Entra ID Incident Response: Advanced PowerShell Techniques

Microsoft Entra ID’s CFIR (Cloud Forensic and Incident Response) provides a solid blueprint for detecting, investigating, and responding to identity threats. However, mastering it requires the right tools and approach. That’s where PowerShell steps in.

In this post, we’ll explore how PowerShell empowers security teams to harness the full potential of Entra ID CFIR. From automating incident response workflows to identifying subtle signs of compromise, PowerShell scripts can transform complex logs and alerts into actionable intelligence.

Whether you’re a seasoned security pro or just starting your identity defense journey, this hands-on guide will help you bridge the gap between theory and practice, making your Entra ID CFIR implementation smarter, faster, and more effective.

Entra ID Incident Response Matrix

This matrix is designed to provide a structured and practical framework for incident responders working specifically with Microsoft Entra ID. It aligns common identity-related attack scenarios with relevant MITRE ATT&CK techniques, helping security teams understand attacker behaviors, identify log sources, and execute targeted investigations.

The matrix serves multiple purposes:

  • Mapping attacks to industry standards: Using MITRE ATT&CK ensures consistent terminology and a shared understanding across teams and tools.

  • Clarifying investigation focus: For each incident scenario, it highlights the key Entra ID log types and data sources essential for uncovering evidence.

  • Guiding detection and investigation: It suggests what signs, anomalies, or patterns to look for within those logs.

  • Supporting automation: By listing PowerShell modules relevant to each scenario, it directs responders toward effective command sets for collecting and analyzing data programmatically.

PowerShell IR

When it comes to Entra ID investigation, the PowerShell tooling of choice is the Microsoft Entra PowerShell module (Microsoft.Entra). This module is specifically designed for interacting with Entra ID’s identity and access management data, providing the most comprehensive and up-to-date cmdlets for incident response tasks.

Key reasons why the Microsoft Entra PowerShell module is preferred:

  • It provides direct access to critical logs, including sign-in logs, audit logs, and role assignments, all of which are essential for forensic investigations.

  • It’s built on the Microsoft Graph API, ensuring full compatibility with the latest Entra ID features and security data.

  • The module supports granular querying and filtering, enabling targeted investigation of suspicious activities such as risky sign-ins, OAuth consent grants, token theft, and privilege escalations.

  • It integrates well with automation and scripting workflows for incident response and threat hunting.

  • The module replaces deprecated ones, such as AzureAD and MSOnline, aligning with Microsoft’s current and future roadmap.

Additionally, for broader Microsoft 365 audit data, especially unified audit logs across services, the Exchange Online PowerShell module’s Search-UnifiedAuditLog cmdlet remains valuable and complements Entra ID-specific queries.

For modern and flexible Graph API access, the Microsoft Graph PowerShell SDK (Microsoft.Graph module) can also be used alongside or within Entra workflows, especially for advanced scenarios.

The Detect-MultipleFailedSignins.ps1 script detects multiple failed sign-in attempts, followed by a successful sign-in, using Microsoft Graph sign-in logs.

This script analyzes Microsoft Entra ID (Azure AD) sign-in logs via Microsoft Graph to identify users who have three or more consecutive failed sign-in attempts immediately followed by a successful sign-in. Such patterns may indicate account compromise or brute-force attempts.
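As an added example (not the post’s Detect-MultipleFailedSignins.ps1), the core of that detection: the function name is mine, the live query assumes the Microsoft.Graph.Reports cmdlet Get-MgAuditLogSignIn, and the sample records are constructed so the logic can be exercised offline.

```powershell
# Find runs of at least $Threshold consecutive failed sign-ins followed by a success,
# per user. Any success resets the streak, so only failures immediately before it count.
function Find-FailedThenSuccess {
    param(
        [Parameter(Mandatory)] [object[]] $SignIns,   # needs UserPrincipalName, CreatedDateTime, Status.ErrorCode, IpAddress
        [int] $Threshold = 3
    )
    foreach ($group in ($SignIns | Group-Object UserPrincipalName)) {
        $run = @()   # current streak of failures, oldest first
        foreach ($s in ($group.Group | Sort-Object CreatedDateTime)) {
            if ($s.Status.ErrorCode -ne 0) { $run += $s; continue }   # errorCode 0 = success in Graph sign-in logs
            if ($run.Count -ge $Threshold) {
                [pscustomobject]@{
                    User         = $group.Name
                    FailedCount  = $run.Count
                    FirstFailure = $run[0].CreatedDateTime
                    SuccessAt    = $s.CreatedDateTime
                    SuccessIp    = $s.IpAddress
                    FailureIps   = (@($run.IpAddress) | Sort-Object -Unique) -join ','
                    SameIp       = (@($run.IpAddress) -contains $s.IpAddress)   # success from an IP that also failed
                }
            }
            $run = @()
        }
    }
}

# Live usage against a tenant (AuditLog.Read.All and Directory.Read.All), last 24 hours:
# Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
# $since   = (Get-Date).ToUniversalTime().AddHours(-24).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since" -All
# Find-FailedThenSuccess -SignIns $signIns | Format-Table -AutoSize

# Constructed sample: alice fails three times from one IP, then succeeds from another; bob fails once.
$t0 = [datetime]'2024-01-01T08:00:00'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0;               Status = @{ ErrorCode = 50126 }; IpAddress = '203.0.113.5' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0.AddMinutes(1); Status = @{ ErrorCode = 50126 }; IpAddress = '203.0.113.5' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0.AddMinutes(2); Status = @{ ErrorCode = 50126 }; IpAddress = '203.0.113.5' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0.AddMinutes(3); Status = @{ ErrorCode = 0 };     IpAddress = '198.51.100.7' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   CreatedDateTime = $t0.AddMinutes(1); Status = @{ ErrorCode = 50126 }; IpAddress = '203.0.113.9' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   CreatedDateTime = $t0.AddMinutes(2); Status = @{ ErrorCode = 0 };     IpAddress = '203.0.113.9' }
)
Find-FailedThenSuccess -SignIns $sample | Format-Table -AutoSize   # reports alice (3 failures), not bob (1)
```

A row where SameIp is false (failures from one address, success from another) is worth a closer look than a user who simply mistyped a password, since a password spray and a legitimate login can interleave on the same account.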


The Detect-NewCountrySignins.ps1 script analyzes sign-in logs from the last 30 days and reports users who have signed in from new countries.

This script examines Microsoft Entra ID sign-in logs to identify users signing in from countries they have not previously accessed. It analyzes successful sign-in attempts over the last 30 days and alerts when a user’s latest sign-in originates from a country not previously seen in their sign-in history.
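An added example of that baseline comparison (not the post’s Detect-NewCountrySignins.ps1): the function and helper names are mine, the live query assumes Get-MgAuditLogSignIn from the Microsoft.Graph SDK, and the sample records are constructed.

```powershell
# Compare each user's most recent successful sign-in country with every country seen in
# that user's earlier successful sign-ins inside the window; report only unseen countries.
function Find-NewCountrySignIns {
    param([Parameter(Mandatory)] [object[]] $SignIns)   # needs UserPrincipalName, CreatedDateTime, Status.ErrorCode, Location.CountryOrRegion, IpAddress, AppDisplayName
    $successes = $SignIns | Where-Object { $_.Status.ErrorCode -eq 0 -and $_.Location.CountryOrRegion }
    foreach ($group in ($successes | Group-Object UserPrincipalName)) {
        $ordered = @($group.Group | Sort-Object CreatedDateTime)
        if ($ordered.Count -lt 2) { continue }   # a single sign-in has no history to compare against
        $latest   = $ordered[-1]
        $baseline = @($ordered[0..($ordered.Count - 2)] | ForEach-Object { $_.Location.CountryOrRegion } | Sort-Object -Unique)
        if ($baseline -notcontains $latest.Location.CountryOrRegion) {
            [pscustomobject]@{
                User           = $group.Name
                NewCountry     = $latest.Location.CountryOrRegion
                KnownCountries = $baseline -join ','
                When           = $latest.CreatedDateTime
                IpAddress      = $latest.IpAddress
                App            = $latest.AppDisplayName
            }
        }
    }
}

# Live usage (AuditLog.Read.All, Directory.Read.All): successful sign-ins from the last 30 days.
# Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
# $since   = (Get-Date).ToUniversalTime().AddDays(-30).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode eq 0" -All
# Find-NewCountrySignIns -SignIns $signIns | Format-Table -AutoSize

# Constructed sample: alice's history is all NL and her latest sign-in is from BR; bob stays in NL.
$t0 = [datetime]'2024-01-01T08:00:00'
function New-SignIn($User, $Minutes, $Country, $Ip) {
    [pscustomobject]@{ UserPrincipalName = $User; CreatedDateTime = $t0.AddMinutes($Minutes)
                       Status = @{ ErrorCode = 0 }; Location = @{ CountryOrRegion = $Country }
                       IpAddress = $Ip; AppDisplayName = 'Office 365 Exchange Online' }
}
$sample = @(
    (New-SignIn 'alice@contoso.example' 0  'NL' '198.51.100.7')
    (New-SignIn 'alice@contoso.example' 60 'NL' '198.51.100.7')
    (New-SignIn 'alice@contoso.example' 90 'BR' '203.0.113.44')
    (New-SignIn 'bob@contoso.example'   10 'NL' '198.51.100.8')
    (New-SignIn 'bob@contoso.example'   20 'NL' '198.51.100.8')
)
Find-NewCountrySignIns -SignIns $sample | Format-Table -AutoSize   # reports alice (BR not in {NL}); bob is silent
```

Users whose entire history falls inside the window have a thin baseline, so a first sign-in from a corporate VPN egress or a travelling employee will also surface here; the App and IpAddress columns are what you use to separate those from a token or credential being used from somewhere new.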


The Get-SuspiciousOAuthConsents.ps1 script analyzes OAuth application consents in Microsoft Entra ID.

This script analyzes OAuth application consent grants in Microsoft Entra ID to identify potentially suspicious or unauthorized application consents. It helps security teams detect possible OAuth-based attacks where users might have granted access to malicious applications.
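An added triage example for delegated consent grants (not the post’s Get-SuspiciousOAuthConsents.ps1): the function name and the high-impact scope list are my choices, the live query assumes the Microsoft.Graph SDK cmdlets Get-MgOauth2PermissionGrant and Get-MgServicePrincipal, and the grants and service principals below are constructed.

```powershell
# Triage delegated OAuth2 permission grants: report grants that carry high-impact scopes
# or were consented tenant-wide, and show whether the app's publisher is verified.
$HighImpactScopes = @('Mail.Read', 'Mail.ReadWrite', 'Mail.Send', 'MailboxSettings.ReadWrite',
                      'Files.Read.All', 'Files.ReadWrite.All', 'Directory.ReadWrite.All',
                      'Directory.AccessAsUser.All', 'User.ReadWrite.All', 'offline_access')
function Find-SuspiciousConsents {
    param(
        [Parameter(Mandatory)] [object[]]  $Grants,             # oauth2PermissionGrant objects: ClientId, ConsentType, PrincipalId, Scope
        [Parameter(Mandatory)] [hashtable] $ServicePrincipals   # ClientId -> service principal (DisplayName, AppId, VerifiedPublisher)
    )
    foreach ($g in $Grants) {
        $sp      = $ServicePrincipals[$g.ClientId]
        $scopes  = @($g.Scope -split ' ' | Where-Object { $_ })
        $hits    = @($scopes | Where-Object { $HighImpactScopes -contains $_ })
        $reasons = @()
        if ($hits.Count -gt 0)                  { $reasons += "high-impact scopes: $($hits -join ',')" }
        if ($g.ConsentType -eq 'AllPrincipals') { $reasons += 'tenant-wide (admin) consent' }
        if ($reasons.Count -eq 0) { continue }
        [pscustomobject]@{
            App         = $sp.DisplayName
            AppId       = $sp.AppId
            Publisher   = if ($sp.VerifiedPublisher.DisplayName) { $sp.VerifiedPublisher.DisplayName } else { 'UNVERIFIED' }
            ConsentType = $g.ConsentType
            Principal   = if ($g.PrincipalId) { $g.PrincipalId } else { '(all users)' }
            Scopes      = $scopes -join ' '
            Reasons     = $reasons -join '; '
        }
    }
}
# Live usage (Directory.Read.All). Application (app-only) permissions are app role assignments,
# not oauth2PermissionGrants, so they need a separate query.
# Connect-MgGraph -Scopes 'Directory.Read.All'
# $grants = Get-MgOauth2PermissionGrant -All
# $sps = @{}
# foreach ($id in ($grants.ClientId | Sort-Object -Unique)) { $sps[$id] = Get-MgServicePrincipal -ServicePrincipalId $id }
# Find-SuspiciousConsents -Grants $grants -ServicePrincipals $sps | Format-Table -AutoSize

# Constructed sample: an unverified app with mailbox scopes consented by one user, and a
# verified app consented tenant-wide with a read-only scope (reported for the tenant-wide consent only).
$sps = @{
    'sp-1' = [pscustomobject]@{ DisplayName = 'Mail Helper'; AppId = '00000000-0000-0000-0000-000000000001'; VerifiedPublisher = @{ DisplayName = $null } }
    'sp-2' = [pscustomobject]@{ DisplayName = 'Known SaaS';  AppId = '00000000-0000-0000-0000-000000000002'; VerifiedPublisher = @{ DisplayName = 'Example Corp' } }
}
$grants = @(
    [pscustomobject]@{ ClientId = 'sp-1'; ConsentType = 'Principal';     PrincipalId = 'user-guid-1'; Scope = 'Mail.ReadWrite Mail.Send offline_access' }
    [pscustomobject]@{ ClientId = 'sp-2'; ConsentType = 'AllPrincipals'; PrincipalId = $null;         Scope = 'User.Read' }
)
Find-SuspiciousConsents -Grants $grants -ServicePrincipals $sps | Format-Table -AutoSize
```

The combination to prioritise is an UNVERIFIED publisher, mailbox or file scopes, and offline_access, because the refresh token keeps the app's access alive after the user's session ends; revoking the grant and the app's refresh tokens is the containment step, not just deleting the consent.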


The Get-SignInTimeline.ps1 script generates a comprehensive timeline of Entra ID (Azure AD) sign-in activities.

This script retrieves and analyzes Microsoft Entra ID sign-in logs to create a detailed timeline of authentication activities. It provides a comprehensive view of sign-in patterns across your organization, including essential details such as location, device, risk levels, and authentication methods.

The Detect-LegacyAuthSignIns.ps1 script identifies successful sign-ins using legacy authentication protocols in Microsoft Entra ID.

This script monitors and detects successful sign-ins to Microsoft Entra ID that use legacy authentication protocols. Legacy authentication poses security risks because it bypasses modern security features, such as multi-factor authentication and conditional access policies.
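An added example of the protocol classification behind that detection (not the post’s Detect-LegacyAuthSignIns.ps1): the function name is mine, the live query assumes Get-MgAuditLogSignIn from the Microsoft.Graph SDK, and the sample sign-ins are constructed.

```powershell
# Summarise successful sign-ins that did not come through a modern client, grouped by user
# and protocol. Graph's clientAppUsed names the protocol ('IMAP4', 'POP3', 'Authenticated SMTP',
# 'Exchange ActiveSync', ...); 'Other clients' is the catch-all for legacy protocols not named individually.
$ModernClients = @('Browser', 'Mobile Apps and Desktop clients')
function Find-LegacyAuthSignIns {
    param([Parameter(Mandatory)] [object[]] $SignIns)   # needs UserPrincipalName, CreatedDateTime, Status.ErrorCode, ClientAppUsed, IpAddress, AppDisplayName
    $legacy = $SignIns | Where-Object {
        $_.Status.ErrorCode -eq 0 -and $_.ClientAppUsed -and ($ModernClients -notcontains $_.ClientAppUsed)
    }
    foreach ($group in ($legacy | Group-Object UserPrincipalName, ClientAppUsed)) {
        $g = @($group.Group | Sort-Object CreatedDateTime)
        [pscustomobject]@{
            User      = $g[0].UserPrincipalName
            Protocol  = $g[0].ClientAppUsed
            Count     = $g.Count
            FirstSeen = $g[0].CreatedDateTime
            LastSeen  = $g[-1].CreatedDateTime
            Ips       = (@($g.IpAddress) | Sort-Object -Unique) -join ','
            Apps      = (@($g.AppDisplayName) | Sort-Object -Unique) -join ','
        }
    }
}

# Live usage (AuditLog.Read.All, Directory.Read.All). The protocol test is applied client-side;
# the Graph filter only narrows the time window and the outcome.
# Connect-MgGraph -Scopes 'AuditLog.Read.All','Directory.Read.All'
# $since   = (Get-Date).ToUniversalTime().AddDays(-7).ToString('yyyy-MM-ddTHH:mm:ssZ')
# $signIns = Get-MgAuditLogSignIn -Filter "createdDateTime ge $since and status/errorCode eq 0" -All
# Find-LegacyAuthSignIns -SignIns $signIns | Sort-Object Count -Descending | Format-Table -AutoSize

# Constructed sample: two IMAP4 successes for alice (reported as one row), one browser success for bob (ignored).
$t0 = [datetime]'2024-01-01T08:00:00'
$sample = @(
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0;               Status = @{ ErrorCode = 0 }; ClientAppUsed = 'IMAP4';   IpAddress = '203.0.113.5';  AppDisplayName = 'Office 365 Exchange Online' }
    [pscustomobject]@{ UserPrincipalName = 'alice@contoso.example'; CreatedDateTime = $t0.AddHours(2);   Status = @{ ErrorCode = 0 }; ClientAppUsed = 'IMAP4';   IpAddress = '203.0.113.6';  AppDisplayName = 'Office 365 Exchange Online' }
    [pscustomobject]@{ UserPrincipalName = 'bob@contoso.example';   CreatedDateTime = $t0.AddMinutes(5); Status = @{ ErrorCode = 0 }; ClientAppUsed = 'Browser'; IpAddress = '198.51.100.8'; AppDisplayName = 'OfficeHome' }
)
Find-LegacyAuthSignIns -SignIns $sample | Format-Table -AutoSize   # one row: alice / IMAP4 / Count 2
```

The rows this produces are also the users and applications that a Conditional Access policy blocking legacy authentication would break, so the same report serves both the investigation and the work of safely turning that block on.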


A collection of general-purpose PowerShell commands and functions designed to facilitate incident response
