July 25, 2024

Investigate Microsoft EntraID identities in minutes


Alfred Huger
Cofounder & CPO

Introduction

Identity-based investigations are one of the most common analyses for security operations. These leads get under the spotlight because of an HR event (various watchlists or user’s last day), a potential compromise (as a result of business email compromise, phishing, password spray or other vectors) or suspicious behavior. Swiftly understanding who or what (for non-human users) these identities belong to, the historical context and recent behavior are key to conducting effective investigations.  

User identities live on multiple systems supported by Command Zero, including identity providers, cyber and non-cyber solutions and SaaS. One of the powers of the platform is enabling cross-system interrogation to paint the complete narrative for any user. Interrogating universal data sources using the pre-built questions and sequences on Command Zero improves efficiency for all analysts and lowers the barrier of entry for less-known data sources.  

In this blog post, I’ll walk you through a sample watchlist investigation on Microsoft EntraID. While we can expand any investigation to other data sources, I'll keep the focus on EntraID to simplify this example flow.  

Act 1: Inbound HR request & first observations

It’s 8:43 on Thursday morning and you receive a new ServiceNow request from HR: “Review permissions and recent activity of Steven and Natalie”. Instead of digging into Splunk, EntraID, Graph and five other systems, or scheduling working sessions with identity administrators, you decide to run this analysis using Command Zero.

You start by looking at the information about Steven and Natalie. This overview of users reveals important information including the groups they belong to, their usernames, emails and registered devices.  

Analysts can review all groups a user belongs to and expand the investigation into these groups if necessary.
Analysts can go through the notes for Steven and get up to speed on the historical context and findings.
Current and past investigations that have the same lead can help better understand the complete context on identities.

As you review summaries about Steven and Natalie, you find that these users also have Okta and GitHub users and add these identities as additional leads to the investigation, along with the registered devices and IP addresses these users are associated with.

Before diving back into the investigation, you review failed MFA challenges and risky sign-in activities for Steven:

Bingo! You find two IP addresses in the risky sign-in activities, both of which you also promote to leads in the investigation.

Act 2: Digging into user behavior

Now that we’ve got the overview of Natalie and Steven, we can start digging into their recent user behaviors. We could interrogate all connected resources for these users (such as CrowdStrike for endpoint, Okta for other associated identities, or GitHub for code repository activities), but for the sake of this example we’ll limit our focus to Microsoft EntraID.

Initially, we can ask the following questions to identify suspicious behavior:  

  • Was there a failed attempt to change the user’s password?
  • What account administration actions were performed by this user?
  • What application consents have been granted by this user?

Interrogating identities using pre-built questions helps speed up analysis and standardize the flow.

In this case, the answer to each of these questions was no, meaning none of these potentially malicious behaviors were observed in the given time frame. We can expand the time frame and re-run the same questions to look for more answers:

Analysts can easily update the time range of questions and re-run questions to get a broad set of results.

Assuming the answers are still no, meaning there are no rabbit holes to dig into, we can now run facets (pre-built question sequences) to ask more questions and surface interesting patterns more quickly:

Facets are dynamic playbooks. They can run full-blown investigations or can kickstart analysis by executing a sequence of questions.

In this case, let’s run an “impossible travel” facet to see if we can find suspicious activities focused on IP addresses and geolocation.

The impossible travel facet returns three distinct IPs which were already part of our investigation.
For each repeated lead, you can review the connections and where else this lead surfaced.

Act 3: Chasing the involved IP addresses

Now we must confirm whether these three IP addresses are trusted. To do this, we run facets on these IP addresses. Two out of three turn out to be office IP addresses. The third one is more interesting:

This is an unknown IP address from a foreign country we don’t operate in. This is suspicious!

The same unfamiliar sign-in facet reveals that this IP has multiple failed and successful logins:

This foreign IP has successfully logged into Natalie’s and Johanna’s accounts.
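As an added illustration (not Command Zero's code and not part of the original post), here is how the two checks used in this walkthrough, impossible travel between a user's consecutive sign-ins and a source IP that mixes failed and successful sign-ins across several users, can be computed over Entra ID sign-in records in the Microsoft Graph signIns shape. The records, users, coordinates and IP addresses are constructed; the 900 km/h threshold is an assumption.

```python
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
# Constructed sample sign-ins shaped like Microsoft Graph signIns objects (TEST-NET IPs,
# made-up users). status.errorCode 0 is success; 50126 is the real AADSTS bad-password code.
def rec(ts, upn, ip, lat, lon, code):
    return {"createdDateTime": ts, "userPrincipalName": upn, "ipAddress": ip,
            "location": {"geoCoordinates": {"latitude": lat, "longitude": lon}},
            "status": {"errorCode": code}}
SIGNINS = [
    rec("2024-07-25T06:40:00Z", "natalie@example.com", "203.0.113.10", 47.61, -122.33, 0),
    rec("2024-07-25T07:05:00Z", "natalie@example.com", "198.51.100.7", 55.75, 37.62, 0),
    rec("2024-07-25T07:01:00Z", "johanna@example.com", "198.51.100.7", 55.75, 37.62, 50126),
    rec("2024-07-25T07:03:00Z", "johanna@example.com", "198.51.100.7", 55.75, 37.62, 0),
    rec("2024-07-25T06:50:00Z", "steven@example.com", "203.0.113.10", 47.61, -122.33, 0),
    rec("2024-07-25T08:20:00Z", "steven@example.com", "203.0.113.11", 47.62, -122.30, 0),
]

def haversine_km(lat1, lon1, lat2, lon2):  # great-circle distance in kilometres
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))
def when(r):  # Graph emits a trailing Z, which older fromisoformat() rejects
    return datetime.fromisoformat(r["createdDateTime"].replace("Z", "+00:00"))
def impossible_travel(signins, max_kmh=900.0):
    """Consecutive successful sign-ins per user faster than max_kmh, as (user, ip_from, ip_to, km/h)."""
    by_user = {}
    for r in sorted(signins, key=when):
        if r["status"]["errorCode"] == 0:  # failed attempts do not prove presence
            by_user.setdefault(r["userPrincipalName"], []).append(r)
    hits = []
    for user, recs in by_user.items():
        for prev, cur in zip(recs, recs[1:]):
            g1, g2 = prev["location"]["geoCoordinates"], cur["location"]["geoCoordinates"]
            km = haversine_km(g1["latitude"], g1["longitude"], g2["latitude"], g2["longitude"])
            hours = (when(cur) - when(prev)).total_seconds() / 3600
            kmh = km / max(hours, 1 / 3600)  # sub-second gaps count as one second
            if kmh > max_kmh:
                hits.append((user, prev["ipAddress"], cur["ipAddress"], round(kmh)))
    return hits

def ip_outcomes(signins):
    """Per source IP: failed sign-in count and the set of users it signed in as."""
    out = {}
    for r in signins:
        e = out.setdefault(r["ipAddress"], {"failed": 0, "succeeded": set()})
        if r["status"]["errorCode"] == 0:
            e["succeeded"].add(r["userPrincipalName"])
        else:
            e["failed"] += 1
    return out
```

On the sample data, Natalie's office sign-in followed 25 minutes later by one from the foreign IP is the only impossible-travel hit, and the foreign IP is the only source with both a failure and successes across two users.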

Now we will expand the investigation further into Natalie’s user and add Johanna to the investigation as a new lead. Once these leads are fully exhausted, you can build the incident timelines, generate summaries and share with the HR team to close this request in minutes.

Conclusion

Command Zero augments tier-2 and tier-3 analysts, threat hunters and incident responders by doing the heavy lifting. In this example, an analyst was able to review two users on the watchlist, confirm that one user didn’t have suspicious behavior and find suspicious activities for the other user, along with a new lead (Johanna) to expand the investigation.

It is now 8:47 AM on Thursday, and the initial investigation for Natalie and Steven is complete: all in 4 minutes, without technology-specific expertise or direct access to EntraID or the other systems involved in this flow. Next in this series, we’ll cover a sample use case for Okta as the identity provider.

Please check out our identity-based investigations page and use case demo to learn more.
