Daily Blog #775: An Azure Log Entry to Look Out For When a Threat Actor is In
As threat actors continue to evolve and adapt, security professionals must stay vigilant in their monitoring of cloud-based systems like Azure. One trend that has been observed when a threat actor gains access to an Azure or Microsoft 365 account is their immediate attempt to expand their reach into additional services, clouds, and systems without needing any additional credentials.
The culprit behind this behavior is often the "My Apps" feature within Azure, which allows users to grant access to third-party applications with a single click. To review My Apps activity in Azure logs, follow these steps: first, navigate to Entra ID (formerly Azure Active Directory B2C) and then click on Sign-in logs. Here, you can filter for sign-ins where the application is My Apps and view the user's accesses to it.
This log entry provides a crucial window into the threat actor's activities and allows security teams to begin assessing the total impact of the compromise. By monitoring My Apps access in Azure logs, incident responders can identify potential points of entry and expand their review to include connected applications, clouds, and systems.
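The review described above, done over an exported copy of the sign-in log, as an added example that is not part of the original post. The sample records are constructed, not real log data; the field names (`userPrincipalName`, `appDisplayName`, `ipAddress`, `status.errorCode`, `createdDateTime`) follow the Microsoft Graph `signIn` resource that sign-in log exports use, which is an assumption about the export format. The "was this source IP seen for the user before" column is an added triage heuristic of my own, not something the post describes.

```python
"""Pull successful "My Apps" sign-ins out of an exported Entra ID sign-in log
and build a per-user queue of accesses to pivot from during a compromise review."""
import json
from collections import defaultdict

# Constructed sample export (not real data). Field names follow the Microsoft
# Graph `signIn` resource (assumption about the export format); values are made up.
SAMPLE_SIGNIN_LOG = """\
{"createdDateTime": "2025-01-14T08:02:11Z", "userPrincipalName": "alice@example.com", "appDisplayName": "Office 365 Exchange Online", "ipAddress": "203.0.113.10", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-14T08:05:40Z", "userPrincipalName": "alice@example.com", "appDisplayName": "My Apps", "ipAddress": "198.51.100.7", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-14T09:00:02Z", "userPrincipalName": "bob@example.com", "appDisplayName": "My Apps", "ipAddress": "198.51.100.9", "status": {"errorCode": 50126}}
{"createdDateTime": "2025-01-14T09:01:15Z", "userPrincipalName": "bob@example.com", "appDisplayName": "Microsoft Teams", "ipAddress": "203.0.113.20", "status": {"errorCode": 0}}
{"createdDateTime": "2025-01-14T10:10:33Z", "userPrincipalName": "carol@example.com", "appDisplayName": "My Apps", "ipAddress": "203.0.113.55", "status": {"errorCode": 0}}
not valid json - a truncated line from the export
"""

MY_APPS_APP_NAME = "My Apps"  # the appDisplayName the post tells us to look for


def parse_signin_log(text):
    """Parse newline-delimited JSON sign-in records; skip lines that do not parse."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # one damaged line should not abort the whole review
    return records


def is_my_apps_signin(record):
    return record.get("appDisplayName") == MY_APPS_APP_NAME


def succeeded(record):
    # errorCode 0 means the sign-in completed; any other value is a failure
    return record.get("status", {}).get("errorCode", 0) == 0


def my_apps_signins(records, successful_only=True):
    """All My Apps sign-ins, by default only the ones that actually succeeded."""
    hits = [r for r in records if is_my_apps_signin(r)]
    return [r for r in hits if succeeded(r)] if successful_only else hits


def known_ips_before(records, upn, before_time):
    """IPs this user successfully signed in from (to any app) before a timestamp.
    Timestamps are ISO-8601 UTC strings, so string comparison preserves order."""
    return {
        r["ipAddress"]
        for r in records
        if r.get("userPrincipalName") == upn
        and succeeded(r)
        and r.get("createdDateTime", "") < before_time
    }


def build_review_queue(records):
    """Per user: successful My Apps sign-ins to pivot from, each tagged with
    whether the source IP had already been seen for that user (added heuristic)."""
    queue = defaultdict(list)
    for r in my_apps_signins(records):
        upn = r["userPrincipalName"]
        ts = r["createdDateTime"]
        queue[upn].append({
            "time": ts,
            "ip": r.get("ipAddress"),
            "ip_previously_seen": r.get("ipAddress") in known_ips_before(records, upn, ts),
        })
    return dict(queue)


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    for upn, hits in build_review_queue(recs).items():
        for h in hits:
            flag = "" if h["ip_previously_seen"] else "  <- first time this IP is seen for the user"
            print(f"{h['time']}  {upn}  My Apps from {h['ip']}{flag}")
```

Each entry in the queue is a starting point for the wider review the post calls for: take the user and the time of the My Apps sign-in, then look at which applications were consented to or opened from that session and follow those into the connected services. Failed My Apps sign-ins are excluded from the queue by default but are still available via `my_apps_signins(recs, successful_only=False)` if you want to see attempts as well.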
While reviewing these connections may seem like a daunting task, staying on top of My Apps activity in Azure logs is essential for effective threat detection and incident response. By doing so, security teams can mitigate the spread of malicious activities and minimize potential damage to an organization's data and infrastructure.