Query Details

Detect when login is performed using a specified account (Cloud break glass account)

Monitor Cloud Break Glass Account

Query

AADSignInEventsBeta
| where AccountDisplayName  == "Input display name of account here"
| project AccountDisplayName,
     Country,
     IPAddress,
     Timestamp,
     Application,
     DeviceName,
     ReportId,
     LogonType,
     SessionId,
     OSPlatform,
     AccountObjectId,
     AccountUpn

About this query

Detect when login is performed using a specified account (Cloud break glass account)

Query Information

Description

It is best practice to have break glass accounts, which are excluded from all conditional access policies. To monitor all login activities under a specified account, this Detection Rule can be used. If any activity is performed using the specified account, an alert will be generated.

Risk

If an attacker could get access to a break glass account, this account could be used to bypass all conditional access rules, and get unrestricted access to the environment.

Author

Defender XDR

Sentinel

SigninLogs
| where UserDisplayName  == "Input display name of account here"
| project UserDisplayName,
     Location,
     IPAddress,
     TimeGenerated,
     AppDisplayName,
     DeviceDetail,
     UserPrincipalName

Explanation

This query is designed to monitor and detect login activities for a specific "break glass" account, which is a special account used for emergency access and is typically exempt from conditional access policies. The query is set up to generate alerts whenever this account is used to log in, as unauthorized access to such an account could lead to unrestricted access to the system.

Here's a simple breakdown of the query:

  1. Purpose: To track and alert on login activities for a specified break glass account to ensure it is not being misused.

  2. Risk: If an attacker gains access to this account, they could bypass security measures and gain full access to the system.

  3. Query Details:

    • Defender XDR Query: Searches the AADSignInEventsBeta log for login events where the account display name matches the specified break glass account. It retrieves details like the country, IP address, timestamp, application used, device name, and more.
    • Sentinel Query: Searches the SigninLogs for similar login events, focusing on the user display name, location, IP address, time of login, application used, and device details.
  4. Usage: Replace "Input display name of account here" with the actual display name of the break glass account you want to monitor.

By using this query, administrators can keep a close watch on critical accounts and respond swiftly to any unauthorized access attempts.

Details

Bert-Jan Pals profile picture

Bert-Jan Pals

Released: October 20, 2024

Tables

AADSignInEventsBetaSigninLogs

Keywords

AADSignInEventsBetaAccountDisplayNameCountryIPAddressTimestampApplicationDeviceNameReportIdLogonTypeSessionIdOSPlatformAccountObjectIdAccountUpnSigninLogsUserDisplayNameLocationTimeGeneratedAppDisplayNameDeviceDetailUserPrincipalName

Operators

==|project

Actions

GitHub