Alex Weinert & the Microsoft Identity team worked hard to build you an Azure Active Directory monitor workbook to help you hunt for Solorigate Identity activity in your environment – Check it out!
In the interest of helping customers concerned about the Solorigate attacks we are publishing a new workbook in the Azure AD admin portal to assist investigations into the Identity Indicators of Compromise related to the attacks. The information in this workbook is available in Azure AD audit and sign in logs, but the workbook helps you collect and visualize the information in one view.
The workbook is split into 5 sections, each aimed at providing information associated with the attack patterns we have identified:
- Modified application and service principal credentials/authentication methods
- Modified federation settings
- Azure AD STS Refresh token modifications by service principals and applications other than DirectorySync
- New permissions granted to service principals
- Directory role and group membership updates for service principals
…
Read more & access the Workbook here:
-
BLOG: Azure AD workbook to help you assess Solorigate risk
https://aka.ms/SolorigateAzureADWorkbook
kurtsh
Kurt Shintaku's Blog 