Login Alerts / Location

Arctic Wolf alerts for a login from outside the US / UAE are to be investigated as potential account compromise.  Investigate the activity in the following order:

  1. Check the International Travel register to see whether the alert is simply registered travel that was never added to the alerting exclusion rules:   Technology - International Travel - All Items.   If the user is in this register and the alert location matches their registered travel, stop: clear the alert by contacting [email protected] and having a travel rule created.
  2. Check the Entra ID sign-in logs for the reported user to review the login activity, then reach out to the user, or to the user's manager if the user does not respond or has an out-of-office notification: Users - Microsoft Entra admin center. The sign-in log shows the IP the user connected from; check whether that IP belongs to a VPN or proxy, which is a common cause of false alerts from mobile devices:  https://www.ipqualityscore.com
  3. Check Cloud App activity for access to files in OneDrive or SharePoint:   Activity log - Microsoft Defender.  If the activity log shows downloads from OneDrive or SharePoint and there is no response from the user or manager, lock the user account in AD and revoke sessions.  Do not select “change password” at this point.
  4. Check ZDX for the reported user to see whether they are connected: ZIdentity – Connections via Zscaler shows the IP and country the user is connecting from; if these match the alert, the user is most likely actually at that location.
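The four steps above, scripted with the Microsoft Graph PowerShell SDK as an added example for this runbook. This is not code from the original page or from Arctic Wolf; it assumes the Microsoft.Graph modules are installed, that the analyst holds the listed Graph scopes, that the Exchange Online module is optionally available for the download check, and that the IPQualityScore JSON endpoint is the one in their public API docs (the lookup is skipped without a key). Steps 3 (Defender activity log) and 4 (ZDX) have no scripted equivalent here beyond the audit-log check, so the script prints them as reminders.

```powershell
<#
Added example for this runbook (not from the original page): scripted triage of an
Arctic Wolf "login outside US/UAE" alert. Assumptions: Microsoft.Graph modules installed,
Graph scopes below granted, Exchange Online PowerShell optional, IPQualityScore endpoint
per their public JSON API (used only when a key is supplied).
#>
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,       # user named in the alert
    [string[]] $ApprovedCountries = @('US', 'AE'),            # ISO 3166 codes for US / UAE
    [string]   $ExceptionGroup = 'Entra-International-Travel-Conditional-Access-Exception',
    [int]      $LookbackHours  = 72,
    [string]   $IpqsApiKey     = '',                          # optional: VPN/proxy lookup
    [switch]   $Contain                                        # block sign-in + revoke sessions
)

Connect-MgGraph -Scopes 'AuditLog.Read.All', 'Directory.Read.All', 'User.ReadWrite.All', 'User.RevokeSessions.All' -NoWelcome
$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, AccountEnabled, OnPremisesSamAccountName

# --- Step 1: registered travel that never made it into the exclusion rules? ---
$group = Get-MgGroup -Filter "displayName eq '$ExceptionGroup'"
$inExceptionGroup = $false
if ($group) {
    $inExceptionGroup = [bool](Get-MgGroupMember -GroupId $group.Id -All | Where-Object Id -eq $user.Id)
}
if ($inExceptionGroup) {
    Write-Host "$UserPrincipalName is in $ExceptionGroup (registered travel)." -ForegroundColor Green
    Write-Host "If the alert location matches the travel register, clear the alert with Arctic Wolf and request a travel rule."
}

# --- Step 2: Entra ID sign-ins from outside the approved countries ---
$since   = (Get-Date).ToUniversalTime().AddHours(-$LookbackHours).ToString('yyyy-MM-ddTHH:mm:ssZ')
$signIns = Get-MgAuditLogSignIn -Filter "userPrincipalName eq '$($user.UserPrincipalName)' and createdDateTime ge $since" -All
$foreign = $signIns | Where-Object {
    $_.Location.CountryOrRegion -and ($_.Location.CountryOrRegion -notin $ApprovedCountries)
}
$foreign | Sort-Object CreatedDateTime |
    Select-Object CreatedDateTime, IPAddress,
        @{n='Country';   e={ $_.Location.CountryOrRegion }},
        @{n='City';      e={ $_.Location.City }},
        AppDisplayName, ClientAppUsed, ConditionalAccessStatus,
        @{n='Result';    e={ if ($_.Status.ErrorCode -eq 0) { 'Success' } else { $_.Status.FailureReason } }},
        @{n='Compliant'; e={ $_.DeviceDetail.IsCompliant }} |
    Format-Table -AutoSize

# A successful foreign sign-in means the geo-block policy did not stop it (exception group,
# excluded app, or a 'notApplied' policy evaluation); these drive the containment decision.
$successfulForeign = $foreign | Where-Object { $_.Status.ErrorCode -eq 0 }

# VPN / proxy check on each distinct source IP (the usual false positive from mobile devices).
$ips = $foreign | Select-Object -ExpandProperty IPAddress -Unique
foreach ($ip in $ips) {
    if ($IpqsApiKey) {
        $r = Invoke-RestMethod -Uri "https://www.ipqualityscore.com/api/json/ip/$IpqsApiKey/$ip"
        Write-Host ("{0}: vpn={1} proxy={2} tor={3} fraud_score={4}" -f $ip, $r.vpn, $r.proxy, $r.tor, $r.fraud_score)
    } else {
        Write-Host "Check $ip manually at https://www.ipqualityscore.com (VPN/proxy?)"
    }
}

# --- Step 3: OneDrive / SharePoint downloads. The runbook uses the Defender activity log;
# the unified audit log (Exchange Online PowerShell) is an equivalent scripted check. ---
if (Get-Command Search-UnifiedAuditLog -ErrorAction SilentlyContinue) {
    Search-UnifiedAuditLog -StartDate (Get-Date).AddHours(-$LookbackHours) -EndDate (Get-Date) `
        -UserIds $user.UserPrincipalName -Operations FileDownloaded, FileSyncDownloadedFull -ResultSize 1000 |
        ForEach-Object {
            $d = $_.AuditData | ConvertFrom-Json
            [pscustomobject]@{ Time = $_.CreationDate; Op = $_.Operations; ClientIP = $d.ClientIP; File = $d.ObjectId }
        } | Format-Table -AutoSize
} else {
    Write-Host "Review 'Activity log - Microsoft Defender' for OneDrive/SharePoint downloads by $UserPrincipalName."
}
Write-Host "Step 4: compare the IP/country above with ZDX (ZIdentity - Connections) for $UserPrincipalName."

# --- Containment per the runbook: lock the account and revoke sessions; do NOT reset the password yet. ---
if ($Contain -and $successfulForeign) {
    if ($user.OnPremisesSamAccountName -and (Get-Command Disable-ADAccount -ErrorAction SilentlyContinue)) {
        # Hybrid account: on-prem AD is authoritative for the enabled flag, so disable it there
        # as well, otherwise the next Entra Connect sync re-enables the cloud object.
        Disable-ADAccount -Identity $user.OnPremisesSamAccountName
    }
    Update-MgUser -UserId $user.Id -AccountEnabled:$false   # immediate cloud-side sign-in block
    Revoke-MgUserSignInSession -UserId $user.Id             # invalidates refresh tokens and sessions
    Write-Host "Sign-in blocked and sessions revoked for $UserPrincipalName." -ForegroundColor Yellow
}
```

Run it without -Contain first: it only reads. The -Contain switch performs the lock-and-revoke from step 3 and deliberately leaves the password alone, matching the runbook. Revoking sessions invalidates refresh tokens, but access tokens already issued stay valid until they expire (typically up to an hour), so keep watching the sign-in log after containment.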





Informational data (the text below is for reference only and explains the setup behind this process):


International Travel and Access Policy

Policy Statement: To enhance our company's security and protect our data, we are implementing a new security policy using Microsoft Entra Conditional Access. This policy will deny access to Microsoft and other company applications from any country that is not on our approved list.

Scope: This policy applies to all domain users attempting to log in to company services, including but not limited to Teams, Outlook, and OneDrive, from unapproved geographic locations. This policy will not apply to guest users with SharePoint or Teams meeting links, as they are explicitly excluded.

Approved Locations:

  • United States
  • United Arab Emirates


International Travel Protocol:

Users traveling internationally must complete the [International Travel Form] at least 24 hours prior to travel. This form is a critical part of our process to ensure uninterrupted access to company resources while abroad.

Procedure for Granting Access:

  1. Upon receiving a completed [International Travel Form], the user will be temporarily added to a security group named Entra-International-Travel-Conditional-Access-Exception.
  2. This security group is an exception list that will grant access to company services for the specified travel dates.
  3. The date of expected return must be included in the form to ensure the user is removed from the exception group and their account is properly protected upon their return.
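Reconciling the exception group against the travel register, as an added example; this is not part of the original page and not the CEAs' current process. It assumes a CSV export of the Technology - International Travel list with columns UserPrincipalName, TravelStart and ReturnDate (the real column names are not given on the page) and the Microsoft Graph PowerShell SDK. Without -Commit it only reports the changes it would make.

```powershell
<#
Added example (not from the original page): keep the travel exception group in step with
the travel register. Assumed CSV columns: UserPrincipalName, TravelStart, ReturnDate.
#>
param(
    [Parameter(Mandatory)] [string] $RegisterCsv,
    [string] $ExceptionGroup = 'Entra-International-Travel-Conditional-Access-Exception',
    [switch] $Commit                       # without -Commit: report only
)

Connect-MgGraph -Scopes 'Group.ReadWrite.All', 'User.Read.All' -NoWelcome
$group = Get-MgGroup -Filter "displayName eq '$ExceptionGroup'"
if (-not $group) { throw "Group '$ExceptionGroup' not found" }

$today    = (Get-Date).Date
$register = Import-Csv $RegisterCsv | ForEach-Object {
    [pscustomobject]@{
        Upn   = $_.UserPrincipalName.Trim().ToLower()
        Start = ([datetime]$_.TravelStart).Date
        End   = ([datetime]$_.ReturnDate).Date   # form captures a date, so the window ends that evening
    }
}
$bad = $register | Where-Object { $_.End -lt $_.Start }
if ($bad) { $bad | ForEach-Object { Write-Warning "Return date before travel start for $($_.Upn); skipping" } }

# Who should be in the group today: anyone with an active travel window.
$shouldBe = @($register | Where-Object { $_.End -ge $_.Start -and $_.Start -le $today -and $_.End -ge $today } |
              Select-Object -ExpandProperty Upn -Unique)

# Who is in the group now; member objects carry the UPN in AdditionalProperties.
$current = @{}
foreach ($m in (Get-MgGroupMember -GroupId $group.Id -All)) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if ($upn) { $current[$upn.ToLower()] = $m.Id }
}

$toAdd    = @($shouldBe     | Where-Object { -not $current.ContainsKey($_) })
$toRemove = @($current.Keys | Where-Object { $_ -notin $shouldBe })   # trip over, or never registered

foreach ($upn in $toAdd) {
    Write-Host "ADD    $upn (travel window active)"
    if ($Commit) {
        $u = Get-MgUser -UserId $upn -Property Id
        New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $u.Id
    }
}
foreach ($upn in $toRemove) {
    Write-Host "REMOVE $upn (no active travel window in register)"
    if ($Commit) { Remove-MgGroupMemberByRef -GroupId $group.Id -DirectoryObjectId $current[$upn] }
}
if (-not $toAdd -and -not $toRemove) { Write-Host 'Exception group already matches the register.' }
```

Members with no register entry at all are removed too, which is the point: the group is an exception to the geo-block, and anyone in it without a registered trip is an unmanaged hole in the policy. Run this daily (or on the return date) so removal does not depend on someone remembering.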


Link to SharePoint site tracking these travel requests:  Technology - International Travel - All Items

Helpline and User Verification:

For users who are traveling and call the company helpline for assistance, IT support staff will verify the user's identity by confirming their manager's name. This is a mandatory step to prevent unauthorized access. If the user is out of an approved area and cannot access the [International Travel Form], IT staff will submit the form on their behalf after identity verification.


Group Management and Access:

  • CEAs (or those with equivalent access) will have the ability to add and remove members of the Entra-International-Travel-Conditional-Access-Exception security group.
  • The ultimate responsibility for removing users from this group rests with Michael Tidwell.
  • CEAs are authorized to add users to the group only after verifying the user's identity and confirming that the International Travel Form has been completed with the required information, including the return date.


Where to add users in Entra ID (Azure Active Directory) to allow login from outside the approved locations:

Entra-International-Travel-Conditional-Access-Exception