|
Default Parameters for AzrNonIntrctTest
This test monitors Azure non-interactive sign-in logs for failed sign-ins and reports their count and details. With the help of these details, administrators can effectively troubleshoot the failures. The test also promptly captures and reports ‘risky sign-ins’, so that dubious sign-in attempts can be investigated and prevented. Additionally, the test reveals whether any sign-ins were made using unsecure legacy authentication protocols. Since such authentication protocols are a security threat, administrators may want to disable them. The test also helps administrators closely scrutinize the sign-ins to isolate abnormal patterns, such as the following:
Are there an unusually high number of sign-ins coming from specific IP addresses/locations/users/client applications? Are any applications/resources making a suspicious number of sign-in attempts? Are sign-in attempts from specific users/IP addresses/locations failing often? Are specific applications/service principals/resources seeing more sign-in failures than others?
This way, the test sheds light on sign-in attempts that are 'suspect', so their authenticity can be verified, and any potential security risks pre-empted.
This page depicts the default parameters that need to be configured for the AzrNonIntrctTest.
The eG agent communicates with the target Microsoft Azure Subscrption using Java API calls. To collect the required metrics, the eG agent requires an Access token in the form of an Application ID and the client secret value.Specify the Application ID of the created Application in the CLIENT ID TEXTBOX To know how to determine the Application ID Click here. Specify the client secret value in the CLIENT PASSWORD text box. To obtain the client secret value Click here.
In some environments, all communication with the Azure cloud be routed through a proxy server. In such environments, you should make sure that the eG agent connects to the cloud via the proxy server and collects metrics. To enable metrics collection via a proxy, specify the IP address of the proxy server and the port at which the server listens against the PROXY HOST and PROXY PORT parameters. By default, these parameters are set to none , indicating that the eG agent is not configured to communicate via a proxy, by default.
If the proxy server requires authentication, then, specify a valid proxy user name and password in the PROXY USERNAME and PROXY PASSWORD parameters, respectively. Then, confirm the password by retyping it in the Confirm Password text box.
Typically, Non Interactive Sign-in Workspace Name are sent to a Log Analytics Workspace. By default, the Non Interactive Sign-in Workspace Name parameter is set to All. This indicates that the test reads sign-in data from all Log Analytics Workspaces configured for the target tenant, by default. However, if you want the test to use only specific Log Analytics Workspaces for metrics collection, then provide the names of these workspaces here as a comma-separated list. To determine the names of the workspaces, Click here. To create a new diagnostic setting, where a Log Analytics Workspace is configured as the destination for the Sign-in logs, Click here
By default, SUCCESSFUL SIGNIN DD flag is set to No. This means that, by default, this test will not report detailed diagnostics for the ‘Success’ metrics (eg., Successful sign-ins, Success IP addresses etc.). This is because, in a typical Azure cloud organization, there may be numerous successful sign-in attempts. A well-tuned, well-sized eG database is required for storing these detailed metrics. Without it,over a period of time, the detailed statistics of ‘Successful’ sign-in attempts may end up choking the eG database. To avoid it, this parameter is set to No by default. Set this flag to Yes only if your eG database has sufficient space to store detailed diagnostics for the 'Success' metrics.
By default, NO OF ATTEMPTS flag is set to 5. This means that, by default, the test will count a sign-in attempt from a specific user / IP address / location / protocol or for a specific application / service principal / resource as a success/failure, only if 5 or more consecutive sign-in attempts from/for that entity succeed/fail (as the case may be). For instance, if 5 or more sign-in attempts from a specific IP address fail, then the test will count that as one failure - i.e., the Failure IP addresses measure will report the value 1. Similarly, if 5 or more sign-in attempts from a specific IP address succeed, then the test will count that as a single sign-in success - i.e., the Success IP addresses measure will report the value 1. Needless to say, by default, the values of these measures will also be incremented only with every 5 or more consecutive sign-in successes/failures. This is done so that administrators are alerted only to those sign-in attempts that are ‘suspect’ - for example, repeated sign-in failures from the same IP address. You can change the value of this measure based on what is normal sign-in activity and what is not in your environment.
This parameter applies to the following measures reported by the test:
Successful IP addresses Successful locations Successful applications Successful service principals Success resources Successful users Successful authentication protocols Failure IP addresses Failure locations Failure applications Failure service principals Failure resources Failure users Failure authentication protocols
When changing default configurations of tests, the values with “$” indicate variables that will be replaced by the eG system according to the specific server being managed - for instance, $hostName is the host/nickname of the target host, $port is the port number of the server being monitored. E.g., for a server xyz:80, $hostName will be changed automatically by the eG manager to “xyz*” and $port will be changed to “80” when configuring a test.
|