JTCyberTech / Cybersecurity-Home-Labs


Part 6: Create User Account in Azure for SIEM Investigation #49

Open JTCyberTech opened 8 months ago

JTCyberTech commented 8 months ago

Create User Account in Azure for SIEM Investigation

The final step is to create a new account, sign in to it from an anonymous IP address, and perform atypical activities designed to trigger log entries. First, I had to turn off security defaults in Azure AD to avoid any potential interruption.

Microsoft Security Defaults are automatically activated in new Azure Active Directory instances, delivering an essential foundational layer of protection for all users and accounts within the organization.

Microsoft Security Defaults includes multi-factor authentication (MFA) for all administrators and blocks legacy authentication methods like IMAP or SMTP. This proactive measure significantly mitigates the risk of attacks such as password spraying and brute force. Additionally, it mandates password complexity measures to keep attackers from making educated guesses or successfully exploiting vulnerable passwords.

Turning off Security Defaults in Azure AD



- Change Security defaults: "Disabled".
- Reason: Select "Other", testing.
- Click on "Save".
- Then "Disable".



Creating New User for Testing

- Scroll up and navigate to "User" under Manage to create a new user.



- Click on "New User"



- Select "Create user".
- Identity:
  - User name: Chris
  - Name: Chris Green
  - First name: Chris
  - Last name: Green



- Password: Select "Let me create the password".
  - Initial password: write your own.
- Job info:
  - Job title: "Spy".
  - Department: "NRG".
- Click on "Create".



- After the user is created, click on his name.



- Click on "Assign roles".



- Click on "Add assignments".



- Search for "security reader" and check the box. Then "Add".



- On Azure Portal navigate to the search bar, search "resource groups" and click on it.



- Click on "SEC-Monitoring".
- Click on "Access control (IAM)".



- Click on "Add". Then, "Add role assignment".



- Click on "Privileged administrator roles".



- Select "Contributor". Then click "Next".



- Click on "Select members". Then, click on "Chris" and click on "Select".



- Click on "Review + create". Then "Create".
- Successfully made Chris a contributor.



Log in as Chris

- Open up another browser and use the credentials for Chris to log in to Azure Portal.
- The first sign-in will require a password change. I will change it to a common password "7ujMko0admin".
- Successfully logged in as Chris.
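
To confirm that the role-assignment steps above left Chris with Contributor on "SEC-Monitoring" and nothing broader, the following added example (not part of the original lab write-up) audits Azure RBAC assignments exported as JSON. The UPN, subscription ID and sample records are constructed placeholders, and the input shape assumes the output of `az role assignment list --all --assignee <upn> -o json`.

```python
import json

LAB_RG = "SEC-Monitoring"      # resource group used in the walkthrough
EXPECTED_ROLE = "Contributor"  # Azure role the walkthrough assigns to Chris
SUB = "/subscriptions/00000000-0000-0000-0000-000000000000"  # placeholder
UPN = "chris@example.onmicrosoft.com"                        # constructed

# Constructed sample records. The directory role "Security Reader" is not an
# Azure RBAC assignment, so it would not appear in this kind of export.
SAMPLE = json.dumps([
    {"principalName": UPN, "roleDefinitionName": r, "scope": SUB + s}
    for r, s in [("Contributor", "/resourceGroups/SEC-Monitoring"),
                 ("Contributor", ""),
                 ("Owner", "/resourceGroups/sec-monitoring")]
])


def resource_group_of(scope):
    """Return the resource group in an ARM scope, or None if the scope is above it."""
    parts = [p for p in scope.split("/") if p]
    lowered = [p.lower() for p in parts]
    if "resourcegroups" in lowered:
        idx = lowered.index("resourcegroups")
        if idx + 1 < len(parts):
            return parts[idx + 1]
    return None


def audit(assignments_json, principal, lab_rg=LAB_RG, role=EXPECTED_ROLE):
    """Return (role, scope, reason) tuples for assignments beyond the lab setup."""
    findings = []
    for a in json.loads(assignments_json):
        if a.get("principalName", "").lower() != principal.lower():
            continue
        rg = resource_group_of(a["scope"])
        if rg is None:
            reason = "scope is above resource-group level"
        elif rg.lower() != lab_rg.lower():  # resource group names are case-insensitive
            reason = "scope is a different resource group"
        elif a["roleDefinitionName"] != role:
            reason = "unexpected role on lab resource group"
        else:
            continue
        findings.append((a["roleDefinitionName"], a["scope"], reason))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE, UPN):
        print(finding)
```

An empty result means the test account is confined to the lab resource group with the expected role.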