Week 21, 2024

New Check: Access from Dormant Account

Adversaries often target inactive accounts that linger in an organization's systems because they still retain access to the critical applications, data and systems the end user once needed, yet these accounts are frequently not enrolled in MFA and are rarely monitored closely, since nobody remembers they exist. An adversary who successfully accesses such an account can also modify it to maintain persistence in the environment.

In this release we are introducing a new check, 'Access from Dormant Account', to improve monitoring of inactive accounts that have recently been used. The check flags user accounts that signed in successfully within the last 7 days, had no successful sign-in during the 30 days before that window, and are not newly created. Both evaluation periods can be adjusted in Check Settings.
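The detection logic described above, written out as an added example (this is illustrative code, not the product's implementation). The sign-in records, account creation dates, field layout and the rule that an account created inside the dormant window counts as "newly created" are all my assumptions; failed sign-ins are deliberately ignored so that a brute-force attempt alone never makes an account look active.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample data (not product output): sign-ins and account creation
# dates, all in UTC. Field order: (user, timestamp, success, application).
SIGN_INS = [
    ("alice", "2024-03-01T09:12:00+00:00", True,  "Salesforce"),
    ("alice", "2024-05-22T08:03:00+00:00", True,  "Salesforce"),
    ("alice", "2024-05-23T17:41:00+00:00", True,  "GitHub"),
    ("bob",   "2024-05-01T10:00:00+00:00", True,  "Jira"),
    ("bob",   "2024-05-20T10:00:00+00:00", True,  "Jira"),
    ("carol", "2024-05-21T11:30:00+00:00", True,  "Slack"),
    ("dave",  "2024-02-10T12:00:00+00:00", True,  "AWS"),
    ("dave",  "2024-05-22T03:15:00+00:00", False, "AWS"),   # failed attempt only
]
ACCOUNT_CREATED = {
    "alice": "2022-06-01T00:00:00+00:00",
    "bob":   "2023-01-15T00:00:00+00:00",
    "carol": "2024-05-20T09:00:00+00:00",   # created inside the window: new, not dormant
    "dave":  "2021-11-03T00:00:00+00:00",
}
# Evaluation time for the sample run (assumed).
NOW = datetime(2024, 5, 24, 12, 0, tzinfo=timezone.utc)


def _ts(s):
    return datetime.fromisoformat(s)


def find_dormant_account_access(sign_ins, account_created, now,
                                recent_days=7, dormant_days=30):
    """Return {user: {"last_login": datetime, "apps": [...]}} for accounts that
    signed in successfully during the last `recent_days`, had no successful
    sign-in during the `dormant_days` before that, and already existed when
    the dormant window began. Both windows mirror the adjustable Check Settings."""
    recent_start = now - timedelta(days=recent_days)
    dormant_start = recent_start - timedelta(days=dormant_days)

    recent = defaultdict(list)   # user -> successful sign-ins in the recent window
    active_before = set()        # users with a successful sign-in in the dormant window
    for user, ts, ok, app in sign_ins:
        if not ok:
            continue             # failed attempts never count as activity
        t = _ts(ts)
        if recent_start <= t <= now:
            recent[user].append((t, app))
        elif dormant_start <= t < recent_start:
            active_before.add(user)

    findings = {}
    for user, logins in recent.items():
        if user in active_before:
            continue             # account was in use during the dormant window
        created = account_created.get(user)
        if created is not None and _ts(created) >= dormant_start:
            continue             # newly created: could not have been dormant for the full window
        findings[user] = {
            "last_login": max(t for t, _ in logins),
            "apps": sorted({app for _, app in logins}),
        }
    return findings


if __name__ == "__main__":
    for user, info in find_dormant_account_access(SIGN_INS, ACCOUNT_CREATED, NOW).items():
        print(f"{user}: dormant account used {info['last_login'].isoformat()} "
              f"against {', '.join(info['apps'])}")
```

With the sample data only alice is flagged: bob was active in the dormant window, carol is a new account, and dave's only recent event is a failed sign-in. Widening `dormant_days` to 90 pulls alice's March sign-in into the dormant window and clears her as well, which is the trade-off to keep in mind when tuning the periods in Check Settings.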

For more detail on a given finding, open the explainability drawer for the failing user. It shows which providers are failing the check, the failing user and their role, the applications accessed with the dormant account, and more. This context helps administrators judge whether the activity is legitimate or points to a compromise or unauthorized access, respond quickly to risky behaviour, and clean up accounts that are no longer needed.

Updates to “Admin Role Assigned to User” check

The “Admin Role Assigned to User” check now supports Microsoft Entra ID, in addition to Okta and GitHub. For Entra ID we alert on Global Administrator grants only, since Entra ID has many narrower, less critical administrator roles. Administrators using Entra ID now get the same monitoring of admin privilege grants as the other supported platforms.

We have also changed the logic of this check for all data sources (Okta, GitHub, Entra ID): the check now fails on the target user, the account that was granted administrator rights, rather than on the initiator, the user who granted them. The finding is therefore attached to the account that actually holds the new privilege, which is the one that needs monitoring and auditing.
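An added example of the two points in this section, the Entra ID role filter and attributing the failure to the target rather than the initiator. This is illustrative code, not the product's own logic; the event records and their field names are a constructed, provider-normalized shape I assume for the example, not any provider's real audit-log schema, and I assume Okta and GitHub events arriving here are already filtered to admin-level grants.

```python
# Constructed admin-role grant events (field names are an assumption).
ROLE_GRANTS = [
    {"provider": "okta",   "actor": "it-admin@example.com", "target": "jsmith@example.com",     "role": "Super Administrator"},
    {"provider": "github", "actor": "octo-owner",           "target": "ci-service-account",     "role": "owner"},
    {"provider": "entra",  "actor": "helpdesk@example.com", "target": "contractor@example.com", "role": "Global Administrator"},
    {"provider": "entra",  "actor": "helpdesk@example.com", "target": "reader@example.com",     "role": "Global Reader"},
    {"provider": "entra",  "actor": "helpdesk@example.com", "target": "second@example.com",     "role": "Global Administrator"},
]

# Entra ID has many scoped administrator roles; only the tenant-wide one
# triggers the check. Okta and GitHub events are assumed pre-filtered to admin grants.
ENTRA_ALERT_ROLES = {"Global Administrator"}


def in_scope(event):
    """Provider-specific filter: every Okta/GitHub grant, Global Administrator only for Entra ID."""
    if event["provider"] == "entra":
        return event["role"] in ENTRA_ALERT_ROLES
    return True


def failures_by_initiator(events):
    """Previous behaviour: the failing user was whoever granted the role.
    One busy helpdesk account collapses several distinct grants into one finding."""
    out = {}
    for e in filter(in_scope, events):
        out.setdefault(e["actor"], []).append(e["target"])
    return out


def failures_by_target(events):
    """Current behaviour: the failing user is the account that received the role.
    The grantor is kept as context for the explainability drawer."""
    out = {}
    for e in filter(in_scope, events):
        out.setdefault(e["target"], []).append(
            {"provider": e["provider"], "role": e["role"], "granted_by": e["actor"]}
        )
    return out


if __name__ == "__main__":
    for user, grants in failures_by_target(ROLE_GRANTS).items():
        for g in grants:
            print(f"FAIL {user}: {g['role']} on {g['provider']} granted by {g['granted_by']}")
```

Run against the sample events, the old attribution yields a single finding on helpdesk@example.com covering two separate Global Administrator grants, while the new attribution yields one finding per privileged account and drops the Global Reader grant entirely.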

Here is a look at the updated explainability for this check:

Bug Fixes and Minor Improvements

Test message UX improvements. The experience for testing notification messages is now more intuitive: you can send a test message directly from the configuration screen, and the test notification itself has been reworked so that administrators and users can quickly understand what they are looking at.
