
Summary
The Azure Active Directory PowerShell Sign-in rule identifies sign-ins made through the Azure AD PowerShell module, which IT staff commonly use to manage Azure Active Directory settings from the command line. The rule matters because unauthorized use of this module can indicate a breach, particularly when the sign-in comes from a user who is not part of the IT or engineering teams. It works by querying the Azure AD sign-in event logs and matching the cases where the client application is the PowerShell module. False positives are expected, since legitimate administrators sign in this way for routine tasks; a detailed investigation is therefore recommended whenever the user or host is unfamiliar. Investigation steps include tracing the user's actions, assessing whether the account needs PowerShell access to Azure AD at all, and reviewing the security implications of any actions taken during the sign-in session. The guidance also covers incident response, such as disabling suspected accounts and reviewing for regulatory impact.
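To show the rule's logic concretely, here is an added example (not the rule's own query or code) that runs the matching condition over constructed sign-in records and separates expected administrators from unfamiliar users, as the investigation guidance above suggests. The flattened field names (app_display_name, token_issuer_type, outcome) are an assumed shape of an Azure sign-in log export, and the application display name is assumed from Microsoft's first-party app naming; verify both against your own tenant's logs.

```python
"""Added example: flag Azure AD sign-ins made through the Azure AD PowerShell module.
Field names are an assumed flattened sign-in log shape; all records are constructed."""
from typing import Dict, Iterable, List

# Display name Microsoft uses for the first-party Azure AD PowerShell application
# (assumed; confirm against the app_display_name values in your tenant's sign-in logs).
AAD_POWERSHELL_APP = "Azure Active Directory PowerShell"

# Constructed sample sign-in events (not real data; documentation IP ranges).
SAMPLE_SIGNINS: List[Dict] = [
    {"user": "it.admin@example.com", "app_display_name": AAD_POWERSHELL_APP,
     "token_issuer_type": "AzureAD", "outcome": "success", "ip": "203.0.113.10"},
    {"user": "sales.rep@example.com", "app_display_name": AAD_POWERSHELL_APP,
     "token_issuer_type": "AzureAD", "outcome": "success", "ip": "198.51.100.7"},
    {"user": "sales.rep@example.com", "app_display_name": AAD_POWERSHELL_APP,
     "token_issuer_type": "AzureAD", "outcome": "failure", "ip": "198.51.100.7"},
    {"user": "hr.user@example.com", "app_display_name": "Office 365 Exchange Online",
     "token_issuer_type": "AzureAD", "outcome": "success", "ip": "203.0.113.55"},
]


def is_powershell_signin(event: Dict) -> bool:
    """Core rule: a successful, Azure AD-issued sign-in whose client app is the PowerShell module."""
    return (event.get("app_display_name") == AAD_POWERSHELL_APP
            and event.get("token_issuer_type") == "AzureAD"
            and str(event.get("outcome", "")).lower() == "success")


def triage(events: Iterable[Dict], expected_admins: Iterable[str]) -> List[Dict]:
    """Run the rule and rank each hit: a sign-in by a user outside the expected admin set
    is 'high' (the case the guidance says to investigate); an expected admin is 'low'
    (the acknowledged false-positive case). Failed and non-PowerShell sign-ins are skipped."""
    admins = {u.lower() for u in expected_admins}
    alerts: List[Dict] = []
    for ev in events:
        if not is_powershell_signin(ev):
            continue
        user = ev["user"].lower()
        alerts.append({"user": user, "ip": ev.get("ip"),
                       "severity": "low" if user in admins else "high"})
    return alerts


if __name__ == "__main__":
    for alert in triage(SAMPLE_SIGNINS, ["it.admin@example.com"]):
        print(alert)
```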
Categories
- Cloud
- Identity Management
Data Sources
- User Account
- Application Log
ATT&CK Techniques
- T1078
- T1078.004
Created: 2020-12-14