Last updated on 5. December 2022
This post depends on our previous posts. You should read them first to work with the same environment:
- What is Microsoft Sentinel?
- First steps setting up Microsoft Sentinel
- Azure Active Directory Connector for Microsoft Sentinel
To understand what we configure, we have to declare what near-real time (NRT) rules are:
Typical scheduled rules have a built-in delay of 5 minutes. NRT rules are more responsive, with a delay of only 2 minutes, so you can analyze and respond more quickly to specific threats. By default, a number of predefined NRT analytic rules already exist, for example one for malicious inbox rules:
Limitations for NRT rules are as follows:

| Criteria | Scheduled query rule | NRT |
|---|---|---|
| Built-in delay | 5 minutes | 2 minutes |
| Filtered by | Time generated | Ingestion time |
| Scheduling | 5 minutes maximum, set by the user | Fixed 1 minute |
| Syntax | Full KQL | Partial KQL support (no join, union, cross workspace) |
| Quantity | Up to 512 rules | 20 rules |
| Tables | Query any number of tables | Single table |
Now let us begin – creating a detection for the break glass account:
1. Create a break glass account and assign the Global Administrator role permanently. Make sure this account is excluded from every policy that could block it: it must not be locked out by Conditional Access or other policies.
2. Create a watchlist and add the UserPrincipalName of the break glass account.
3. Create an analytic rule that raises an incident as soon as someone signs in with the break glass account. Navigate to Analytics, click on Create and choose NRT query rule (Preview).
4. Assign a name, tactic and severity to the rule and click on Next: Set rule logic.
5. Use the following query against the SigninLogs table from Azure AD to check whether there was any sign-in with the break glass account:
```kql
let BreakGlassAccount = (_GetWatchlist("BreakGlassList") | project UPN);
SigninLogs
| where UserPrincipalName in (BreakGlassAccount)
```
6. Under Alert enrichment, configure Entity mapping and Alert details so the incident immediately shows which account was used.
7. Create the NRT analytic rule and test it. You can test it with your real break glass account or temporarily add a test account to the watchlist. Below you can check out the results of the analytic rule:

That's it! If you need to monitor more accounts, simply add them to the watchlist; the analytic rule itself does not need to be changed.
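As an added example (not the query from the original post), the following variant keeps the single-table, no-join shape that NRT rules require but also surfaces the columns you need for steps 6 and 7: entity mapping, alert details, and telling a successful sign-in apart from a failed attempt against the account. It assumes the same watchlist name (BreakGlassList) and column (UPN) as above; the output column names SigninOutcome, ConditionalAccess, City and Country are my own choices.

```kql
// Added example, not the original post's query.
// Assumes the watchlist "BreakGlassList" with a "UPN" column holding the break glass UPN(s).
let BreakGlassAccounts = (_GetWatchlist("BreakGlassList") | project UPN);
SigninLogs
// in~ makes the match case-insensitive, so a differently cased UPN still triggers
| where UserPrincipalName in~ (BreakGlassAccounts)
| extend
    // ResultType is a string in SigninLogs; "0" means the sign-in succeeded.
    // Failed attempts matter too: nobody should be guessing a break glass password.
    SigninOutcome = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")")),
    ConditionalAccess = tostring(ConditionalAccessStatus),
    City = tostring(LocationDetails.city),
    Country = tostring(LocationDetails.countryOrRegion)
| project
    TimeGenerated,
    UserPrincipalName,   // Account entity: FullName
    UserId,              // Account entity: AadUserId
    IPAddress,           // IP entity: Address
    Country, City,
    AppDisplayName, ClientAppUsed,
    SigninOutcome, ConditionalAccess, ResultDescription,
    CorrelationId
```

In the Entity mapping step, map UserPrincipalName and UserId to the Account entity and IPAddress to the IP entity; in Alert details, putting SigninOutcome and Country into the alert name or description lets an analyst see at a glance whether the emergency account was actually used or only targeted, without opening the query results.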
If you enjoyed this post, please leave a comment and share this post.