Skip to content
Get A Demo
Free SIEM
    July 9, 2024

    Security Detection Update - 2024-7-9

    Welcome to our weekly security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.

    Introduction and Overview

    This week we have spent digging into Azure/365/Entra attacks and additional tactics around kerberoasting.


    New Detections

    This update introduces:

    Azure: Service Principal Creation By Service Principal

    When a Service Principal in Entra has been observed creating another Service Principal. Some Azure services and products can perform this as part of a managed service. Threat actors have been observed using this technique to gain persistence growing their foothold in Azure environments.

    Microsoft 365: Impossible Travel AAD Login - 500 to 999 miles

    Impossible travel refers to logins or access attempts that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, successful logins that are 500 to 999 miles apart within a 2 hour window are deemed suspicious.

    • Status: Default Disabled
    • Log type requirement: MS365

    Microsoft 365: Impossible Travel AAD Login - 1,000 to 2,000 miles

    Impossible travel refers to logins or access attempts that originate from different geographic locations within an unrealistically short timeframe, indicating potential malicious activity. In this detection, successful logins that are 1,000 to 2,000 miles apart within a 4 hour window are deemed suspicious.

    • Status: Default Disabled
    • Log type requirement: MS365

    Suspicious SPN Enumeration

    SPNs are used by Kerberos authentication to identify the account running a particular service. Administrators may legitimately perform SPN enumeration to audit and manage SPNs in their environment. Threat actors have been observed using SPN enumeration to gather information about services and user accounts in an Active Directory environment.


    Amanda Berlin

    Amanda Berlin is Lead Incident Detection Engineer at Blumira, bringing nearly two decades of experience to her position. At Blumira she leads a team of incident detection engineers who are responsible for creating new detections based on threat intelligence and research for the Blumira platform. An accomplished...

    More from the blog

    View All Posts