Cloud Identity Threat Protection Essentials

Cloud Identity Threat Protection Essentials Logo

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Attribute	Value
Publisher	Microsoft Corporation
Support Tier	Microsoft
Support Link	https://support.microsoft.com
Categories	domains
Version	3.0.3
Author	Microsoft - support@microsoft.com
First Published	2022-11-16
Solution Folder	Cloud Identity Threat Protection Essentials
Marketplace	Azure Marketplace · Popularity: 🔵 Medium (57%)
Pre-requisites	Microsoft Entra ID, Amazon Web Services, Microsoft Entra ID Protection

As more and more companies move to the cloud - attacks to the cloud identity system are becoming more commonplace. The Cloud Identity Threat Protection Essentials solution looks for most common cloud focused identity attacks such as Suspicious Sign-ins, privilege grants, MFA disable etc. Rapid detection of these attacks can enable organizations to respond faster and stop them from progressing further.

For details on the required solutions, see the Pre-requisites section below.

Keywords: MFA, Nord VPN, VPS, Disabled Account, Suspicious Sign-in, Service principal

Pre-requisites
Data Connectors
Tables Used
Content Items

Pre-requisites

This solution depends on 3 other solution(s):

Solution
Amazon Web Services
Microsoft Entra ID
Microsoft Entra ID Protection

Data Connectors

This solution does not include its own data connectors but uses connectors from dependency solutions:

Amazon Web Services (dependency on Amazon Web Services)
Amazon Web Services S3 (dependency on Amazon Web Services)
Amazon Web Services S3 WAF (dependency on Amazon Web Services)
Microsoft Entra ID (dependency on Microsoft Entra ID)
Microsoft Entra ID Protection (dependency on Microsoft Entra ID Protection)

Tables Used

This solution queries 3 table(s) from its content items:

Table	Used By Content
`AWSCloudTrail`	Analytics
`AuditLogs`	Analytics, Hunting
`SigninLogs`	Hunting

Internal Tables

The following 3 table(s) are used internally by this solution's content items:

Table	Used By Content
`BehaviorAnalytics`	Hunting
`IdentityInfo`	Hunting
`SecurityAlert`	Hunting

Content Items

This solution includes 10 content item(s):

Content Type	Count
Hunting Queries	8
Analytic Rules	2

Analytic Rules

Name	Severity	Tactics	Tables Used
Multi-Factor Authentication Disabled for a User	Medium	CredentialAccess, Persistence	`AWSCloudTrail` `AuditLogs`
New External User Granted Admin Role	Medium	Persistence	`AuditLogs`

Hunting Queries

Name	Tactics	Tables Used
Application Granted EWS Permissions	Collection, PrivilegeEscalation	`AuditLogs` Internal use: `SecurityAlert`
Detect Disabled Account Sign-in Attempts by Account Name	InitialAccess	`SigninLogs` Internal use: `IdentityInfo`
Detect Disabled Account Sign-in Attempts by IP Address	InitialAccess	`SigninLogs`
Interactive STS refresh token modifications	CredentialAccess	`AuditLogs`
Sign-ins From VPS Providers	InitialAccess	`SigninLogs` Internal use: `BehaviorAnalytics` `IdentityInfo`
Sign-ins from Nord VPN Providers	InitialAccess	`SigninLogs` Internal use: `BehaviorAnalytics` `IdentityInfo`
Suspicious Sign-ins to Privileged Account	InitialAccess	`SigninLogs` Internal use: `BehaviorAnalytics` `IdentityInfo`
User Granted Access and Grants Access to Other Users	Persistence, PrivilegeEscalation	`AuditLogs`

Release Notes

Version	Date Modified (DD-MM-YYYY)	Change History
3.0.3	28-02-2024	Removed usage of BlastRadius from Hunting Queries
3.0.2	09-02-2024	Tagged for dependent solutions for deployment
3.0.1	16-01-2024	Sub-techniques added for Analytical Rules
3.0.0	07-11-2023	Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID.