AZT201.1 - User Account

By obtaining valid user credentials, an adversary may login to AzureAD via command line or through the Azure Portal.

Resource

Azure Active Directory

Actions

N/A

Examples

Az PowerShell (Secret)Azure CLI

Connect-AzAccount

az login -u <username> -p <password>

Detections

Logs

Data Source	Application	Resource	Log Provider
Azure Active Directory	Azure Portal	Windows Azure Service Management API	SignInLogs
Azure Active Directory	Microsoft Azure PowerShell	Windows Azure Service Management API	SignInLogs

Detection Screenshots

Portal Sign-inPowerShell Sign-in

Queries

Platform	Query
Log Analytics	SignInLogs | where UserId == 'IDGOESHERE'

Azure Monitor Alert

Additional Resources

• https://docs.microsoft.com/en-us/azure/active-directory/reports-monitoring/concept-sign-ins