Office 365 Security Auditing & Alerts – AD Suspicious Sign-in Activity

This blog is a continuation of our series describing CoreView functionality that empowers administrators to perform security monitoring, auditing and forensic analysis for Office 365 events, plus the security watchdog features to provide automated alerts for known security risks. This topic covers the specific functionality for Active Directory (AD) auditing and reporting to monitor suspicious sign-in activity.

The Azure AD security reports available in CoreView provide the proactive, bloodhound-type assistance to sniff out suspicious activity on user account sign-ins. Many security breaches come from botnet-driven brute-force attacks on user accounts that try different password combinations until they gain access over time. This was the method used by the “KnockKnock” attack reported last summer, which targeted Office 365 system accounts.

Monitoring suspicious sign-in activities on user accounts has quickly become a critical security task for IT administrators responsible for managing Office 365. The customizable reports from CoreView enable IT admins to view why these activities are considered suspicious, who performed the sign-in, when it happened, and from what geographic location (which IP address). This is extremely helpful for distributed organizations with multiple sites and geographic locations. The anomalous AD activity reports combine suspicious sign-in details from the following categories:

  • Sign-ins from unknown sources
  • Sign-ins after multiple failures
  • Sign-ins from multiple geographies in the same days/weeks
  • Sign-ins from IP addresses with suspicious activity
  • Sign-ins from possibly infected devices
  • Irregular sign-in activity

(Example of security auditing report for anomalous sign-in activity)

Note: CoreView also enables the configuration of automated alerts for specific suspicious sign-in activities. Using this model, an IT admin is notified immediately when any of these security issues occurs.

Listed below are more detailed descriptions of the different suspicious sign-in categories and examples of the reports shown in CoreView.

Sign-ins after multiple failures

This report shows the number of consecutive failed sign-in attempts made prior to a successful sign-in, along with the timestamp of the first successful sign-in. These reports are fully customizable: by clicking the ‘Columns’ drop-down menu you can add or remove columns, and the columns can be filtered to the exact subset of information you wish to monitor. As with any report in CoreView, it can be exported, saved, printed, or scheduled to run at a specific time and distributed with the applied column changes and filters.
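The detection behind this report can be reproduced over raw sign-in events. The following is an added example, not CoreView's code: it parses a small constructed log (the users, IPs and timestamps are made up), groups events per user in time order, and reports every user whose successful sign-in was preceded by at least `min_failures` consecutive failures, together with the timestamp and source IP of that first success. The threshold of 5 is an assumption, not a value the report uses.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample sign-in log (not real tenant data), one event per line:
# "<ISO timestamp> <user> <source IP> <Success|Failure>"
SAMPLE_LOG = """\
2024-03-01T02:01:10 alice 203.0.113.7 Failure
2024-03-01T02:03:22 alice 203.0.113.7 Failure
2024-03-01T02:05:41 alice 203.0.113.7 Failure
2024-03-01T02:07:58 alice 203.0.113.7 Failure
2024-03-01T02:10:03 alice 203.0.113.7 Failure
2024-03-01T02:12:19 alice 203.0.113.7 Failure
2024-03-01T02:13:00 alice 203.0.113.7 Success
2024-03-01T08:14:02 bob 192.0.2.10 Failure
2024-03-01T08:14:30 bob 192.0.2.10 Failure
2024-03-01T08:14:51 bob 192.0.2.10 Success
2024-03-01T03:00:00 carol 203.0.113.7 Failure
2024-03-01T03:00:40 carol 203.0.113.7 Failure
2024-03-01T03:01:20 carol 203.0.113.7 Failure
2024-03-01T03:02:00 carol 203.0.113.7 Failure
2024-03-01T03:02:40 carol 203.0.113.7 Failure
"""


def parse_log(text):
    """Parse log lines into (timestamp, user, ip, succeeded) tuples, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, outcome == "Success"))
    return sorted(events)


def failures_before_success(events, min_failures=5):
    """Return {user: finding} for each user whose first qualifying success
    was preceded by >= min_failures consecutive failed attempts.

    A streak of failures that never ends in a success (carol below) is not
    reported here: this mirrors the report, which keys on the successful sign-in.
    """
    per_user = defaultdict(list)
    for ev in events:
        per_user[ev[1]].append(ev)

    findings = {}
    for user, evs in per_user.items():
        streak, streak_ips = 0, set()
        for when, _, ip, succeeded in evs:
            if not succeeded:
                streak += 1
                streak_ips.add(ip)
                continue
            # A success ends the streak; record it once per user if long enough.
            if streak >= min_failures and user not in findings:
                findings[user] = {
                    "failures": streak,
                    "first_success": when,
                    "success_ip": ip,
                    "failure_ips": sorted(streak_ips),
                }
            streak, streak_ips = 0, set()
    return findings


if __name__ == "__main__":
    for user, f in failures_before_success(parse_log(SAMPLE_LOG)).items():
        print(f"{user}: {f['failures']} failures, then success at "
              f"{f['first_success'].isoformat()} from {f['success_ip']}")
```

Only alice is reported at the default threshold: six failures, then a success at 02:13 from the same address. Lowering `min_failures` to 2 also surfaces bob, which is the kind of tuning a column filter in the report lets you do.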

(Example of suspicious sign-in caused from multiple login failures)

Sign-ins from IP addresses with suspicious activity

This report shows sign-ins from IP addresses where suspicious activity has been detected. Suspicious activity in this case is defined to be an unusually high ratio of failed sign-ins to successful sign-ins, which may indicate that an IP address is being used for malicious purposes.
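As an added example (not CoreView's code), the following computes that failed-to-successful ratio per source IP over a constructed event set. It assumes two tuning values the text does not state: a minimum number of attempts before an address is judged at all, so that a handful of typos from one address is not flagged, and a ratio threshold. An address with failures and no successes has an infinite ratio and is flagged once it meets the volume floor; the distinct-user count is also kept, since one address failing against many accounts is a pattern a defender wants to see.

```python
import math
from collections import defaultdict


def build_sample():
    """Constructed sign-in events as (user, source IP, succeeded) tuples."""
    events = []
    # One address, many accounts, almost all failures (spray-like pattern).
    for i in range(30):
        events.append((f"user{i:02d}", "198.51.100.23", False))
    events.append(("user07", "198.51.100.23", True))
    # Office egress address: many successes, a few mistyped passwords.
    for i in range(40):
        events.append((f"user{i % 8:02d}", "192.0.2.10", True))
    events += [("user03", "192.0.2.10", False)] * 3
    # Low-volume address: too few attempts to judge.
    events += [("user11", "203.0.113.5", False)] * 4
    return events


def suspicious_ips(events, min_attempts=20, max_fail_ratio=10.0):
    """Flag source IPs whose failed:successful sign-in ratio is unusually high.

    min_attempts and max_fail_ratio are assumed tuning values, not values
    taken from the report.
    """
    stats = defaultdict(lambda: {"failed": 0, "succeeded": 0, "users": set()})
    for user, ip, succeeded in events:
        s = stats[ip]
        s["users"].add(user)
        s["succeeded" if succeeded else "failed"] += 1

    flagged = {}
    for ip, s in stats.items():
        total = s["failed"] + s["succeeded"]
        if total < min_attempts:
            continue  # not enough volume to call the address suspicious
        # Failures with zero successes give an infinite ratio rather than a crash.
        ratio = s["failed"] / s["succeeded"] if s["succeeded"] else math.inf
        if ratio >= max_fail_ratio:
            flagged[ip] = {
                "failed": s["failed"],
                "succeeded": s["succeeded"],
                "fail_ratio": ratio,
                "distinct_users": len(s["users"]),
            }
    return flagged


if __name__ == "__main__":
    for ip, f in suspicious_ips(build_sample()).items():
        print(f"{ip}: {f['failed']} failed / {f['succeeded']} succeeded "
              f"(ratio {f['fail_ratio']}), {f['distinct_users']} users")
```

With the defaults only 198.51.100.23 is flagged (30 failures against 30 accounts, one success). The office address has a ratio well under 1, and 203.0.113.5 falls below the attempt floor; lowering `min_attempts` to 1 brings it in with an infinite ratio.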

Sign-ins from multiple geographies

This report includes successful sign-ins for the same account where two sign-ins appeared to originate from different geographical regions during a specific timeframe. The report takes into consideration the time difference between the sign-ins to provide more details to the administrator so they can determine whether it was possible for the user to have traveled between those regions.

There may be different causes for these occurrences:
  • User is sharing their password with other colleagues (shared, business mailbox)
  • User signs in from a web browser running in a remote desktop session
  • A hacker has signed in from a different country
  • User has a VPN or proxy
  • User is signed in from multiple devices at the same time, such as a desktop and a mobile phone, and the IP address of the mobile phone is unusual.

This report will showcase the successful sign-in events, along with the time between the sign-ins, the regions where the sign-ins appeared to originate from, and the estimated travel time between those regions.

(Example of suspicious sign-in activity from multiple geographic locations)

Sign-ins from Infected Devices

This report attempts to identify user devices that may have become infected and are now part of a botnet. We correlate IP addresses of user sign-ins against IP addresses that we know to be in contact with botnet servers.

Note: This report flags IP addresses, not user devices. We recommend that you contact the user and scan all the user’s devices to be certain. It is also possible that a user’s personal device is infected, or that someone sharing the same IP address as the user has an infected device. For more information about how to address malware infections, see the Malware Protection Center.

Irregular Sign-ins

Irregular sign-ins are identified on the basis of an “impossible travel” condition combined with an anomalous sign-in location and device. This may indicate that a hacker has successfully signed in using this account.

(Example of suspicious sign-in activity report showing irregular logins)

There you have it. If you are looking for a security bloodhound to track down suspicious sign-in activity, then CoreView is the solution you need. If you are interested in finding out more about our CoreView solution and how it can help with security compliance audits, provide security watchdog alerts, and cut your administration time in half, please visit our overview page online, or sign up for a free trial at http://www.coreview.com/free-trial.