Join Pete Zerger for an in-depth discussion in this video Investigating risk events, part of Microsoft Cybersecurity Stack: Advanced Identity and Endpoint Protection.
- [Instructor] Investigation of risk events in Azure AD Identity Protection usually starts with the Identity Protection dashboard. So we'll begin by logging into the Azure portal at portal.azure.com. You'll see I'm prompted with my branded logon screen, and immediately I'm taken to the Azure portal. I'll click on Azure AD Identity Protection, which I have pinned to my dashboard. You can use the More services option to search for that feature if you don't have it pinned to your start menu on the left or your dashboard.
And here I'll notice that I have three reports. My reports in the left column here are users flagged for risk, which reports on accounts that may be compromised; risk events, which reports on recent risky sign-ins; and other events and vulnerabilities, which speaks to our configuration of Azure AD. So we'll have a look at users flagged for risk to see what types of activities are being flagged here. So I'll see Pete Zerger is listed here, and when I scroll down to look at his risk events, I can see an impossible travel to an atypical location.
And you notice here I have an option to resolve this issue, ignore it, mark it as a false positive, or I can reach out to this user and take some action. And you'll notice right here, in fact, I can reset that user's password if I'd like to trigger any sort of immediate remediation. Let's go down the list and have a look at risk events now. So these are recent risk events in our environment, and here we have something that's a medium risk: sign-ins from an anonymous IP address.
So we do notice here that we have a couple of users repeatedly logging in from odd locations with anonymous IPs. So that's something perhaps worth investigating, and we can drill down into the individual user, dismiss these events, or proceed with an immediate password reset. And if we're interested, I can even pull up the affected user's entire sign-in history here to make a determination as to my next step. And finally, let's have a look at vulnerabilities, again speaking to our configuration, and we have a few issues here.
Looks like we have some users without multi-factor authentication registration in place, which is going to be a prerequisite for our risk-based policies. We have some roles in our privileged identity management that don't require multi-factor authentication, again something contrary to best practice, but let's look at this one here. Too many global administrators in our Azure Active Directory, a really common problem, but you'll notice here that it's something we can fix pretty quickly. And don't worry about the blank button here, that's simply an option to show more detail around the effective alert.
So we have our users who are flagged here for permanent privilege elevation. You'll notice that one user is not flagged here; that's because we're using the privileged identity management feature, which we'll talk about in another session. But I can select these users with permanent elevation, and you'll notice here I can simply select Fix selected, and fix means this will address their privilege level.
And you'll notice here it mentions that to prevent this next time, we can follow the security principle of least privilege, so basically configuring fewer global administrators. If you tie your investigation activities to the notifications Azure AD Identity Protection sends via email, you can ensure you're responsive without the need to spend hours watching the console. Mitigating a sign-in risk means taking an action to limit the ability of an attacker to exploit a compromised identity or device without restoring the identity or device to a safe state.
Automating response when there is risk or compromise is a feature needed by everyone, so I encourage you to enable an Azure Active Directory Premium Plan 2 trial and give Azure AD Identity Protection a try today.
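As an added example that is not part of the course, the same triage the instructor performs by hand in the portal (users flagged for risk, then each user's risk events such as anonymous IP or impossible travel) can be pulled as a table with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Identity.SignIns module is installed and that the signed-in account can consent to the two read-only scopes used below.

```powershell
# Added example (not the course's own code): list users currently at risk in
# Azure AD Identity Protection together with a summary of their risk detections.
# Assumption: Microsoft.Graph.Identity.SignIns is installed and the account
# can consent to the read-only scopes below.
Import-Module Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "IdentityRiskyUser.Read.All", "IdentityRiskEvent.Read.All"

# "Users flagged for risk": only open cases, i.e. not yet dismissed or remediated.
$riskyUsers = Get-MgRiskyUser -Filter "riskState eq 'atRisk'" -All

$triage = foreach ($u in $riskyUsers) {
    # "Risk events" for this one user, newest first. @() keeps a single
    # detection (or none) indexable like an array.
    $detections = @(Get-MgRiskDetection -Filter "userId eq '$($u.Id)'" -All |
        Sort-Object DetectedDateTime -Descending)

    # Count detections per type, e.g. anonymizedIPAddress=3, impossibleTravel=1.
    $byType = $detections |
        Group-Object RiskEventType |
        ForEach-Object { "$($_.Name)=$($_.Count)" }

    $latest = if ($detections.Count -gt 0) { $detections[0] } else { $null }

    [pscustomobject]@{
        User        = $u.UserPrincipalName
        RiskLevel   = $u.RiskLevel
        LastUpdated = $u.RiskLastUpdatedDateTime
        Detections  = ($byType -join ', ')
        LatestIp    = $latest.IpAddress
        LatestCity  = $latest.Location.City
        Country     = $latest.Location.CountryOrRegion
    }
}

# Highest risk first, so the accounts needing a password reset surface at the top.
$triage | Sort-Object RiskLevel | Format-Table -AutoSize
```

The portal's dismiss and confirm-compromised buttons have SDK counterparts (Invoke-MgDismissRiskyUser and Confirm-MgRiskyUserCompromised, both taking -UserIds), which need the corresponding ReadWrite scope rather than the read-only ones requested here.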