SenseOn SOC Playbook: M365 Compromised Account
The following process describes how managed service providers of SenseOn should extend the investigation of incidents in end-customer estates, and contains best-practice guidance for additional manual threat hunting and containment.
This playbook documents the steps an analyst should take when investigating a suspected compromised account using SenseOn's M365 Response Actions feature, which is part of the Entra ID integration. It covers the following alert types:
- M365 Unfamiliar sign-in properties
- M365 Atypical travel
- M365 Anonymous IP address
- M365 Password Spray
Process Flowchart
Identification
Other alerts
Use the following hunt lab query to identify any other unusual alerts associated with the suspect IP or compromised user:
SELECT
_time_observed,
title,
description,
severity,
user_logon_ip,
user_principal
FROM
cloud_ms_graph_alert
WHERE
has(user_logon_ip, '<ip_address>')
OR arrayStringConcat(user_principal, ',') LIKE '%<compromised_user>%'
Logon Behaviour
Using the telemetry ingested through Microsoft Graph API integration, identify any other unusual logons for the user or suspect IP address:
SELECT
_time_observed,
ip_address,
user_principal_name,
location_country_code,
location_city,
sign_in_error_code
FROM
cloud_ms_sign_in_log
WHERE
user_principal_name LIKE '%<compromised user>%'
OR ip_address = '<suspect IP>'
Suspicious Cloud Actions
Using telemetry ingested through the Microsoft Entra ID integration, identify any suspicious O365 actions performed by the compromised user or from the suspect IP address. Note that this table identifies the actor by user_id and the source address by client_ip, so the filter uses those columns rather than the sign-in log column names:
SELECT
_time_observed,
client_ip,
user_id,
workload,
operation,
raw
FROM
cloud_ms_o365_activity_log
WHERE
user_id LIKE '%<compromised user>%'
OR client_ip = '<suspect IP>'
Suspicious Account Modification
Using telemetry ingested through the Microsoft Entra ID integration, identify any suspicious account modifications performed by the compromised user or suspect IP address:
SELECT
_time_observed,
initiator_user_ip,
initiator_user_principal_name,
initiator_app_name,
activity_name,
operation_type,
category,
target_resource_user_principal_names,
target_resource_modified_properties
FROM
cloud_ms_directory_audit_log
WHERE
initiator_user_principal_name LIKE '%<compromised user>%'
OR initiator_user_ip = '<suspect IP>'
OR arrayStringConcat(target_resource_user_principal_names,',') LIKE '%<compromised user>%'
Review the User’s Device
Use the following hunt lab query to identify the user’s device:
SELECT
DISTINCT user,
_hostname
FROM
endpoint_logged_in_user
WHERE
lower(user) LIKE lower('%<user>%')
Then review process activity on the device identified above, in chronological order:
SELECT
_time_observed, _hostname, username, command
FROM
endpoint_process
WHERE
lower(_hostname) LIKE lower('%<device>%')
ORDER BY
_time_observed ASC
Containment
After confirming the account is compromised, an impact assessment should be performed before containment actions are taken.
Impact Assessment
- Assess the number of users impacted. If more than 2 users are impacted, escalate internally.
- Assess the account severity (e.g. privilege level and business role) of these users.
- Is customer escalation required? If any user is listed as a priority account, follow the standard escalation procedure to a senior analyst prior to customer notification.
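To put a number on the first impact-assessment bullet, the following hunt lab query (an added example, not from the SenseOn playbook) summarises every account that signed in from the suspect IP, so the "more than 2 users" threshold can be applied directly; the second query generalises the Logon Behaviour hunt above to find any IP touching many accounts with mostly failures, the shape of the M365 Password Spray alert. It assumes ClickHouse-style SQL (as the has()/arrayStringConcat calls above suggest), that _time_observed is a DateTime, and that sign_in_error_code is numeric with 0 meaning success (Entra's errorCode convention); these are assumptions to verify against the estate's schema.

```sql
-- Added example (not part of the SenseOn playbook).
-- Assumptions: ClickHouse SQL; _time_observed is DateTime;
-- sign_in_error_code = 0 on success, non-zero on failure.

-- 1. Who signed in from the suspect IP in the last 30 days, and did it succeed?
--    One row per account: the row count is the number of impacted users.
SELECT
    user_principal_name,
    min(_time_observed)                   AS first_seen,
    max(_time_observed)                   AS last_seen,
    countIf(sign_in_error_code = 0)       AS successful_sign_ins,
    countIf(sign_in_error_code != 0)      AS failed_sign_ins,
    groupUniqArray(location_country_code) AS countries,
    groupUniqArray(location_city)         AS cities
FROM cloud_ms_sign_in_log
WHERE ip_address = '<suspect IP>'
  AND _time_observed >= now() - INTERVAL 30 DAY
GROUP BY user_principal_name
ORDER BY successful_sign_ins DESC, failed_sign_ins DESC;

-- 2. Generalisation: any source IP that attempted many distinct accounts in the
--    last day. A high users_targeted count with few successes is the spray shape;
--    any non-zero successes on such a row are the accounts to assess first.
SELECT
    ip_address,
    uniq(user_principal_name)             AS users_targeted,
    count()                               AS attempts,
    countIf(sign_in_error_code = 0)       AS successes,
    groupUniqArray(location_country_code) AS countries
FROM cloud_ms_sign_in_log
WHERE _time_observed >= now() - INTERVAL 1 DAY
GROUP BY ip_address
HAVING users_targeted > 5
ORDER BY users_targeted DESC, successes DESC;
```

Tune the 30-day / 1-day windows and the users_targeted threshold to the customer's size; a shared corporate egress IP will legitimately show many users, so check the countries column before treating a row as hostile.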
Contain Account
- Disable the user account through the SenseOn platform after gaining approval.
- Each customer should have pre-agreed decision criteria to enable timely containment with the minimum of business impact.
- Revoke active M365 sessions using the SenseOn platform.
- Quarantine Endpoint: If endpoint compromise is suspected, isolate the device.
Action for customer
- Block offending IP Addresses: If malicious/unauthorised IPs are identified, block them at the firewall, proxy, or cloud gateway.
Review
- Review all IOCs across the environment to ensure no additional compromise has occurred during the incident.
- Review the user's lockout status to ensure the account has not been unlocked during the incident by the service desk or other means.
- Review active user sessions across devices; new sessions seen after lockout may indicate a gap that needs escalation.
Eradication
Action for customer
- Enforce a new strong and unique password.
- Ensure MFA is enabled and properly configured.
- Require re-authentication on all devices.
- Disable any backdoor accounts or malicious OAuth applications.
- Remove any mailbox rules added by a threat actor.
- Remove unauthorised admin accounts or service tokens.
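Before and after the eradication steps above, the following hunt lab query (an added example, not from the SenseOn playbook) lists the persistence artefacts those steps target for the compromised user: inbox-rule and mailbox changes from the O365 activity log, and application consents, service principals and newly registered MFA methods from the directory audit log. The operation and activity names are the values Microsoft emits in the Exchange unified audit log and Entra audit log; confirm them against the estate's own records. It assumes ClickHouse-style SQL, that raw holds the original audit record, and that target_resource_modified_properties can be rendered with toString().

```sql
-- Added example (not part of the SenseOn playbook).
-- Assumptions: ClickHouse SQL; raw is the original audit record;
-- target_resource_modified_properties is convertible with toString().
SELECT *
FROM
(
    -- Exchange: inbox rules, forwarding/mailbox settings, delegated permissions
    SELECT
        _time_observed,
        'o365_activity'                 AS source,
        client_ip                       AS actor_ip,
        user_id                         AS actor,
        operation                       AS action,
        toString(raw)                   AS detail
    FROM cloud_ms_o365_activity_log
    WHERE user_id LIKE '%<compromised user>%'
      AND operation IN ('New-InboxRule', 'Set-InboxRule', 'UpdateInboxRules',
                        'Set-Mailbox', 'Add-MailboxPermission')
      AND _time_observed >= now() - INTERVAL 30 DAY

    UNION ALL

    -- Entra: OAuth consents, new service principals, added MFA methods
    SELECT
        _time_observed,
        'directory_audit'               AS source,
        initiator_user_ip               AS actor_ip,
        initiator_user_principal_name   AS actor,
        activity_name                   AS action,
        toString(target_resource_modified_properties) AS detail
    FROM cloud_ms_directory_audit_log
    WHERE initiator_user_principal_name LIKE '%<compromised user>%'
      AND activity_name IN ('Consent to application', 'Add service principal',
                            'Add OAuth2PermissionGrant',
                            'Add app role assignment grant to user',
                            'User registered security info')
      AND _time_observed >= now() - INTERVAL 30 DAY
)
ORDER BY _time_observed ASC;
```

Any row dated after the containment time (session revocation and account disable) indicates the containment did not hold and should be escalated; rows from before it are the items the customer removes during eradication.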
Recovery
Joint action for customer and provider of SenseOn MDR
- The SenseOn MDR provider monitors for ongoing activity using the threat hunting queries created during the investigation; this ensures there are no gaps left by the containment and eradication stages.
- Create 'health monitoring' tasks for endpoint and user behaviour; this check is to be performed on a frequent basis.
- Verify user identity before re-enabling the account.
- Restore legitimate access for the user after securing the account.
- Conduct a thorough audit of permissions and ensure least privilege is applied.
- Agree with the customer that recovery is successful once no additional anomalous behaviour has been identified over the post-eradication period.