Top SolarWinds risk assessment resources for Microsoft 365 and Azure

One silver lining that has come out of the SolarWinds (Solorigate) incident is the huge amount of new security blogs and content that Microsoft and other vendors have published. Even if your organization was not directly affected by the attack, you are probably having to answer questions about what you and your team are doing to protect your network from this sort of attack. These resources will prepare you to respond appropriately.

Microsoft Solorigate Resource Center

The Microsoft Solorigate Resource Center is an ever-expanding resource of information and investigation techniques. Take the time to review these links. If you are a Microsoft 365 or Azure Active Directory (AD) customer, review the Azure AD workbook to assess SolarWinds risk. You may need to first set up an Azure workspace and then Azure AD logs with Azure Monitor logs to access the workbook. Here’s how:

Sign into the Azure Portal and select “Azure Active Directory”, then “Diagnostic settings”, then “Add diagnostic setting”. You can also select “Export Settings” from the Audit Logs or Sign-ins page to get to the diagnostic settings configuration page. In the “Diagnostic settings” menu, select the “Send to Log Analytics Workspace” check box, and then select “Configure”. Then select the log analytics workspace you want to send the logs to or create a new workspace in the provided dialog box.

Send the audit logs to the log analytics workspace by selecting the “AuditLogs” check box, or you can send sign-in logs to the log analytics workspace by selecting the “SignInLogs” check box. To export the sign-in data, you must have an Azure AD P1 or P2 license. Now choose to send the information to a log analytics workspace. Select “Save” to save the setting. You may need to wait a short time for the SigninLogs to realize that your subscription has a P1 license attached.

Then go to sign into the Azure Portal and navigate to “Azure Active Directory”, then to “Monitoring” and then to “Workbooks”. Look for the sensitive operations report.

Susan Bradley

You may need to wait for data to be pulled into the workbook for analysis, but eventually you can review the following reports:

• Modified application and service principal credentials/authentication methods. This part of the report lists all new credentials added to apps and service principals, including the credential type, top actors, and the amount of credentials modifications they performed and a timeline for all credential changes.
• Modified federation settings. This includes changes performed to existing domain federation trusts and the addition of new domains and trusts.
• Azure AD STS refresh token modifications by service principals and applications other than DirectorySync. When reviewing the data in this section, the admin should check new token validation time period with high values and investigate whether this was a legitimate change or an attempt to gain persistence by the attacker.
• New permissions granted to service principals. This section includes a breakdown of the AppOnly permissions grants to existing service principals. Admins should investigate any instances of excessive high permissions being granted, including, but not limited to, Exchange Online, Microsoft Graph and Azure AD Graph.
• Directory role and group membership updates for service principals. This section includes an overview of all changes made to service principal memberships and should be reviewed for any additions to high privilege roles and groups.

CISA Sparrow.ps1

The US Cybersecurity and Infrastructure Security Agency (CISA) has released its free tool, Sparrow.ps1, for “detecting unusual and potentially malicious activity that threatens users and applications in an Azure/Microsoft O365 environment.” It helps to detect possible compromised accounts and applications in an Azure and Microsoft 365 environment. The tool “will check and install the required PowerShell modules on the analysis machine, check the unified audit log in Azure/M365 for certain indicators of compromise, list Azure AD domains, and check Azure service principals and their Microsoft Graph API permissions to identify potential malicious activity. The tool then outputs the data into multiple CSV files in a default directory.”

CISA also released a recap site listing emergency directives, alerts and guidance as well as third-party tools to identify weaknesses.

CrowdStrike Reporting Tool for Azure

The free CrowdStrike Reporting Tool (CRT) for Azure identifies and helps mitigate risks in Azure AD. CrowdStrike identified that attackers often attempt to go after a Microsoft 365 customer by going through the vendors that sell, provide, or manage Microsoft 365 subscriptions on behalf of clients. They stated that “CrowdStrike was contacted by the Microsoft Threat Intelligence Center on December 15, 2020. Specifically, they identified a reseller’s Microsoft Azure account used for managing CrowdStrike’s Microsoft Office licenses was observed making abnormal calls to Microsoft cloud APIs during a 17-hour period several months ago. There was an attempt to read email, which failed as confirmed by Microsoft.”

To start your investigation, review what third-party vendors have access to your Microsoft 365 subscription. Review with those partners as to what rights and privileges they have with your account.

Next, review CrowdStrike’s suggestions and use its tool to review additional configurations. At a minimum, you should have several log files enabled and captured in a log storage process. The following logs should be enabled:

• Unified Audit Log
• Azure Activity Logs
• Azure Services Logs
• Azure NSG Flow Logs
• Azure AD Logs:
  • Azure AD Audit Logs
  • Azure AD Sign-In Logs
  • Azure AD Managed Identity Sign-In Logs (Preview)
  • Azure AD Non-Interactive User Sign-In Logs (Preview)
  • Azure AD Service Principal Sign-In Logs (Preview)
  • Azure AD Provisioning Logs
  • Azure AD Risky Sign-In events

As a preventative measure, enable multi-factor authentication (MFA) and ensure that it is fully enforced for all users. Then review the log files for any new unknown MFA and restrict service accounts from MFA registrations and monitor MFA use. To ensure that third-party tools and applications aren’t used by attackers to bypass MFA, set the MFA access policy to “Do not allow users to create app passwords to sign into non-browser apps”.

Then review and enforce Conditional Access policies. Set up geofencing or trusted locations. Also review the trusted locations that you have set up are the locations that you intended to trust and that no attacker has added an exclusion in this area.

Next, enforce modern authentication and blocking of legacy authentication. Make sure that IMAP and POP are blocked and limited in use. Block “risky sign-ins” with medium or higher severity and monitor authentication requests from unknown identity providers. Monitor for credentials being added to service principals. Finally, enable self-service password reset (SSPR) requests to notify users when their passwords are changed.