
Automatic Account Linking with AD Context

Compromising an account is a high-value goal for an attacker, whether on premises or in the cloud: account credentials offer an access point from which to progress deeper. Cognito Detect for O365 lets you track attack progression across the cloud and the network in one simple, unified view of an account in Cognito.

It is clear from reviewing some recent attacks that attackers do not see the boundary between cloud and network as even the slightest barrier to the progression of their attack. Attackers have recently been tracked beginning an attack by brute forcing weak credentials and then using mailbox rules to pivot to an endpoint. Once on the endpoint, the same credentials can be used to move laterally and progress the attack. If your network and cloud detection portfolios are unlinked, the full scale of the attack can be missed entirely.

Automatic Account Linking links accounts seen on your network with the accounts we see in your O365 environment. This lets you quickly see activity across your entire organisation and track an account from an initial O365 breach to any hosts that the account has since been seen on.


Set Up

To enable Automatic Account Linking, you will need to enable our Active Directory Integration.

  • Go to Settings
  • Click External Connectors
  • Click Edit beside "Active Directory and Lockdown"
  • Ensure you have entered the correct Active Directory Details
  • Enable the toggle beside "Automatically Map Accounts" at the bottom of the edit dialog
  • Click Save

Your accounts will now be linked automatically. It can take up to a few hours for accounts to be linked initially.


How Linked Accounts Work

Linked accounts appear in a single pane of glass, with the linked cloud and network accounts shown on the same page.

When viewing all accounts, you can see the sub accounts that make up a linked account in the expandable row beneath it.


When you view a linked account, the top left corner shows the information for each of its sub accounts.

Detections from both sources are listed chronologically, and all of them are taken into account for account scoring.


In the details tab there is more information on each sub account: when it was last seen and which source (network or O365) it came from.

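To make the unified view concrete, here is an added Python illustration of what a linked account carries. This is not Vectra code, and it is not Cognito's actual matching or scoring logic (this article does not describe how accounts are matched). It assumes a hypothetical NetBIOS-to-DNS domain map taken from the Active Directory details, reduces both naming styles to a UPN-style key, merges detections from every sub account into one chronological timeline, and records each sub account's source and last-seen time. The account names, timestamps and detection names are constructed sample data.

```python
from dataclasses import dataclass, field
from datetime import datetime


@dataclass
class SubAccount:
    """One account as seen by a single source (the network sensor or O365)."""
    name: str                      # "CORP\\jsmith" (network) or "jsmith@corp.example" (O365)
    source: str                    # "network" or "O365"
    last_seen: datetime
    detections: list               # (timestamp, detection name, threat score)


@dataclass
class LinkedAccount:
    """The unified view: every sub account that resolved to the same key."""
    key: str
    sub_accounts: list = field(default_factory=list)

    def timeline(self):
        """All detections from every source, oldest first."""
        events = [(ts, sub.source, name, score)
                  for sub in self.sub_accounts
                  for ts, name, score in sub.detections]
        return sorted(events, key=lambda e: e[0])

    def score(self):
        """Illustrative combined score: the highest detection score across all
        linked sub accounts (an assumption, not Vectra's scoring formula)."""
        return max((e[3] for e in self.timeline()), default=0)

    def last_seen_by_source(self):
        """What the details tab shows: per sub account, its source and last-seen time."""
        return {sub.name: (sub.source, sub.last_seen) for sub in self.sub_accounts}


def link_key(sub, domain_map):
    """Assumed matching rule: reduce both naming styles to a lower-case
    'user@dns-domain' using a NetBIOS -> DNS mapping from the AD details.
    How Cognito actually matches accounts is not documented in this article."""
    name = sub.name.lower()
    if "\\" in name:                       # NetBIOS form from the network sensor
        netbios, user = name.split("\\", 1)
        dns = domain_map.get(netbios.upper())
        if dns is None:
            return None                    # unknown domain: leave unlinked
        return f"{user}@{dns.lower()}"
    if "@" in name:                        # UPN form from O365
        return name
    return None


def link_accounts(subs, domain_map):
    """Group sub accounts by link key. Accounts without a usable key are keyed
    by their own name so they still appear, just unlinked."""
    linked = {}
    for sub in subs:
        key = link_key(sub, domain_map) or sub.name
        linked.setdefault(key, LinkedAccount(key)).sub_accounts.append(sub)
    return linked


# Constructed sample data (not real detections or customer data).
DOMAIN_MAP = {"CORP": "corp.example"}
T = datetime.fromisoformat
SAMPLE_ACCOUNTS = [
    SubAccount("jsmith@corp.example", "O365", T("2023-06-02T08:00:00"), [
        (T("2023-06-01T23:15:00"), "Suspicious sign-in after password spray", 40),
        (T("2023-06-02T00:05:00"), "Mailbox rule forwarding to external address", 50),
    ]),
    SubAccount("CORP\\jsmith", "network", T("2023-06-02T10:00:00"), [
        (T("2023-06-02T09:30:00"), "Suspicious remote execution from workstation", 60),
    ]),
    SubAccount("CORP\\svc-backup", "network", T("2023-06-02T07:45:00"), []),
]

if __name__ == "__main__":
    for key, acct in link_accounts(SAMPLE_ACCOUNTS, DOMAIN_MAP).items():
        print(f"{key}  score={acct.score()}  sources={[s.source for s in acct.sub_accounts]}")
        for ts, source, name, score in acct.timeline():
            print(f"  {ts:%Y-%m-%d %H:%M}  [{source:7}] {name} ({score})")
```

Run as a script, it prints jsmith's two O365 detections followed by the network detection, in the order the attack progressed, with svc-backup shown as a network-only account. The point of the timeline is the one the article makes: read on its own, the O365 sensor sees a sign-in and a forwarding rule; read on its own, the network sensor sees one remote execution; linked, they read as a single intrusion.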

Searching for Accounts by Account Type

If you would like to search for accounts of a specific type, you can do so in advanced search mode with the following query:

account.account_type:"O365"

This returns the linked accounts that contain an O365 sub account.

Searching for O365 detections only in the Detections List

If you want to see O365 detections only, filter by sensor on the Detections list page: selecting your O365 sensor lists only O365 and Azure AD detections.


Disabling Account Linking

If you want to disable Automatic Account Linking, you can easily do this from the AD integration section.

  • Go to Settings
  • Click External Connectors
  • Click Edit beside "Active Directory and Lockdown"
  • Disable the toggle beside "Automatically Map Accounts" at the bottom of the edit dialog
  • Click Save

Accounts that are already linked will not be unlinked, but no new accounts will be linked. If you would like to unlink any linked accounts, please contact support.
