Authentication Systems
Overview
Monitoring logs from authentication systems such as Azure AD, Microsoft AD, and Google Workspace Identity Services to detect account compromise, privilege escalation, and anomalous login activities.
Sample products
- Microsoft Active Directory (AD)
- Okta Identity Cloud
- Google Workspace Identity Services
- Entra ID/Azure Active Directory (AAD)
Use Case Categories
| Category | Description |
|---|---|
| Account Compromise Detection | Monitors authentication system logs for signs of compromised user accounts. Alerts triggered for unusual activities, unexpected access patterns, or deviations from normal user behavior, indicating a potential compromise. |
| Privilege Escalation Detection | Focuses on identifying attempts to escalate user privileges within authentication systems. Monitors logs for activities indicative of unauthorized privilege changes, unauthorized role assignments, or unusual elevation attempts. |
| Anomalous and Failed Login Monitoring | Analyzes authentication system logs for anomalous and failed login attempts. Alerts triggered for patterns suggesting brute force attacks, suspicious login times, or repeated failed login attempts. |
| Brute Force Attack Detection | Monitors authentication system logs for patterns indicative of brute force attacks. Alerts triggered for multiple failed login attempts within a short time frame, suggesting systematic attempts to guess passwords. |
| Abnormal User Behavior | Analyzes authentication system logs for abnormal user behavior patterns. Alerts triggered for deviations from normal usage, unexpected access patterns, or unusual activities indicating potential insider threats. |
Core Use Cases
| Alert Name | Description |
|---|---|
| Unusual Access Pattern Monitoring | Monitors authentication system logs for unusual access patterns indicating a potential account compromise. Alerts triggered for access from atypical locations or devices. |
| Rapid Increase in Privileges | Focuses on detecting rapid increases in user privileges within the authentication system. Alerts triggered for sudden role or permission changes, indicative of potential privilege escalation. |
| Credential Sharing Detection | Analyzes authentication logs to identify instances of credential sharing. Alerts triggered for simultaneous logins from different devices using the same credentials. |
| Unusual User Activity Patterns | Monitors user activity within the authentication system for unusual patterns. Alerts triggered for deviations from normal usage, indicating potential account compromise or misuse. |
| Unauthorized Role Assignment | Monitors authentication logs for unauthorized changes in user roles. Alerts triggered for suspicious role assignments or modifications, indicative of potential privilege escalation. |
| Elevated Permission Usage Analysis | Analyzes authentication logs for elevated permission usage. Alerts triggered for unusual activities or patterns indicative of unauthorized elevation of privileges. |
| Privilege Escalation Attempt Monitoring | Monitors logs for indications of attempts to escalate user privileges. Alerts triggered for suspicious activities suggesting unauthorized elevation of privileges. |
| Geographic Anomaly Detection | Monitors authentication system logs for geographic anomalies in login attempts. Alerts triggered for logins from unexpected or atypical locations, indicating potential unauthorized access. |
| Abnormal Login Times Analysis | Analyzes authentication logs for abnormal login times. Alerts triggered for logins during non-business hours or patterns indicating unusual login times, suggesting potential malicious activity. |
| Credential Stuffing Detection | Focuses on detecting patterns indicative of credential stuffing attacks within authentication logs. Alerts triggered for multiple failed login attempts, suggesting systematic credential guessing. |
| Multiple Failed Login Attempts | Monitors authentication system logs for multiple failed login attempts within a short time frame, indicative of brute force attacks. Alerts triggered for systematic password guessing. |
| Account Lockout Analysis | Analyzes authentication logs for patterns leading to account lockouts. Alerts triggered for repeated failed login attempts resulting in account lockouts, indicating potential malicious activity. |
| IP Blocklisting for Suspicious Activity | Focuses on blocklist IP addresses associated with suspicious or malicious login activity. Alerts triggered for patterns indicative of brute force attacks, leading to the temporary blacklisting of suspicious IPs. |
| User Account Lockdown | Monitors authentication logs for signs of account compromise. Alerts triggered for unusual login patterns, leading to the temporary lockdown of user accounts to prevent further unauthorized access. |
| Insider Threat Identification | Focuses on identifying potential insider threats within the authentication system logs. Alerts triggered for anomalous user behavior, unauthorized access, or suspicious activities indicative of insider threats. |
| Unauthorized Resource Access | Analyzes authentication logs for unauthorized access to critical resources. Alerts triggered for unexpected access patterns or attempts to access restricted or sensitive data within the system. |
| Unexpected MFA Settings Changes | Analyzes authentication system logs for unexpected changes in MFA settings. Alerts triggered for alterations to MFA configurations that could indicate potential compromise or bypass attempts. |
| User Role Violation Detection | Monitors authentication logs for violations of user roles. Alerts triggered for instances where users exceed or violate their assigned roles, indicating potential misuse or unauthorized activities. |
MITRE ATT&CK
T1547, T1552, T1083, T1548, T1550, T1088, T1078, T1547, T1056, T1053, T1102, T1087, T1110, T1059, T1558, T1111, T1562