Posted by: kurtsh | December 22, 2020

RELEASE: Assess your Solorigate risk with Azure Monitor workbook

Alex Weinert & the Microsoft Identity team worked hard to build you an Azure Active Directory monitor workbook to help you hunt for Solorigate Identity activity in your environment – Check it out!

In the interest of helping customers concerned about the Solorigate attacks we are publishing a new workbook in the Azure AD admin portal to assist investigations into the Identity Indicators of Compromise related to the attacks. The information in this workbook is available in Azure AD audit and sign-in logs, but the workbook helps you collect and visualize the information in one view.

The workbook is split into 5 sections, each aimed at providing information associated with the attack patterns we have identified:

  1. Modified application and service principal credentials/authentication methods
  2. Modified federation settings
  3. Azure AD STS Refresh token modifications by service principals and applications other than DirectorySync
  4. New permissions granted to service principals
  5. Directory role and group membership updates for service principals

Read more & access the Workbook here:

