Query Details

Monitor Cloud Break Glass Account

Query

# Detect when login is performed using a specified account (Cloud break glass account)

## Query Information

#### Description
It is best practice to have break glass accounts, which are excluded from all conditional access policies. To monitor all login activities under a specified account, this Detection Rule can be used. If any activity is performed using the specified account, an alert will be generated.

#### Risk
If an attacker could get access to a break glass account, this account could be used to bypass all conditional access rules, and get unrestricted access to the environment.

#### Author
- **GitHub:** https://github.com/erikgruetter

## Defender For Endpoint
```kql
AADSignInEventsBeta
| where AccountDisplayName == "Input display name of account here"
| project AccountDisplayName,
     Country,
     IPAddress,
     Timestamp,
     Application,
     DeviceName,
     ReportId,
     LogonType,
     SessionId,
     OSPlatform,
     AccountObjectId,
     AccountUpn
```

## Sentinel
```kql
SigninLogs
| where UserDisplayName == "Input display name of account here"
| project UserDisplayName,
     Location,
     IPAddress,
     TimeGenerated,
     AppDisplayName,
     DeviceDetail,
     UserPrincipalName
```


Explanation

This query helps detect when someone logs in using a specific account called a break glass account. It monitors all login activities under that account and generates an alert if any activity is detected. This is important because if an attacker gains access to this account, they could bypass security rules and gain unrestricted access to the system.
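As an added example (not part of the original rule or its author's repository), the Sentinel variant below matches the break glass account on its user principal name and object id instead of its display name, since a display name can be changed or duplicated by anyone with the right directory role, while the object id is immutable. It also surfaces the sign-in result and the conditional access outcome so the analyst can see at a glance whether the login succeeded and whether any policy applied. The UPN and object id values are placeholders to be replaced with the tenant's own break glass account details.

```kql
// Added example: monitor a break glass account by immutable identifiers.
// Both values below are placeholders; substitute the real account's UPN and object id.
let BreakGlassUpns = dynamic(["breakglass@contoso.onmicrosoft.com"]);   // placeholder UPN
let BreakGlassObjectId = "00000000-0000-0000-0000-000000000000";         // placeholder object id
SigninLogs
| where UserPrincipalName in~ (BreakGlassUpns) or UserId == BreakGlassObjectId
// ResultType "0" is a successful sign-in; anything else carries the Entra ID error code
| extend SignInResult = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
| project TimeGenerated,
          UserPrincipalName,
          UserId,
          UserDisplayName,
          SignInResult,
          ConditionalAccessStatus,
          AppDisplayName,
          IPAddress,
          Location,
          DeviceDetail
| order by TimeGenerated desc
```

Because a break glass account should see no routine use, every row this returns is worth an alert; failed attempts are as interesting as successful ones, since they show that someone is trying the account's credentials.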

Details


Bert-Jan Pals

Released: May 17, 2024

Tables

AADSignInEventsBeta, SigninLogs

Keywords

AccountDisplayName,UserDisplayName,AADSignInEventsBeta,SigninLogs,Country,IPAddress,Timestamp,Application,DeviceName,ReportId,LogonType,SessionId,OSPlatform,AccountObjectId,AccountUpn,Location,TimeGenerated,AppDisplayName,DeviceDetail,UserPrincipalName

Operators

==, where, project
