Source - https://blogs.technet.microsoft.com/yuridiogenes/2018/03/24/exploring-the-identity-access-dashboard-in-azure-security-center/
In Azure Security Center you can use the Identity & Access dashboard to explore more details about your identity posture. This dashboard gives you a snapshot of your identity-related activities, as shown in the example below:
Just by looking at this dashboard you can draw some conclusions; for example, all failed logons were due to an invalid username or password. However, by looking at the accounts under the Failed logons section, I can see that none of these accounts exist in my environment (of course, you need knowledge of the environment to conclude that). This can be an indication that there was an attempt to brute-force the authentication by trying different usernames and passwords. But what if this were a large organization, and you just don't know all the accounts? The follow-up question may be: is it possible to know if it was just the username that was wrong? Yes, it is! Follow the steps below to find out:
1. In the Identity & Access dashboard, click the Failed Logon Reasons chart.
2. Log Analytics search will open with the results of the following query:
SecurityEvent | where AccountType == 'User' and EventID == 4625 and (FailureReason has '2313')
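An added example, not part of the original post: one way to answer the "was it just the username?" question is to split the same 4625 events by the Windows SubStatus code, where 0xC0000064 means the user name does not exist and 0xC000006A means the user name is valid but the password is wrong. The sample rows, the SampleSecurityEvent name and the threshold of 3 distinct accounts are assumptions made for illustration; against a real workspace, replace SampleSecurityEvent with SecurityEvent.

```kql
// Constructed sample rows standing in for the SecurityEvent table (not real data).
let SampleSecurityEvent = datatable(
    TimeGenerated:datetime, Computer:string, Account:string, AccountType:string,
    EventID:int, FailureReason:string, SubStatus:string, IpAddress:string)
[
    datetime(2018-03-20 10:00:01), "VM1", "admin",         "User", 4625, "%%2313", "0xc0000064", "203.0.113.10",
    datetime(2018-03-20 10:00:03), "VM1", "administrator", "User", 4625, "%%2313", "0xc0000064", "203.0.113.10",
    datetime(2018-03-20 10:00:05), "VM1", "test",          "User", 4625, "%%2313", "0xc0000064", "203.0.113.10",
    datetime(2018-03-20 10:00:07), "VM1", "sqladmin",      "User", 4625, "%%2313", "0xc0000064", "203.0.113.10",
    datetime(2018-03-20 11:15:00), "VM1", "yuri",          "User", 4625, "%%2313", "0xc000006a", "198.51.100.7",
    datetime(2018-03-20 11:15:20), "VM1", "yuri",          "User", 4625, "%%2313", "0xc000006a", "198.51.100.7"
];
// Assumed threshold: this many distinct unknown user names from one source
// is treated as user name guessing rather than a typo.
let MinDistinctAccounts = 3;
SampleSecurityEvent
// Same filter as the dashboard query: failed user logons with reason 2313.
| where AccountType == 'User' and EventID == 4625 and FailureReason has '2313'
// Translate the SubStatus code into the actual cause of the failure.
| extend Cause = case(
    SubStatus =~ "0xc0000064", "Unknown user name",
    SubStatus =~ "0xc000006a", "Bad password for existing user",
    "Other")
// One row per target computer, source address and cause.
| summarize Attempts = count(),
            DistinctAccounts = dcount(Account),
            Accounts = make_set(Account, 10),
            FirstSeen = min(TimeGenerated),
            LastSeen = max(TimeGenerated)
    by Computer, IpAddress, Cause
// Many different non-existent accounts from one source suggests guessing.
| extend LikelyUsernameGuessing =
    (Cause == "Unknown user name" and DistinctAccounts >= MinDistinctAccounts)
| order by Attempts desc
```

With the sample rows, the first source is flagged because it tried four different non-existent accounts, while the second shows a single existing account with a wrong password.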
Read more at source - https://blogs.technet.microsoft.com/yuridiogenes/2018/03/24/exploring-the-identity-access-dashboard-in-azure-security-center/