New Azure User Logged In From Bad Source

This alert occurs when Lacework detects a new Azure user has logged in from a known bad source for the first time.

Why this Alert is Important

This detection indicates a sign-in from a malicious IP address. An IP address is considered malicious based on high failure rates caused by invalid credentials received from that IP address, or based on other IP reputation sources.

Investigation

Login from a bad source indicates potential unauthorized access or a compromise of the user's credentials. If an attacker gains access to a user's account, they can potentially access sensitive information or take malicious actions within your organization's Azure environment.

Use the following questions to guide the investigation:

  1. Confirm if the IP address shows suspicious behavior in your environment.
  2. Does the IP generate a high number of failures for a user or set of users in your directory?
  3. Is the traffic of the IP coming from an unexpected protocol or application, for example Exchange legacy protocols?
  4. If the IP address corresponds to a cloud service provider, check whether any legitimate enterprise applications run from the same IP before treating it as malicious.
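
The checks above can be run over exported sign-in records. The following is an added example, not Lacework code: it assumes records shaped like Microsoft Entra sign-in log entries (ipAddress, userPrincipalName, status.errorCode, clientAppUsed, appDisplayName), and the sample data, function names and thresholds are constructed for illustration.

```python
# Client names treated as legacy authentication (assumed subset of clientAppUsed values).
LEGACY_CLIENTS = {"Exchange ActiveSync", "IMAP4", "POP3", "Authenticated SMTP"}

def _rec(ip, user, code, client, app):
    # Field names follow the Microsoft Entra sign-in log schema.
    return {"ipAddress": ip, "userPrincipalName": user, "status": {"errorCode": code},
            "clientAppUsed": client, "appDisplayName": app}

# Constructed sample (documentation IP ranges). 50126 = invalid credentials, 0 = success.
SAMPLE_SIGNINS = [
    _rec("203.0.113.7", "alice@example.com", 50126, "IMAP4", "Office 365 Exchange Online"),
    _rec("203.0.113.7", "bob@example.com", 50126, "IMAP4", "Office 365 Exchange Online"),
    _rec("203.0.113.7", "carol@example.com", 50126, "Exchange ActiveSync", "Office 365 Exchange Online"),
    _rec("203.0.113.7", "alice@example.com", 50126, "Browser", "Azure Portal"),
    _rec("203.0.113.7", "alice@example.com", 50126, "IMAP4", "Office 365 Exchange Online"),
    _rec("203.0.113.7", "alice@example.com", 0, "Browser", "Azure Portal"),
    _rec("198.51.100.20", "dave@example.com", 0, "Browser", "Azure Portal"),
    _rec("198.51.100.20", "dave@example.com", 0, "Browser", "Azure Portal"),
]

def summarize_ip(signins, ip):
    """Aggregate one IP's sign-ins: failure rate, users, legacy clients, target apps."""
    total = failures = 0
    failed, succeeded, legacy, apps = set(), set(), set(), set()
    for rec in signins:
        if rec["ipAddress"] != ip:
            continue
        total += 1
        apps.add(rec["appDisplayName"])  # question 4: which applications this IP reaches
        if rec["status"]["errorCode"] == 0:
            succeeded.add(rec["userPrincipalName"])
        else:
            failures += 1
            failed.add(rec["userPrincipalName"])
        if rec["clientAppUsed"] in LEGACY_CLIENTS:
            legacy.add(rec["clientAppUsed"])
    return {"total": total, "failure_rate": failures / total if total else 0.0,
            "failed_users": sorted(failed), "succeeded_users": sorted(succeeded),
            "legacy_clients": sorted(legacy), "apps": sorted(apps)}

def triage(summary, min_attempts=5, failure_rate=0.5):
    """Map a summary to investigation findings; thresholds are illustrative assumptions."""
    findings = []
    if summary["total"] >= min_attempts and summary["failure_rate"] >= failure_rate:
        findings.append("high_failure_rate")          # question 2
    if len(summary["failed_users"]) > 1:
        findings.append("multiple_users_targeted")    # question 2, set of users
    if summary["legacy_clients"]:
        findings.append("legacy_protocol")            # question 3
    if findings and summary["succeeded_users"]:
        findings.append("success_after_suspicious_activity")
    return findings
```

A success from the same IP after failures against several users is the case that warrants the account actions listed under Resolution.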

Resolution

After detecting anomalous behavior, Lacework recommends the following resolutions:

  • Disable the user's account: If the login attempt was made using compromised credentials, immediately disable the user's account to prevent any further unauthorized access.
  • Reset the user's password: In case the user's credentials were compromised, change the user's password immediately to prevent further unauthorized access.
  • Verify the user's identity: Contact the user and verify their identity to ensure that they are the legitimate user of the account. If the user is unable to verify their identity, take additional remediation steps such as resetting the account or revoking access to resources.
  • Investigate the source of the bad login attempt: Identify the source of the bad login attempt by reviewing the IP address, geographic location, or other information associated with the login attempt. Use threat intelligence sources to determine whether the source is associated with malicious activity.
  • Implement additional security controls: Depending on the results of the investigation, consider implementing additional security controls such as multi-factor authentication or conditional access policies to prevent future unauthorized access attempts.
  • Review access controls: Review the access controls of the user's account and the Azure resource they accessed. Review the access policies, resource groups, and network settings to ensure they align with your organization's security and compliance requirements.
  • Monitor for further suspicious activity: Monitor the user's account and the Azure resource for any further suspicious activity to ensure that the remediation steps were effective.