Tools to audit user/system accounts
Posted by sysadmin_dot_py@reddit | sysadmin | 7 comments
I have a compliance requirement being imposed to audit user and system accounts bi-annually to identify accounts that exist in systems that shouldn't exist. While not a current requirement, I can see in the future a requirement to audit what those accounts can access.
We utilize Entra, but the built-in Entra auditing tools are not sufficient for systems other than Entra, even with SSO enabled for nearly every application in our environment. The requirement includes auditing accounts in third-party applications.
For example, SaaS Application A utilizes SSO with Entra ID. However, SaaS Application A also allows non-federated accounts to be created (for example, break-glass accounts, service accounts, API keys). So it is possible that an account could be created within the SaaS application itself outside of Entra ID. A certain employee role/group also gets federated access. I need to pull a list of users in SaaS Application A (can be done via export or script), and have a tool compare that export against Entra ID users with this employee group, and see which ones are the outliers. Then I need to have the application owner review access and approve the access of any discrepancies.
Example 2: I need to validate that the Enterprise Applications / service principals in Entra ID have the correct Graph API permissions and are still all valid.
Ideally, such a tool could show the result of each account / service principal during the previous review, to make it easier to quickly review these accounts.
Finally, I need to be able to go back to these reviews and see what the status of an account for any given
pickled-pilot@reddit
Bi-annually so twice a year. What’s your budget and how long does this take you to do manually?
sysadmin_dot_py@reddit (OP)
Management would probably be okay with around $5k/year. We do not do this currently.
pickled-pilot@reddit
How many systems are in scope of this audit? Do it manually to get an idea of how much effort this will take to do manually. That will inform management more about how much they should be willing to spend on it.
$5k is way too low. The budget on audit automation of this level starts at $30k per year (in the US. Prices may vary by your exact location)
sysadmin_dot_py@reddit (OP)
Fair points, appreciate the input. In the US. No way $30k gets approved for this, given where the requirement is coming from. Thanks!
swimmityswim@reddit
Audit and compliance are big money, the work to satisfy the requirements is also mind-numbingly boring and annoying so it doesn’t come cheap
sysadmin_dot_py@reddit (OP)
I've noticed this.
Helpjuice@reddit
Set up a SIEM that centrally collects all relevant logs, run queries on actual usage and against the authorized users list for the specific allocations, APIs, tenants, etc.
Use queries, reporting, and dashboards to align the two to generate alerts and SOAR to auto generate collections, reviews, and action for human review
A pseudo code query that could be used
This in theory would give you a list of all unauthorized users, their last activities, where those activities occurred, their last login, their supervisor/manager, if they are contractors/employees and still active.
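As an added example covering both the comparison the OP describes (SaaS export vs. the entitling Entra group) and the "authorized users list" query in the comment above (this is not code from the thread or from any product mentioned in it): a small Python reconciliation over constructed sample data. It assumes the SaaS user export, the Entra group membership and the previous cycle's decisions have already been pulled into plain lists and dicts.

```python
"""Reconcile a SaaS app's user export against the Entra ID group that is
supposed to grant federated access, and carry forward the prior review
decision for each account. All inputs below are constructed samples."""
from dataclasses import dataclass


@dataclass
class Finding:
    account: str
    kind: str   # "federated" (expected), "orphan" (SSO user no longer in group), "local" (non-federated)
    prior: str  # previous review decision, or "never reviewed"


def _norm(addr: str) -> str:
    # Exports disagree on case/whitespace, so compare on a normalized form.
    return addr.strip().lower()


def reconcile(saas_users, entra_group, previous_review):
    """saas_users: [{'login': str, 'auth': 'sso'|'local'}] from the app export.
    entra_group: UPNs currently in the group that entitles access.
    previous_review: {login: decision} recorded in the last cycle."""
    members = {_norm(u) for u in entra_group}
    prev = {_norm(k): v for k, v in previous_review.items()}
    findings = []
    for u in saas_users:
        login = _norm(u["login"])
        if u["auth"] == "sso" and login in members:
            kind = "federated"
        elif u["auth"] == "sso":
            kind = "orphan"  # left the group but the app still holds the account
        else:
            kind = "local"   # break-glass / service / API account: owner must attest
        findings.append(Finding(login, kind, prev.get(login, "never reviewed")))
    return findings


def needs_review(findings):
    """Everything that is not a plain group-backed federated account."""
    return [f for f in findings if f.kind != "federated"]


# Constructed sample inputs (not real accounts)
SAAS_EXPORT = [
    {"login": "Alice@Example.com", "auth": "sso"},
    {"login": "bob@example.com", "auth": "sso"},
    {"login": "breakglass@example.com", "auth": "local"},
    {"login": "svc-reporting@example.com", "auth": "local"},
]
ENTRA_GROUP = ["alice@example.com", "carol@example.com"]
PREVIOUS = {"Bob@example.com": "approved 2024-H1", "breakglass@example.com": "approved 2024-H1"}
```

Feeding `needs_review(reconcile(SAAS_EXPORT, ENTRA_GROUP, PREVIOUS))` to the application owner gives them only the outliers, each with last cycle's decision beside it.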