
Microsoft Sentinel Near Real Time detections for breaking glass account

Last updated on 5. December 2022

This post depends on our previous posts. You should read them first to work with the same environment:

  1. What is Microsoft Sentinel?
  2. First steps setting up Microsoft Sentinel
  3. Azure Active Directory Connector for Microsoft Sentinel

To understand what we configure, we first have to define what near-real-time (NRT) rules are:

Typical scheduled rules have a built-in delay of 5 minutes. NRT rules are more responsive, with a delay of 2 minutes, so you are able to analyze and respond more quickly to specific threats. By default there are already predefined NRT analytic rules, for example for malicious inbox rules:

Overview NRT analytic rules in Microsoft Sentinel

The limitations of NRT rules compared to scheduled query rules are as follows:

Criteria         Scheduled query rule                 NRT
Built-in delay   5 minutes                            2 minutes
Filtered by      Time generated                       Ingestion time
Scheduling       5 minutes maximum, set by the user   Fixed 1 minute
Syntax           Full KQL                             Partial KQL support (no join, union, cross workspace)
Quantity         Up to 512 rules                      20 rules
Tables           Query number of tables               Single table

Comparison of scheduled and NRT rules

Now let us begin with creating detections for the break glass account:

1. Create a break glass account and permanently assign it the Global Administrator role. Make sure this account is excluded from every policy that could block it: it must not be locked out by Conditional Access or other policies.

Creating break glass account

2. Create a watchlist and add the UserPrincipalName of the break glass account

Creating watchlist for break glass

3. Create an analytic rule that opens an incident as soon as someone signs in with the break glass account. Navigate to Analytics, click Create and choose NRT query rule (Preview).

Create NRT query rule

4. Assign a name, tactic and severity to the rule and click Next: Set rule logic

Define NRT analytic rule

5. Use the following query against the SigninLogs table from Azure AD to check whether there was any sign-in with the break glass account. The watchlist is read with _GetWatchlist and the lookup is done with the in operator, because NRT rules only support partial KQL (no join) and a single table:

```kql
// Read the UPN column of the watchlist created in step 2
let BreakGlassAccount = (_GetWatchlist("BreakGlassList") | project UPN);
SigninLogs
| where UserPrincipalName in (BreakGlassAccount)
```

Query for NRT analytic rule

6. Set Alert enrichment with Entity mapping and Alert details to get a quick overview of which account was used.

7. Create the NRT analytic rule and test it. You can test it with your break glass account or temporarily add a test account to the watchlist. Below you can check out the results of the analytic rule:

That’s it! We did it! If you need to monitor more accounts, you can simply update the watchlist with accounts and don’t need to update the analytic rule.
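As an added example (not part of the original post), here is an extended version of the step 5 query that stays within the NRT limits (single table, no join or union) while surfacing the fields you would map as entities and show in the alert details. It assumes the watchlist column is named UPN as in step 2; the case-insensitive in~ operator is used so that a UPN entered in a different case on the watchlist still matches.

```kql
// Added example, not from the original post.
// Assumption: watchlist "BreakGlassList" has a column named UPN.
let BreakGlassAccount = _GetWatchlist("BreakGlassList") | project UPN;
SigninLogs
// in~ is case-insensitive; a watchlist entry typed with different casing still matches.
// A join is not used because NRT rules support only partial KQL and a single table.
| where UserPrincipalName in~ (BreakGlassAccount)
// ResultType "0" is a successful sign-in; failures are kept as well, because
// failed attempts against the break glass account are just as relevant.
| extend SignInResult = iff(ResultType == "0", "Success", strcat("Failure (", ResultType, ")"))
| extend Location = strcat(tostring(LocationDetails.countryOrRegion), "/", tostring(LocationDetails.city))
// Columns used for entity mapping (Account: UserPrincipalName, IP: IPAddress)
// and for the alert details (result, app, client, Conditional Access status).
| project TimeGenerated, UserPrincipalName, UserId, SignInResult, IPAddress, Location,
          AppDisplayName, ClientAppUsed, ConditionalAccessStatus, UserAgent
```

Because NRT rules read a single table, non-interactive sign-ins (AADNonInteractiveUserSignInLogs) need a second NRT rule with the same watchlist lookup rather than a union in this one.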

If you enjoyed this post, please leave a comment and share this post.
