Microsoft Entra ID Admin Activity Anomaly
Last updated
Detects administrative actions that an account has not performed before, and administrative actions performed against many targets at once. Identity Intelligence compares each administrative action against the account's activity over the past 90 days, and alerts when an account acts on 10 or more targets within a 10-minute period.
Adversaries may create or modify an account to maintain access to victim systems, or modify configuration settings to evade defenses and/or escalate privileges.
Recommended Actions
Verify with the account the reason for the changes.
Please note that many alerts will represent normal account or application lifecycle events (join/leave/move), so it is important to check the context of the action.
Read below for more detailed remediation recommendations
Default Check Settings
numberOfDistinctTargets: 10
timeframeMinutes: 10
Compatibility
Identity Intelligence provides insights into anomalous user behavior for both Azure AD and Okta platforms. The intention is to highlight unusual activity that may be indicators of either privilege escalation or other invasive/evasive tactics used by threat actors within an environment.
The anomalous behavior can include a variety of different actions. This article provides an understanding of the different categories. The core criteria that trigger this insight are the following:
A user performing an administrative action (defined below) that they have not previously done over the past 90 days
A user taking a high velocity of administrative actions in a short period of time (configurable, see below)
For high-velocity admin actions, the default configuration is 10 targets or objects (users, groups, devices) in 10 minutes, as listed above under "Default Check Settings". Both values are configurable via the Check Settings.
For Entra ID environments, the check is based on events collected from Entra ID Directory Audits.
Specifically, the category field from the directoryAudit resource type is referenced and presented in Identity Intelligence events and notifications for this check.
Category: Indicates which resource category is targeted by the activity. For example: UserManagement, GroupManagement, ApplicationManagement, RoleManagement.
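The following script is an added illustration of the two criteria described above (an administrative category the account has not used in the past 90 days, and 10 or more distinct targets within 10 minutes), written for this article and not Identity Intelligence's own detection code. It runs over a constructed set of records that use a minimal subset of the Entra ID directoryAudit shape (category, initiatedBy, targetResources, activityDateTime); the field names and sample accounts are assumptions, as is the choice to evaluate only the last day of events while using the full 90 days as history.

```python
"""Toy re-implementation of the Entra ID admin activity anomaly criteria.

Added example: not the product's own code. Records are constructed and use
only a few fields of the Microsoft Graph directoryAudit resource (assumed shape).
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOOKBACK_DAYS = 90               # "not previously done over the past 90 days"
NUMBER_OF_DISTINCT_TARGETS = 10  # default numberOfDistinctTargets
TIMEFRAME_MINUTES = 10           # default timeframeMinutes

NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)  # constructed "now"


def ev(actor, category, targets, when):
    """Build one constructed directoryAudit-style record."""
    return {"initiatedBy": actor, "category": category,
            "targetResources": [{"id": t} for t in targets],
            "activityDateTime": when}


SAMPLE_EVENTS = (
    # alice has 90 days of UserManagement history, so today's user change is routine...
    [ev("alice@example.com", "UserManagement", ["user-1"], NOW - timedelta(days=60)),
     ev("alice@example.com", "UserManagement", ["user-2"], NOW - timedelta(days=30)),
     ev("alice@example.com", "UserManagement", ["user-3"], NOW - timedelta(minutes=30)),
     # ...but she has never performed a RoleManagement action: a "new action" anomaly
     ev("alice@example.com", "RoleManagement", ["role-1"], NOW - timedelta(minutes=20))]
    # bob modifies 10 distinct groups within five minutes: a high-velocity anomaly
    + [ev("bob@example.com", "GroupManagement", [f"group-{i}"],
          NOW - timedelta(minutes=9) + timedelta(seconds=30 * i)) for i in range(10)]
    # carol modifies 12 groups spread over an hour, and has done group work before
    + [ev("carol@example.com", "GroupManagement", ["team-old"], NOW - timedelta(days=20))]
    + [ev("carol@example.com", "GroupManagement", [f"team-{i}"],
          NOW - timedelta(minutes=70) + timedelta(minutes=5 * i)) for i in range(12)]
)


def detect(events, now=NOW, evaluate_from=None,
           lookback_days=LOOKBACK_DAYS,
           number_of_distinct_targets=NUMBER_OF_DISTINCT_TARGETS,
           timeframe_minutes=TIMEFRAME_MINUTES):
    """Return anomaly findings. Events before `evaluate_from` serve as history only."""
    if evaluate_from is None:
        evaluate_from = now - timedelta(days=1)  # assumption: the check runs over the last day
    lookback = timedelta(days=lookback_days)
    window = timedelta(minutes=timeframe_minutes)

    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["activityDateTime"]):
        by_actor[e["initiatedBy"]].append(e)

    findings = []
    for actor, evs in by_actor.items():
        velocity_reported = False  # report the burst once per actor, not per event
        for i, e in enumerate(evs):
            t = e["activityDateTime"]
            if t < evaluate_from:
                continue
            # This actor's prior events inside the 90-day lookback window.
            prior = [p for p in evs[:i] if t - p["activityDateTime"] <= lookback]

            # Criterion 1: a category this actor has not used in the lookback window.
            if e["category"] not in {p["category"] for p in prior}:
                findings.append({"type": "new_admin_action", "actor": actor,
                                 "category": e["category"], "at": t})

            # Criterion 2: distinct targets touched within the trailing timeframe.
            recent = [p for p in prior if t - p["activityDateTime"] <= window] + [e]
            targets = {r["id"] for p in recent for r in p["targetResources"]}
            if len(targets) >= number_of_distinct_targets and not velocity_reported:
                findings.append({"type": "high_velocity", "actor": actor,
                                 "distinct_targets": len(targets), "window_end": t})
                velocity_reported = True
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f)
```

Running it reports alice's first RoleManagement action and bob's burst across 10 groups, while carol's dozen group edits over an hour stay quiet because no 10-minute window reaches the threshold and she has GroupManagement history. Passing `number_of_distinct_targets=11` mirrors raising the Check Setting and suppresses bob's velocity finding.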
From a security and governance perspective, anomalous admin actions and activity, whether rare actions or bulk actions taken against a large number of objects, should be reviewed and confirmed against either:
Known normal behavior for that end user within the platform
A service ticket, request, or temporary privilege escalation that explains and justifies the actions taken
Check failure events can be marked as Suspicious or Normal Behavior to log the result of an investigation within the Identity Intelligence platform, either on the Failing Check page or on a given user's Checks tab in the User 360. These two feedback options are also available directly in your messaging system if you have configured the check to send alerts to tools such as Slack, Teams or Webex, and your selected response will be sent back to the Identity Intelligence platform. These triage responses not only mitigate the user so that they are no longer failing the check, but also provide the Identity Intelligence Data team with valuable insight to enhance the accuracy of the platform and its detections.