Configure Simple Response for Microsoft Azure Active Directory: Disable User

Configure a Microsoft Azure Active Directory: Disable User simple response to automatically disable the Azure Active Directory (AD) account of a user who is the victim of an incident. You can also configure this response to force users to re-authenticate, change their password, or set up new multi-factor authentication (MFA) methods. The response also works for Office 365 users.

Typical use cases for this response include:

  • Stopping the use of leaked credentials
  • Minimizing damage from a compromised user
  • Implementing an incident response plan involving "disable and then investigate." For example, after Alert Logic detects use of known malware such as ransomware, you can disable the user automatically, investigate, and then re-enable the user after remediation.

Complete the following steps to successfully configure this simple response:

  1. (Optional) Create an exclusion list
  2. Choose the response
  3. Connect to Microsoft Azure AD
  4. (Optional) Apply exclusions
  5. Choose when to respond

(Optional) Create an exclusion list

If you want your automation to exclude specific users, the users must be defined in one or more exclusion lists. For example, you can create a list of users in your security team to prevent them from being locked out. During the simple response creation process, a step is available to apply exclusion lists to your automation. If a list you want to apply does not exist already, use the instructions in Exclusions to create it now.

Choose the response

In the Alert Logic console, click the navigation menu icon, click Respond, click Automated Response, and then click Simple Responses. Click the add icon, and then, under Microsoft Azure Active Directory: Disable User, click START.

Connect to Microsoft Azure AD

This response requires a Microsoft Azure connection that grants Alert Logic access to manage users in Azure AD. In the Connect step, name your response and connect to Azure as follows.

To connect to Azure AD:

  1. In Response Name, enter a descriptive name for your simple response (example: "Disable Office 365 Attack Victim").
  2. If you already have a connection to Microsoft Azure, leave Use an existing connection selected, and then select the connection in Connection. You can use the search bar to help you find the connection.
  3. If you do not have a Microsoft Azure connection, click Create a connection, and then complete the instructions in Create a Microsoft Azure connection to set it up.
  4. Select the actions to perform as part of the response. Four actions can be configured to run on the potentially compromised user, alone or in combination, to customize your response.
    • Disable User: This action is enabled by default and is the standard complete disablement of the user.
    • Reset Session: This action will revoke the user's current session, forcing them to re-authenticate.
    • Reset Password: This action will require the user to change their password the next time they log in.
    • Disable MFA: This action will remove all multi-factor authentication (MFA) methods set up by the potentially compromised user.
  5. In Expiration in Seconds, enter the number of seconds after which you want Alert Logic to re-enable the user, or keep the default value of 0 if you do not want the response to expire.
  6. Click TEST to perform a dry run that checks the configuration without performing the response. After a few moments, results appear in a message.
    • If the result is Succeeded, continue to the next step in this procedure.
    • If the result is Failed, use the listed errors to assist with troubleshooting. If necessary, you can click Edit connection above Microsoft Azure Connection, and then use the information in Create a Microsoft Azure connection to check and fix the connection. For further assistance with troubleshooting, see Troubleshooting tips.
  7. If you want the simple response to be active, leave Response is active turned on. Turn it off if you want to save the configuration but not activate the response yet.
  8. Click NEXT to continue to the (Optional) Apply exclusions step.

Create a Microsoft Azure connection

A Microsoft Azure connection securely stores reusable authentication credential information for integrations with Microsoft Azure. To create the connection, Alert Logic requires the following information from the Azure AD console:

  • Directory (Tenant) ID—Identifies your account in Azure
  • Application (Client) ID—Identifies the specific app registration that you create in Azure for Alert Logic
  • Client Secret Value—Allows Alert Logic to access the app registration

Alert Logic provides the following steps to help you get the information. For further questions about the steps performed in the Azure console, or if your interface looks different, contact Microsoft Azure support.

  1. Create an app registration in Azure
  2. Grant permission to manage users in Azure
  3. Create a client secret in Azure
  4. Create the connection in the Alert Logic console

Create an app registration in Azure

Create an app registration in Azure AD to hold the permissions and credentials granted to Alert Logic.

To create an app registration:

  1. Log into the Azure AD console.
  2. On the left panel of the Azure AD console, under Manage, click App registrations.
  3. Click + New registration.
  4. Enter a name for your connection to Alert Logic automated response. Leave the other items as is.
  5. Click Register.
  6. Copy the Application (client) ID to a text editor for later.
  7. Copy the Directory (tenant) ID to a text editor for later.

Grant permission to manage users in Azure

The next step in the Azure Active Directory console is to grant Alert Logic permissions to manage users in Azure.

To grant permission to manage Azure users:

  1. On the left panel of the app registration for your new app, under Manage, click API permissions.
  2. Click + Add a permission.
  3. Select Microsoft Graph.
  4. On the Request API permissions page, in response to the question about the type of permissions your application requires, click Application permissions.
  5. In the list of permissions, scroll down and click UserAuthenticationMethod to see permissions in this category, and then select UserAuthenticationMethod.ReadWrite.All.
  6. Then scroll down and click the User category, and then select User.ReadWrite.All.
  7. Click Add permissions.
  8. From the page listing active permissions, click Grant admin consent to next to Add a permission.
  9. Click Yes to confirm.

    The status of the User.ReadWrite.All and UserAuthenticationMethod.ReadWrite.All permissions becomes "Granted", and a green check mark icon appears next to each granted permission.

If you want to configure the Reset Password action as part of this response, the application's service principal must also be assigned the User Administrator role. Otherwise, you can skip this step.

To assign a role to the application service principal:

  1. On the left panel of the Azure AD console, under Manage, click Roles and administrators.
  2. Scroll down the list of roles until User Administrator appears, and then click it.
  3. Click + Add Assignments.
  4. In the assignment search box, enter the name you assigned to your app registration earlier in step 4 of Create an app registration in Azure. Your application should appear in the list.
  5. Select the check box next to your app registration's name and then click Add.

Your connection should now appear in the list of assignments for the User Administrator role.
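The TEST button in the Connect step performs this kind of check for you; the script below is an added example (not Alert Logic's or Microsoft's code) of verifying the same thing yourself. It obtains a Graph token for the app registration with the client-credentials flow, reads the token's roles claim, and reports which of the permissions granted above are missing for each action you plan to select. The tenant ID, client ID and secret are the values noted in the earlier steps; make_sample_token builds a constructed, unsigned token so the parsing can be exercised offline.

```python
import base64
import json
import urllib.parse
import urllib.request

# Graph application permissions behind each action, as listed on this page. Reset
# Password also needs the User Administrator directory role, which is a role
# assignment rather than a token claim, so it cannot be checked from the token.
REQUIRED_ROLES = {
    "Disable User": {"User.ReadWrite.All"},
    "Reset Session": {"User.ReadWrite.All"},
    "Reset Password": {"User.ReadWrite.All"},
    "Disable MFA": {"UserAuthenticationMethod.ReadWrite.All"},
}

def request_token(tenant_id, client_id, client_secret):
    """Client-credentials flow at the tenant's v2.0 token endpoint."""
    url = f"https://login.microsoftonline.com/{tenant_id}/oauth2/v2.0/token"
    form = urllib.parse.urlencode({
        "client_id": client_id, "client_secret": client_secret,
        "scope": "https://graph.microsoft.com/.default",
        "grant_type": "client_credentials",
    }).encode()
    with urllib.request.urlopen(urllib.request.Request(url, data=form)) as resp:
        return json.load(resp)["access_token"]

def token_roles(access_token):
    """Read the 'roles' claim from the JWT payload. No signature check: we only
    inspect a token we obtained ourselves and never authorize anything on it."""
    payload = access_token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64url padding
    claims = json.loads(base64.urlsafe_b64decode(payload))
    # An app token with no 'roles' claim usually means admin consent was not granted.
    return set(claims.get("roles", []))

def missing_permissions(access_token, actions):
    """Map each selected action to the application permissions the token lacks."""
    granted = token_roles(access_token)
    return {a: REQUIRED_ROLES[a] - granted
            for a in actions if not REQUIRED_ROLES[a] <= granted}

def make_sample_token(roles):
    """Constructed, unsigned JWT-shaped string for offline tests of the parser."""
    def enc(obj):
        return base64.urlsafe_b64encode(json.dumps(obj).encode()).rstrip(b"=").decode()
    return ".".join([enc({"alg": "none"}), enc({"roles": list(roles)}), ""])
```

For a live check, pass the result of request_token(...) to missing_permissions with the actions you selected; an empty dict means every required application permission is present in the token.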

Create a client secret in Azure

The last step in the Azure AD console is to create a client secret.

To create a client secret:

  1. On the left panel of the app registration for your new app, under Manage, click Certificates & secrets.
  2. Select Client secrets if it is not active.
  3. Click + New client secret.
  4. Enter a description (example: Alert Logic Automated Response).
  5. Select an expiration, and note the expiration date for future renewal.
  6. Click Add.
  7. Copy the Value to a text editor for later.

Create the connection in the Alert Logic console

Next, go back to the Create a Simple Response page to enter information in the Connect step that grants Alert Logic access to manage users in Azure AD.

To create the Microsoft Azure connection in the Alert Logic console:

  1. In Connection Name, type a descriptive name for the connection, for example, "Microsoft Azure Connection".
  2. In Directory (Tenant) ID, paste the Directory (tenant) ID that you noted in Create an app registration in Azure.
  3. In Application (Client) ID, paste the Application (client) ID that you noted in Create an app registration in Azure.
  4. In Client Secret Value, paste the Value for the client secret that you noted in Create a client secret in Azure.
  5. Click SAVE.

(Optional) Apply exclusions

If you want to exclude users from the response, in Exclusion List(s), select one or more lists that define the exclusions. You can create exclusion lists from the Exclusions page if necessary, and then come back. For more information, see Exclusions.

After you choose one or more lists, or if you want to skip this step, click NEXT.

Choose when to respond

In the last step, choose whether to request approval before Alert Logic runs the response each time. Alert Logic sends the request by email and the Alert Logic Mobile App. You can request approval from multiple users, such as members of your security team. The first user to answer determines whether the response is approved or rejected. Subsequent users who respond receive a message stating that the inquiry was responded to already.

In this step you also choose the incident analytics that you want to trigger the response. You can respond to incidents generated from all analytics that Alert Logic recommends as triggers, or you can choose specific analytics.

To choose when to respond:

  1. If you do not want to require approval, click Do not require approval.
  2. If you want to require approval, click Send approval request, and then select one or more approval recipients in User(s). You can use the search bar to help you find names and email addresses.
    To improve traceability of approvals, Alert Logic recommends that you choose individuals rather than a distribution list.
  3. If you want to disable users detected in incidents generated from all analytics that Alert Logic recommends as triggers for this response, leave Respond to all recommended analytics selected. An example of a recommended analytic for this response is "Office 365 Security & Compliance Alert: Ransomware Activity for {victim_username}."
  4. If you prefer to choose from a list of all analytics available for this response type, click Choose analytics, and then select one or more analytics to use as triggers for the response.
    To learn more about a specific analytic, you can find it in the Threat Intelligence Center. For more information, see Threat Intelligence Center.

Troubleshooting tips

Here are common errors that can occur when you test the configuration and suggested troubleshooting steps.

401 Client Error: Unauthorized

  • Verify that the app registration still exists by reviewing the app registrations in the Azure AD console and looking for the Application (client) ID that is used in the connection. If the application was removed, repeat the process Create an app registration in Azure to generate a new app registration and Application (client) ID.
  • Verify that the credentials created earlier exist and have not expired by reviewing the active credentials in the Certificates & Secrets pane of your app registration. If the credential has expired or been removed, repeat the process Create a client secret in Azure.
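Both checks above can be automated against Microsoft Graph. The following Python script is an added example (not Alert Logic's or Microsoft's code): it looks up the app registration by its Application (client) ID, which returns nothing if the registration was removed, and classifies each client secret on it as expired, expiring within a warning window, or ok. It assumes an administrator's Graph token with Application.Read.All, because the connection's own permissions do not include that; SAMPLE_CREDENTIALS is a constructed stand-in for the passwordCredentials list that Graph returns.

```python
import json
import re
import urllib.parse
import urllib.request
from datetime import datetime, timedelta, timezone

GRAPH = "https://graph.microsoft.com/v1.0"

def parse_graph_time(value):
    """Graph returns UTC ISO 8601 timestamps, sometimes with 7 fractional digits."""
    trimmed = re.sub(r"\.\d+", "", value)
    return datetime.strptime(trimmed, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def classify_secrets(password_credentials, now=None, warn_days=30):
    """Label each client secret 'expired', 'expiring' (within warn_days) or 'ok'.
    'now' may be a datetime or a Graph-style timestamp string (default: current time)."""
    now = parse_graph_time(now) if isinstance(now, str) else (now or datetime.now(timezone.utc))
    labels = {}
    for cred in password_credentials:  # Graph never returns the secret value, only metadata
        remaining = parse_graph_time(cred["endDateTime"]) - now
        if remaining <= timedelta(0):
            labels[cred["keyId"]] = "expired"
        elif remaining <= timedelta(days=warn_days):
            labels[cred["keyId"]] = "expiring"
        else:
            labels[cred["keyId"]] = "ok"
    return labels

def has_usable_secret(password_credentials, now=None):
    """True if at least one secret on the registration has not expired."""
    return any(label != "expired" for label in classify_secrets(password_credentials, now).values())

def find_app_registration(admin_token, client_id):
    """Return the registration whose appId matches, or None if it no longer exists."""
    query = ("$filter=" + urllib.parse.quote(f"appId eq '{client_id}'")
             + "&$select=id,displayName,passwordCredentials")
    req = urllib.request.Request(f"{GRAPH}/applications?{query}",
                                 headers={"Authorization": f"Bearer {admin_token}"})
    with urllib.request.urlopen(req) as resp:
        apps = json.load(resp)["value"]
    return apps[0] if apps else None

# Constructed sample of a passwordCredentials list (key IDs and dates are made up).
SAMPLE_CREDENTIALS = [
    {"keyId": "key-old", "displayName": "Alert Logic Automated Response",
     "endDateTime": "2024-01-31T00:00:00Z"},
    {"keyId": "key-new", "displayName": "Alert Logic Automated Response (renewed)",
     "endDateTime": "2024-06-15T12:00:00.1234567Z"},
]
```

In practice, call find_app_registration with the connection's Application (client) ID and, if it returns a registration, pass its passwordCredentials to classify_secrets; a None result matches the first bullet above, and no usable secret matches the second.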

Technical reference

Simple Response Name

Microsoft Azure Active Directory: Disable User

Permissions

User.ReadWrite.All permission in Azure AD

UserAuthenticationMethod.ReadWrite.All permission in Azure AD

Roles

User Administrator Role in Azure AD