AAD logs
5/20/2023

I had recently been asked to figure out a way to audit Azure Active Directory (AAD, AzAD) Role changes - such as the Global Administrator - using a SIEM (security information and event management). The Azure portal only provides 1 month's Role Management history, and being able to query a SIEM, such as Splunk, would allow a security professional to go back further during the course of his or her investigation and auditing.

There are two immediate ways to audit role changes that do not require coding skills:

“Eligible” vs “Permanent” Roles:
“If a user has been made eligible for a role, that means they can activate the role when they need to perform privileged tasks. There's no difference in the access given to someone with a permanent versus an eligible role assignment. The only difference is that some people don't need that access all the time.”

Note on Audit Log
During the course of writing this article, I found that when a Role membership was modified, the Core Directory service would log that action with the correct timestamp. The PIM service may later also trigger an alert if said operation was done outside of its domain - generally within about 2 minutes. However, I had recently come across a severely DELAYED alert by the PIM service that could cause unnecessary panic for auditors and the security team. The below screenshot is an example of such an alert occurring nearly 9 HOURS after role changes were made:

[Screenshot: Role Change Audit Log – PIM Alert (Splunk)]

Why would a delayed alert be a problem?

The Core Directory service correctly notified an auditor that the “Global Administrator” role had its membership modified at 1:36pm (Assign – Role granted) and 1:54pm (Unassign – Role removed), but PIM followed up with an alert of its own 9 HOURS later at 10:36pm (Alert). The auditor may subsequently panic late that evening that a “Global Administrator” had been assigned and escalate the situation. The security team looked at the “Global Administrator” role and found that user “mike” did not possess that access (it was removed at 1:54pm).

Also notice there was only one (successful) alert entry from PIM at 10:36pm for a member having been added outside of its service.

[Screenshot]

There was no additional one about the role having been removed.
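The delayed-alert problem above is something the SIEM itself can catch: before an auditor is paged on a PIM alert, correlate it against the Core Directory Assign/Unassign records for the same role and user, measure how late the alert is, and check whether the membership still existed when the alert fired. The following is an added example (not code from the post and not a Microsoft or Splunk artifact); the record fields `time`, `service`, `operation`, `role` and `target` are assumptions standing in for the fields a SIEM would extract from the audit log, and the sample records are constructed to mirror the 1:36pm / 1:54pm / 10:36pm sequence described in the post.

```python
from datetime import datetime

# Constructed sample of RoleManagement audit entries as they might be exported
# from Azure AD into a SIEM. The field names (time, service, operation, role,
# target) are assumptions for this example, not the exact schema of the post's
# Splunk index; the timestamps mirror the incident described in the post.
SAMPLE_EVENTS = [
    {"time": "2023-05-20T13:36:00", "service": "Core Directory",
     "operation": "Assign", "role": "Global Administrator", "target": "mike"},
    {"time": "2023-05-20T13:54:00", "service": "Core Directory",
     "operation": "Unassign", "role": "Global Administrator", "target": "mike"},
    {"time": "2023-05-20T22:36:00", "service": "PIM",
     "operation": "Alert", "role": "Global Administrator", "target": "mike"},
]


def _ts(event):
    return datetime.fromisoformat(event["time"])


def membership_active_at(events, role, target, at):
    """Replay the Core Directory Assign/Unassign records for one role/target in
    time order and report whether the membership was in force at instant `at`.
    Core Directory is treated as the authoritative source because it logs the
    change with the correct timestamp."""
    active = False
    for event in sorted(events, key=_ts):
        if (event["service"] != "Core Directory"
                or event["role"] != role or event["target"] != target):
            continue
        if _ts(event) > at:
            break
        active = event["operation"] == "Assign"
    return active


def triage_pim_alerts(events, delay_threshold_hours=1.0):
    """For every PIM 'Alert' record, find the Core Directory Assign it refers
    to, measure how late the alert arrived, and check whether the assignment
    still existed when the alert fired. An alert about a membership that had
    already been removed is marked 'stale' so the reviewer is not escalated
    for access that no longer exists."""
    findings = []
    for alert in events:
        if alert["service"] != "PIM" or alert["operation"] != "Alert":
            continue
        alert_time = _ts(alert)
        candidates = [
            e for e in events
            if e["service"] == "Core Directory" and e["operation"] == "Assign"
            and e["role"] == alert["role"] and e["target"] == alert["target"]
            and _ts(e) <= alert_time
        ]
        finding = {"role": alert["role"], "target": alert["target"],
                   "alert_time": alert["time"]}
        if not candidates:
            # PIM alerted but Core Directory never recorded the grant: worth a look.
            finding.update(source_time=None, latency_hours=None,
                           active_at_alert=False, verdict="no-source-event")
            findings.append(finding)
            continue
        # The most recent preceding Assign is the change the alert refers to.
        source = max(candidates, key=_ts)
        latency = (alert_time - _ts(source)).total_seconds() / 3600
        active = membership_active_at(events, alert["role"], alert["target"], alert_time)
        verdict = "actionable" if active else "stale"
        finding.update(source_time=source["time"], latency_hours=round(latency, 2),
                       active_at_alert=active, verdict=verdict,
                       delayed=latency > delay_threshold_hours)
        findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in triage_pim_alerts(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the single PIM alert is reported with a latency of 9.0 hours, `active_at_alert` false and the verdict `stale`, which is exactly the case in the post: the right response is to confirm the 1:54pm removal rather than escalate. An alert that arrives within the usual couple of minutes while the membership is still in place comes back as `actionable`, and an alert with no matching Core Directory grant is flagged separately as `no-source-event`.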