper prerequisites) the preview of the Security Graph API and Log Analytics integration.

Side note: a similar integration can be done for Event Hub, and it's recommended while enabling the LA integration to enable the EH integration too (if an EH exists in the tenant):
https://docs.microsoft.com/en-us/graph/security-qradar-siemintegration

The alerts available today are listed in the Security API overview (check the link for the original reference):

https://docs.microsoft.com/en-us/graph/api/resources/security-api-overview?view=graph-rest-1.0

I will avoid using the term Azure Monitor here, as in my opinion this integration is not really tapping into any resource API in Azure Monitor (unless you consider Azure Monitor an umbrella term).

AAD Identity Protection alert
The same alert in Log Analytics
The target in Event Hub (I will do a separate blog about ELK integration)

The integration also includes Event Hub, which has been available for a good while already via a similar method.

Before proceeding: as always, read the disclaimer at the bottom of the page. I put the disclaimer up here as well to emphasize that it matters, not just as an escape clause.

How To: integration with Log Analytics

  • Disclaimer: the behavior may vary per tenant
  • It took a few hours until events started popping up in Log Analytics and Event Hub
  • To enable the integration you can use the existing AAD tokens in the cache
    • I've usually preferred the ADAL libraries to do this bit more simply, but in this case we use the AzureRM module to populate parts of the script (done similarly here)


# Sign in interactively and pick the subscription that hosts the workspace and Event Hub
Login-AzureRmAccount
$ctx = Get-AzureRmContext
Get-AzureRmSubscription | Out-GridView -PassThru | Set-AzureRmContext

# Tenant-level ARM endpoint (no subscription in the path) for the Security Graph diagnostic setting
$rmEndpoint = "https://management.azure.com/providers/Microsoft.SecurityGraph/diagnosticSettings/securityApiAlerts?api-version=2017-04-01-preview"

# Get an ARM access token by redeeming a refresh token from the AzureRM token cache
# (pick the cached item for the account you just signed in with). The body is sent
# form-encoded, which is what the token endpoint expects; no content_type field is needed.
$Token = Invoke-RestMethod "https://login.windows.net/common/oauth2/token" -Method POST -Body @{
   grant_type    = "refresh_token"
   refresh_token = ($ctx.TokenCache.ReadItems() | Out-GridView -PassThru).refreshToken
   resource      = "https://management.core.windows.net/"
}

# Diagnostic setting body; the placeholder IDs are overwritten with real resource IDs below
$json = '
{
  "location": "",
  "properties": {
    "workspaceId": null,
    "name": "securityApiAlerts",
    "serviceBusRuleId": "/subscriptions/SUBSCRIPTION_ID/resourceGroups/RESOURCE_GROUP/providers/Microsoft.EventHub/namespaces/EVENT_HUB_NAMESPACE/authorizationrules/RootManageSharedAccessKey",
    "logs": [
      {
        "category": "Alert",
        "enabled": true,
        "retentionPolicy": {
          "enabled": true,
          "days": 7
        }
      }
    ]
  }
}
' | ConvertFrom-Json

# Event Hub destination: pick the namespace and append its RootManageSharedAccessKey authorization rule
$json.properties.serviceBusRuleId = ((Get-AzureRmResource | Where-Object { $_.ResourceType -match "Eventhub" } | Out-GridView -PassThru).ResourceId + "/authorizationrules/RootManageSharedAccessKey")

# Log Analytics destination: pick the workspace
$json.properties.workspaceId = (Get-AzureRmOperationalInsightsWorkspace | Out-GridView -PassThru).ResourceId

# PUT the setting; alerts start flowing after a delay (a few hours in my tenant)
$data = Invoke-RestMethod -Uri $rmEndpoint -Method Put -Body ($json | ConvertTo-Json -Depth 4) -UseBasicParsing -Headers @{
    Authorization = "$($Token.token_type) $($Token.access_token)"
} -ContentType "application/json; charset=utf-8"
$data
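Since the PUT above returns no confirmation beyond the echoed body and the events take hours to appear, an added example (my own, not part of the original post) that reads the diagnostic setting back and checks the fields that decide whether anything will actually arrive. It assumes $AccessToken is an ARM token for management.azure.com (such as $Token.access_token from the script above) and that a GET on the same endpoint returns the current setting in the same shape as the PUT body; the function name Test-SecurityGraphDiagnosticSetting is my own.

```powershell
# Added example; not code from the original post.
# Assumptions: $AccessToken is an ARM (management.azure.com) token, and GET on the
# securityApiAlerts endpoint returns the setting in the same shape as the PUT body.

$SecurityGraphSettingUri = 'https://management.azure.com/providers/Microsoft.SecurityGraph/diagnosticSettings/securityApiAlerts?api-version=2017-04-01-preview'

function Test-SecurityGraphDiagnosticSetting {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $AccessToken,
        [int] $MinRetentionDays = 7
    )
    $setting = Invoke-RestMethod -Uri $SecurityGraphSettingUri -Method Get `
        -Headers @{ Authorization = "Bearer $AccessToken" } -UseBasicParsing
    $props    = $setting.properties
    $alertLog = $props.logs | Where-Object { $_.category -eq 'Alert' }

    $findings = @()
    # The "Alert" category is the only log category this provider emits; without it nothing flows
    if (-not $alertLog) {
        $findings += 'Alert log category is missing'
    } elseif (-not $alertLog.enabled) {
        $findings += 'Alert log category is disabled'
    } elseif ($alertLog.retentionPolicy.enabled -and $alertLog.retentionPolicy.days -lt $MinRetentionDays) {
        $findings += "retention is $($alertLog.retentionPolicy.days) days, below $MinRetentionDays"
    }
    # At least one destination (workspace for LA, serviceBusRuleId for Event Hub) must be set
    if (-not $props.workspaceId -and -not $props.serviceBusRuleId) {
        $findings += 'neither a Log Analytics workspace nor an Event Hub authorization rule is configured'
    }

    [pscustomobject]@{
        Name           = $setting.name
        WorkspaceId    = $props.workspaceId
        EventHubRuleId = $props.serviceBusRuleId
        AlertEnabled   = [bool]($alertLog -and $alertLog.enabled)
        Healthy        = ($findings.Count -eq 0)
        Findings       = $findings
    }
}

# Usage, reusing the token from the script above:
# Test-SecurityGraphDiagnosticSetting -AccessToken $Token.access_token | Format-List
```

Run it right after the PUT and again once the propagation delay has passed; a Healthy result with no events in the workspace points at the prerequisites on the Log Analytics side rather than at the setting itself.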



Comment from @samilamppu

It's quite likely that you need to have Security Center Standard with proper event coverage enabled to get the node for security alerts under LA.

Br,

Joosua