Let's see how an analyst using Vectra can detect and respond to attackers targeting Azure AD federated applications and the Azure AD backend.
You can see email@example.com is prioritized as an active compromise with several different Vectra detections correlated to the account.
Let's open firstname.lastname@example.org to understand what might be happening.
You can see the account performed several actions that triggered alerts, including
Let's take a deeper look at these alerts by clicking Expand All.
You can see details of a sign-on that could be the start of an account compromise.
This alert was generated by an AI algorithm that considers 20+ different attributes of the sign-in to determine if this is an attacker sign-in.
To understand more about this type of Vectra detection, click ? to review the in-app explanation page.
Review the explainer page and find the details that will help us respond to alerts like the MITRE ATT&CK techniques, actions that trigger the detection, and the impact of the attacker's behavior.
When you are done reviewing, click x to continue investigating the sign-in event.
Now that we understand how this detection works, let's investigate and understand:
The investigation reveals that this was a compromised access event.
The attacker bypassed MFA and signed in anomalously from Russia using a Windows device.
Let's investigate deeper to understand more about what the attacker accessed.
Let's investigate the raw logs to see what other actions the attacker has done.
Click Instant Investigation for query-less access to the account's historical activity in Azure AD and M365.
We can complete our investigation by looking at email@example.com's historical Azure AD and M365 activity.
Let's focus on the Azure AD Sign-in activity to understand if this compromised account accessed other SaaS services.
This looks like the malicious access from before.
Click the row to see all the services accessed.
We can see that the attacker accessed Salesforce and Box in addition to the PowerShell module.
We have enough information to stop the attacker by disabling the account and blocking the attacker's access.
Vectra not only detects attackers but can also help prevent them.
Let's look at this dashboard to see the normal user access activity related to security controls and validate whether controls put in place are being bypassed.
One security control we can review is who has access to PowerShell.
Click AzureAD PowerShell Logins to see who else has access to PowerShell and review whether we should limit their access.
You can see the compromised access from firstname.lastname@example.org and a few other users.
We can now block email@example.com and the other users' access to PowerShell to prevent its use in future attacks.
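As an added example (not Vectra's code and not the demo's data), the Python below walks the same three steps on constructed Azure AD sign-in records: compare a sign-in against the account's own history (country, operating system, MFA, first use of a privileged app), list the services reached after the first flagged sign-in, and inventory which accounts sign in to the Azure AD PowerShell application. The additive scoring is a deliberately simple stand-in for the 20+ attribute model the walkthrough mentions, not a reproduction of it; the record fields are a flattened subset of the Microsoft Graph signIn schema, and every record, timestamp and account name other than email@example.com is invented.

```python
"""Triage of Azure AD sign-in records: baseline comparison, follow-on access, app inventory."""

# Assumed app display name for the Azure AD PowerShell module in sign-in logs.
PS_APP = "Azure Active Directory PowerShell"


def ev(upn, ts, app, country, os_, mfa, cas="success", err=0):
    """Build one flattened sign-in record (constructed sample data, not a real log)."""
    return {
        "userPrincipalName": upn, "createdDateTime": ts, "appDisplayName": app,
        "countryOrRegion": country, "operatingSystem": os_,
        "authenticationRequirement": mfa, "conditionalAccessStatus": cas, "errorCode": err,
    }


# Constructed sample log: three normal days for email@example.com, then a run of
# sign-ins from a new country and OS without MFA that starts with the PowerShell app.
SIGN_INS = [
    ev("email@example.com", "2023-03-01T09:00:00Z", "Office 365 Exchange Online", "US", "MacOs", "multiFactorAuthentication"),
    ev("email@example.com", "2023-03-02T09:05:00Z", "Office 365 SharePoint Online", "US", "MacOs", "multiFactorAuthentication"),
    ev("email@example.com", "2023-03-03T08:58:00Z", "Office 365 Exchange Online", "US", "MacOs", "multiFactorAuthentication"),
    ev("admin1@example.com", "2023-03-03T10:00:00Z", PS_APP, "US", "Windows", "multiFactorAuthentication"),
    ev("email@example.com", "2023-03-04T02:10:00Z", PS_APP, "RU", "Windows", "singleFactorAuthentication"),
    ev("email@example.com", "2023-03-04T02:14:00Z", "Salesforce", "RU", "Windows", "singleFactorAuthentication"),
    ev("email@example.com", "2023-03-04T02:20:00Z", "Box", "RU", "Windows", "singleFactorAuthentication"),
    ev("bob@example.com", "2023-03-04T11:00:00Z", PS_APP, "US", "Windows", "multiFactorAuthentication"),
    # a failed sign-in (invented error code) must not count as access
    ev("bob@example.com", "2023-03-04T11:30:00Z", PS_APP, "US", "Windows", "multiFactorAuthentication", cas="notApplied", err=50126),
]


def successful(e):
    """Azure AD reports a successful sign-in as errorCode 0."""
    return e["errorCode"] == 0


def build_baseline(events, upn, before):
    """Countries, operating systems and apps the user successfully signed in with before `before`."""
    base = {"countries": set(), "os": set(), "apps": set()}
    for e in events:
        if e["userPrincipalName"] == upn and successful(e) and e["createdDateTime"] < before:
            base["countries"].add(e["countryOrRegion"])
            base["os"].add(e["operatingSystem"])
            base["apps"].add(e["appDisplayName"])
    return base


def score_sign_in(e, baseline):
    """One point per deviation from the account's own history; returns (score, reasons)."""
    reasons = []
    if e["countryOrRegion"] not in baseline["countries"]:
        reasons.append("new country: " + e["countryOrRegion"])
    if e["operatingSystem"] not in baseline["os"]:
        reasons.append("new operating system: " + e["operatingSystem"])
    if e["authenticationRequirement"] != "multiFactorAuthentication":
        reasons.append("MFA not required or not satisfied")
    if e["appDisplayName"] == PS_APP and PS_APP not in baseline["apps"]:
        reasons.append("first use of privileged app: " + PS_APP)
    return len(reasons), reasons


def triage(events, upn, threshold=3):
    """Return (first flagged sign-in, reasons, services accessed from it onwards) or (None, [], set())."""
    user_events = sorted((e for e in events if e["userPrincipalName"] == upn), key=lambda e: e["createdDateTime"])
    for e in user_events:
        if not successful(e):
            continue
        base = build_baseline(events, upn, e["createdDateTime"])
        if not base["countries"]:
            continue  # no history yet, nothing to compare against
        score, reasons = score_sign_in(e, base)
        if score >= threshold:
            later = {x["appDisplayName"] for x in user_events
                     if successful(x) and x["createdDateTime"] >= e["createdDateTime"]}
            return e, reasons, later
    return None, [], set()


def app_users(events, app):
    """Accounts with at least one successful sign-in to `app` (the 'who has PowerShell access' review)."""
    return sorted({e["userPrincipalName"] for e in events if successful(e) and e["appDisplayName"] == app})


if __name__ == "__main__":
    hit, reasons, later = triage(SIGN_INS, "email@example.com")
    print("flagged sign-in:", hit["createdDateTime"], reasons)
    print("services accessed from the flagged sign-in onwards:", sorted(later))
    print("accounts signing in to", PS_APP + ":", app_users(SIGN_INS, PS_APP))
```

The timestamp comparisons rely on every record using the same ISO 8601 UTC format, which is what a Graph export gives you; mixed formats would need parsing first. Containment (disabling the account, revoking sessions, restricting the PowerShell app) is left to the tenant's admin tooling and is not shown here.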