SOC Operations: Confirming Azure AD Device and User Identity

Patrick Young
May 21, 2023


Revision 20230421

User self-service password change

ELK query:

decoder.name: "AzureGraphAPI-json" and data.azure.targetResources.type: "User" and data.azure.activityDisplayName: "*password*"

The data comes from the Azure AD audit log, retrieved through the MS Graph API.
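The ELK query above can also be applied directly to the raw Microsoft Graph directoryAudits records it is built from. The following is an added example, not code from the original post: it reimplements the query predicate in Python (at least one target of type User, and an activity name matching *password*) and goes one step beyond the query by separating self-service changes (initiator is the target user) from administrative resets (initiator is someone else). SAMPLE_AUDITS is constructed sample data shaped like the Graph directoryAudit resource; the ids, names and timestamps are invented, and graph_audit_url() is a helper of this example, not a Graph SDK call.

```python
"""Azure AD audit-log filter for user password changes.

Added example (not code from the original post): reimplements the ELK query
over raw Microsoft Graph directoryAudits records and classifies each hit as
self-service vs admin-initiated. SAMPLE_AUDITS is constructed sample data.
"""
from urllib.parse import quote

GRAPH_AUDITS = "https://graph.microsoft.com/v1.0/auditLogs/directoryAudits"

# Constructed sample records (not real tenant data).
SAMPLE_AUDITS = [
    {   # user changed their own password
        "activityDisplayName": "Change user password",
        "activityDateTime": "2023-05-21T07:55:00Z",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"id": "u-1", "userPrincipalName": "alice@example.com"}},
        "targetResources": [{"id": "u-1", "type": "User",
                             "userPrincipalName": "alice@example.com"}],
    },
    {   # helpdesk reset another user's password
        "activityDisplayName": "Reset user password",
        "activityDateTime": "2023-05-21T08:10:00Z",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"id": "u-9", "userPrincipalName": "helpdesk@example.com"}},
        "targetResources": [{"id": "u-2", "type": "User",
                             "userPrincipalName": "bob@example.com"}],
    },
    {   # unrelated user update: must not match
        "activityDisplayName": "Update user",
        "activityDateTime": "2023-05-21T08:12:00Z",
        "category": "UserManagement",
        "result": "success",
        "initiatedBy": {"user": {"id": "u-9", "userPrincipalName": "helpdesk@example.com"}},
        "targetResources": [{"id": "u-2", "type": "User",
                             "userPrincipalName": "bob@example.com"}],
    },
    {   # mentions "password" but the target is a Policy, not a User: must not match
        "activityDisplayName": "Update password protection policy",
        "activityDateTime": "2023-05-21T08:20:00Z",
        "category": "Policy",
        "result": "success",
        "initiatedBy": {"user": {"id": "u-9", "userPrincipalName": "helpdesk@example.com"}},
        "targetResources": [{"id": "p-1", "type": "Policy", "displayName": "PasswordProtection"}],
    },
]


def graph_audit_url(since_iso):
    """URL to pull directoryAudits newer than since_iso via the Graph API.
    The activityDateTime $filter runs server-side; the *password* wildcard
    match is done client-side in matches_query()."""
    return f"{GRAPH_AUDITS}?$filter={quote(f'activityDateTime ge {since_iso}')}"


def matches_query(record):
    """Python equivalent of the ELK predicate: at least one target of type
    User and a case-insensitive 'password' substring in the activity name."""
    targets = record.get("targetResources") or []
    if not any(t.get("type") == "User" for t in targets):
        return False
    return "password" in (record.get("activityDisplayName") or "").lower()


def classify(record):
    """self-service if the initiator is the target user, admin-initiated if
    another user did it, app-initiated if no user is recorded as initiator."""
    initiator = (record.get("initiatedBy") or {}).get("user") or {}
    target = next(t for t in record["targetResources"] if t.get("type") == "User")
    if not initiator.get("id"):
        return "app-initiated"
    return "self-service" if initiator["id"] == target.get("id") else "admin-initiated"


def password_events(records):
    """Apply the query and annotate each hit with who did what to whom."""
    hits = []
    for r in records:
        if not matches_query(r):
            continue
        target = next(t for t in r["targetResources"] if t.get("type") == "User")
        hits.append({
            "when": r["activityDateTime"],
            "activity": r["activityDisplayName"],
            "target": target.get("userPrincipalName"),
            "initiator": ((r.get("initiatedBy") or {}).get("user") or {}).get("userPrincipalName"),
            "kind": classify(r),
            "result": r.get("result"),
        })
    return hits


if __name__ == "__main__":
    print(graph_audit_url("2023-05-20T00:00:00Z"))
    for e in password_events(SAMPLE_AUDITS):
        print(e)
```

Running the block prints the Graph URL and two hits: Alice's self-service change and the helpdesk reset of Bob's password; the plain user update and the policy event are dropped by the predicate. The self-service / admin-initiated split is what an analyst usually needs next, since an unexpected admin reset and a self-service change have different follow-ups.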

User sign-in goes through 2FA (managed account)

UserLoggedIn Event Logging

WS-Federation Protocol: https://auth0.com/docs/authenticate/protocols/ws-fed-protocol

Strong MFA Endpoints: https://learn.microsoft.com/en-us/microsoft-365/troubleshoot/diagnostic-logs/fiddler-trace-logs-for-mfa

MFA starts with SAS:BeginAuth, which enters the MFA authentication step.

After MFA authorization has begun, the client starts to query the same endpoint for the SAS:EndAuth method every 10 seconds to check whether authentication has completed.

SAS:ProcessAuth means the MFA security authentication is currently being processed; this URL endpoint is used after MFA to request the session token, which is then placed in a cookie.

Office 365 Mgmt Activity API Schema

RecordType

15 AzureActiveDirectoryStsLogon: Secure Token Service (STS) logon events in Azure Active Directory.

StsLogon.DeviceProperties.TrustType

DeviceProperties (Collection(Common.NameValuePair)): This property includes various device details, including Id, Display name, OS, Browser, IsCompliant, IsCompliantAndManaged, SessionId, and DeviceTrustType. The DeviceTrustType property can have the following values:

0 — Azure AD registered (registered to Azure AD without requiring an organizational account to sign in to the device; mostly BYOD, also known as Workplace joined; allowed to use end-user local credentials together with MAM or MDM. Allows all devices, including mobiles, Ubuntu 20.04/22.04, and Windows 10 or newer.)

1 — Azure AD joined (joined only to Azure AD, requiring an organizational account to sign in to the device; allowed to use MDM or SCCM and can be self-provisioned. Requires Server 2019+, except Win10 Home editions.)

2 — Hybrid Azure AD joined (joined to both on-premises AD and Azure AD, requiring an organizational account to sign in to the device; this must be used when the system is newer than Windows 2008 R2 and cannot be used on mobile devices. It can only be provisioned via SCCM, GPO or Intune MDM.)

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-register

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join

https://learn.microsoft.com/en-us/azure/active-directory/devices/concept-azure-ad-join-hybrid

https://aadinternals.com/post/devices/#devicetrusttype

Query for Impossible Travel alerts

As with the Mass Delete alert, the user's sign-in session is correlated mainly through the AAD SessionID and the CorrelationID (InterSystemID). For the STS authentication during sign-in, check the device TrustType and whether the authentication went through 2FA, whether the device is domain-joined, and whether it is under MDM management; combined with EDR alerts, this confirms whether the endpoint or the user is anomalous, or whether a VPN process was started, and the alert is then handled accordingly.
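The triage described above (session correlation via SessionId and InterSystemsId, the DeviceTrustType values from the schema section, and the SAS:BeginAuth / SAS:EndAuth / SAS:ProcessAuth MFA sequence) can be scripted over the Office 365 Management Activity API records themselves. The following is an added example and not code from the original post: it groups RecordType 15 UserLoggedIn records into sessions, decodes the trust type, checks whether the MFA sequence completed, and applies the post's rule that a managed, compliant device that passed 2FA is low risk while anything else goes to EDR review. SAMPLE is constructed data shaped like the Management Activity API common and STS logon schemas; the field and NameValuePair names follow the schema documentation, the values are invented, and the low-risk / escalate verdict labels are this example's own.

```python
"""Triage helper for Office 365 Management Activity API STS logon records.

Added example (not from the original post). SAMPLE is constructed data, not
real tenant logs; field names follow the Management Activity API schema.
"""
from collections import defaultdict

# DeviceTrustType values as listed in the STS logon schema.
TRUST_TYPE = {"0": "Azure AD registered", "1": "Azure AD joined", "2": "Hybrid Azure AD joined"}


def nvp(pairs, name, default=None):
    """Look up a Name/Value pair in a Collection(Common.NameValuePair)."""
    for p in pairs:
        if p.get("Name") == name:
            return p.get("Value")
    return default


def make_record(user, ip, request_type, session, trust, compliant, inter_id, ts):
    """Build one constructed UserLoggedIn record (RecordType 15)."""
    return {
        "RecordType": 15, "Operation": "UserLoggedIn", "Workload": "AzureActiveDirectory",
        "CreationTime": ts, "UserId": user, "ClientIP": ip, "ResultStatus": "Success",
        "InterSystemsId": inter_id,   # the CorrelationID the post refers to
        "ExtendedProperties": [{"Name": "RequestType", "Value": request_type}],
        "DeviceProperties": [
            {"Name": "SessionId", "Value": session},
            {"Name": "DeviceTrustType", "Value": trust},
            {"Name": "IsCompliant", "Value": compliant},
            {"Name": "OS", "Value": "Windows10"},
        ],
    }


SAMPLE = [
    # Session A: hybrid-joined, compliant laptop completing the MFA sequence.
    make_record("alice@example.com", "203.0.113.10", "Login:login", "sess-A", "2", "True", "corr-1", "2023-05-21T08:00:00"),
    make_record("alice@example.com", "203.0.113.10", "SAS:BeginAuth", "sess-A", "2", "True", "corr-1", "2023-05-21T08:00:05"),
    make_record("alice@example.com", "203.0.113.10", "SAS:EndAuth", "sess-A", "2", "True", "corr-1", "2023-05-21T08:00:15"),
    make_record("alice@example.com", "203.0.113.10", "SAS:ProcessAuth", "sess-A", "2", "True", "corr-1", "2023-05-21T08:00:20"),
    # Session B: same user minutes later from another IP, on a registered (BYOD)
    # device that never entered MFA: the Impossible Travel candidate.
    make_record("alice@example.com", "198.51.100.7", "Login:login", "sess-B", "0", "False", "corr-2", "2023-05-21T08:09:00"),
]


def group_sessions(records):
    """Group STS logon records by (UserId, SessionId) so one sign-in session
    is examined as a unit, as the post does via SessionID / InterSystemID."""
    sessions = defaultdict(list)
    for r in records:
        if r.get("RecordType") != 15 or r.get("Operation") != "UserLoggedIn":
            continue
        sessions[(r["UserId"], nvp(r["DeviceProperties"], "SessionId"))].append(r)
    return sessions


def triage_session(records):
    """Summarise one session: device trust, compliance, MFA completion, IPs."""
    first = records[0]["DeviceProperties"]
    request_types = {nvp(r["ExtendedProperties"], "RequestType") for r in records}
    trust = TRUST_TYPE.get(nvp(first, "DeviceTrustType"), "unknown")
    compliant = nvp(first, "IsCompliant") == "True"
    # MFA is considered complete once BeginAuth was followed by ProcessAuth.
    mfa_done = {"SAS:BeginAuth", "SAS:ProcessAuth"} <= request_types
    managed = trust in ("Azure AD joined", "Hybrid Azure AD joined")
    # Rule from the post: managed + compliant + 2FA is low risk; otherwise
    # hand the session to EDR / VPN-process review.
    verdict = "low-risk" if (managed and compliant and mfa_done) else "escalate-to-EDR"
    return {
        "user": records[0]["UserId"],
        "session_id": nvp(first, "SessionId"),
        "correlation_ids": sorted({r["InterSystemsId"] for r in records}),
        "client_ips": sorted({r["ClientIP"] for r in records}),
        "trust_type": trust, "compliant": compliant, "mfa_completed": mfa_done,
        "verdict": verdict,
    }


def triage(records):
    """Map SessionId -> triage summary for every session in the records."""
    return {k[1]: triage_session(v) for k, v in group_sessions(records).items()}


if __name__ == "__main__":
    for sid, summary in triage(SAMPLE).items():
        print(sid, summary)
```

With the sample data, sess-A comes back low-risk (hybrid-joined, compliant, MFA completed) and sess-B is escalated (registered BYOD device, not compliant, no SAS:* requests), which is exactly the pair an analyst wants side by side when an Impossible Travel alert fires for the same user.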

User under Same Tenant with Different Domain Name

When custom domain names are used, accounts under different domain names within the same Azure AD directory (the same identities tenant) are not interoperable.

Consider whether interoperation is possible with multiple forests under the same AAD Connect.

In addition, on this basis, whether the f3u field in the alert is a unique identifier of the user is debatable.

Azure Identity Protection

Configure user sign-in behaviour and sign-in risk-control policies through Conditional Access policies, and consider disabling Legacy Authentication. The existing User Risk Policy and Sign-in Risk Policy will be enabled progressively.

Push notification MFA fatigue: limit the number of pushes, and have the push prompt include additional number matching.
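Whether Legacy Authentication is actually disabled is easy to verify from the tenant's Conditional Access policies. The following is an added example, not code from the original post: it takes policies in the Microsoft Graph conditionalAccessPolicy shape and reports whether an enforced policy blocks legacy authentication, i.e. one in state "enabled" that targets the legacy client app types ("exchangeActiveSync" and "other") for all users and all applications with a "block" grant control. A report-only policy is listed separately because it logs but does not stop legacy sign-ins; the weak (report-only) policy sits beside the corrected (enforced) one in the sample. SAMPLE_POLICIES is constructed data, the excluded break-glass account id is a placeholder, and the push-limit and number-matching settings mentioned above are not covered by this check.

```python
"""Conditional Access posture check: is legacy authentication blocked?

Added example (not from the original post). SAMPLE_POLICIES is constructed
data in the Graph conditionalAccessPolicy shape; ids are placeholders.
"""

# Client app types that correspond to legacy authentication in Conditional Access.
LEGACY_CLIENT_APP_TYPES = {"exchangeActiveSync", "other"}

# Constructed sample policies (not real tenant configuration).
SAMPLE_POLICIES = [
    {   # weak: report-only, so legacy sign-ins are still allowed
        "displayName": "Block legacy authentication (report-only)",
        "state": "enabledForReportingButNotEnforced",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # corrected: enforced for all users and apps, only the break-glass account excluded
        "displayName": "Block legacy authentication",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["exchangeActiveSync", "other"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"],
                      "excludeUsers": ["<break-glass-account-object-id>"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    },
    {   # unrelated: requires MFA for modern clients, says nothing about legacy clients
        "displayName": "Require MFA for all users",
        "state": "enabled",
        "conditions": {
            "clientAppTypes": ["browser", "mobileAppsAndDesktopClients"],
            "applications": {"includeApplications": ["All"]},
            "users": {"includeUsers": ["All"]},
        },
        "grantControls": {"operator": "OR", "builtInControls": ["mfa"]},
    },
]


def blocks_legacy_auth(policy):
    """True if this policy, regardless of its state, would block legacy
    authentication for all users and all applications."""
    cond = policy.get("conditions") or {}
    client_apps = set(cond.get("clientAppTypes") or [])
    if not LEGACY_CLIENT_APP_TYPES <= client_apps:
        return False
    if (cond.get("applications") or {}).get("includeApplications") != ["All"]:
        return False
    if (cond.get("users") or {}).get("includeUsers") != ["All"]:
        return False
    controls = (policy.get("grantControls") or {}).get("builtInControls") or []
    return "block" in controls


def legacy_auth_posture(policies):
    """Split blocking policies by state: only 'enabled' ones count as enforced.
    Excluded users on enforced policies are surfaced so the exclusion list
    can be reviewed (it should contain only break-glass accounts)."""
    candidates = [p for p in policies if blocks_legacy_auth(p)]
    enforced = [p for p in candidates if p.get("state") == "enabled"]
    report_only = [p for p in candidates if p.get("state") == "enabledForReportingButNotEnforced"]
    excluded = set()
    for p in enforced:
        excluded.update(((p.get("conditions") or {}).get("users") or {}).get("excludeUsers") or [])
    return {
        "legacy_auth_blocked": bool(enforced),
        "enforced": [p["displayName"] for p in enforced],
        "report_only": [p["displayName"] for p in report_only],
        "excluded_users": sorted(excluded),
    }


if __name__ == "__main__":
    print(legacy_auth_posture(SAMPLE_POLICIES))
```

The check is deliberately strict: a policy scoped to a subset of users or applications, or one in report-only state, does not count as blocking legacy authentication, because in both cases a legacy client can still sign in.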
