articles/active-directory/fundamentals/security-operations-privileged-accounts.md
Lines changed: 3 additions & 2 deletions
@@ -138,7 +138,8 @@ You can monitor privileged account sign-in events in the Azure AD Sign-in logs.
138
138
| Discover privileged accounts not registered for MFA. | High | Azure AD Graph API| Query for IsMFARegistered eq false for administrator accounts. [List credentialUserRegistrationDetails - Microsoft Graph beta](/graph/api/reportroot-list-credentialuserregistrationdetails?view=graph-rest-beta&preserve-view=true&tabs=http)| Audit and investigate to determine if intentional or an oversight. |
139
139
| Account lockout | High | Azure AD Sign-ins log | Status = Failure<br>-and-<br>error code = 50053 | Define a baseline threshold, and then monitor and adjust to suite your organizational behaviors and limit false alerts from being generated. |
140
140
| Account disabled/blocked for sign-ins | Low | Azure AD Sign-ins log | Status = Failure<br>-and-<br>Target = user UPN<br>-and-<br>error code = 50057 | This could indicate someone is trying to gain access to an account once they have left an organization. Although the account is blocked, it's still important to log and alert on this activity. |
141
-
| MFA fraud alert/block | High | Azure AD Sign-ins log/Azure Log Anaylitics | Succeeded = false<br>-and-<br>Result detail = MFA denied<br>-and-<br>Target = user | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
141
+
| MFA fraud alert/block | High | Azure AD Sign-ins log/Azure Log Anaylitics | Sign-ins>Authentication details Result details = MFA denied, Fraud Code Entered | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
142
+
| MFA fraud alert/block | High | Azure AD Audit Log log/Azure Log Anaylitics | Activity Type = Fraud Reported - user is blocked for MFA or Fraud reported - no action taken (based on tenant level settings for fraud report) | Privileged user has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account. |
142
143
| Privileged account sign-ins outside of expected controls. || Azure AD Sign-ins log | Status = failure<br>UserPricipalName = \<Admin account\><br>Location = \<unapproved location\><br>IP Address = \<unapproved IP\><br>Device Info= \<unapproved Browser, Operating System\>| Monitor and alert on any entries that you have defined as unapproved. |
143
144
| Outside of normal sign in times | High | Azure AD Sign-ins log | Status =success<br>-and-<br>Location =<br>-and-<br>Time = outside of working hours | Monitor and alert if sign-ins occur outside of expected times. It is important to find the normal working pattern for each privileged account and to alert if there are unplanned changes outside of normal working times. Sign-ins outside of normal working hours could indicate compromise or possible insider threats. |
144
145
| Identity protection risk | High | Identity Protection logs | Risk state = at risk<br>-and-<br>Risk level = low/medium/high<br>-and-<br>Activity = Unfamiliar sign-in/TOR, etc. | This indicates there is some abnormality detected with the sign in for the account and should be alerted on. |
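Review bot: the two added rows carry typos and formatting inconsistencies that the rest of the table does not. "Azure AD Audit Log log/Azure Log Anaylitics" doubles "log" and misspells Analytics (the new sign-in row repeats "Anaylitics"), and "Fraud Reported - user is blocked for MFA" versus "Fraud reported - no action taken" capitalise the same activity prefix two different ways. The new sign-in row also drops the "Succeeded = false" condition the replaced row had and writes its filter as a UI path ("Sign-ins>Authentication details Result details = MFA denied, Fraud Code Entered") instead of the `<br>-and-<br>` condition list every other row in this table uses; suggest something like "Status = Failure<br>-and-<br>Authentication details: Result detail = MFA denied, Fraud Code Entered". Finally, both new rows have identical first and last columns, so a reader cannot tell why there are two; the last column should say that the sign-in row catches the denied attempt while the audit row catches the fraud report itself, and that the "no action taken" variant (where tenant settings do not block the user) still deserves an alert, since the stated risk, an attacker holding the password, is the same either way.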
@@ -263,4 +264,4 @@ See these security operations guide articles:
263
264
[Security operations for devices](security-operations-devices.md)
264
265
265
266
266
-
[Security operations for infrastructure](security-operations-infrastructure.md)
267
+
[Security operations for infrastructure](security-operations-infrastructure.md)
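Review bot: the removed and added lines in this hunk are textually identical ("[Security operations for infrastructure](security-operations-infrastructure.md)"), so the change is invisible in the rendered diff and is presumably whitespace only (a trailing newline or line ending at end of file). If that is the intent it is fine, but it deserves a word in the commit description so reviewers do not hunt for a content change; if a content change was intended here, it has not landed.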