In this article, you will learn about the User Anomaly Detection M365 User Security component of the Threat-hunting & Action Center (TAC).
1. Description
2. How does User Anomaly Detection work?
3. User Anomaly Detection
4. M365 User Security settings
DESCRIPTION
M365 User Security is built on the Login Anomaly Detection mechanism, which collects data on user logins in an Azure AD environment (only user accounts licensed with a standalone add-on or a business suite, such as Microsoft Entra ID P1/P2, Microsoft Business Premium, or Microsoft E3/E5, are supported). Using the Login Anomaly Detection service, a customer/reseller can monitor suspicious activity at the network level, as the product offers relevant telemetry for AAD-joined users in terms of multiple failed login attempts, users that are logged in from another country, or both (failed login attempts by a user who is trying to log in from another country).
HOW DOES USER ANOMALY DETECTION WORK?
User Anomaly Detection uses an Azure AD/Entra enterprise app that is created during setup to collect the user login data (through the Microsoft Graph API), analyze it, and report it in the HEIMDAL Dashboard under Threat-hunting & Action Center (M365 tab). M365 User Security checks the user login data and raises alerts for anomalies found in the environment. If a login attempt is observed from a location that is not a known location of the user, M365 flags it as an anomaly and, depending on the configuration, the affected user can be logged out on detection.
USER ANOMALY DETECTION
The User Anomaly Detection view displays all the information collected from your organization through the Microsoft Graph and offers relevant telemetry for AAD-joined users in terms of multiple failed login attempts, users that are logged in from another country, or both. At the top, you see statistics for the number of Detections, Unresolved Detections, Acknowledged Detections, and Dismissed Detections. You can navigate between the 3 views (Login Anomaly Detection, User Location, and Forwarding Rules) to analyze the most relevant details gathered by the HEIMDAL services.
- Login Anomaly Detection
The details displayed in Standard mode include: Username, Alert name, Alert description, Timestamp, and Status.
The Filters functionality allows you to filter entries by status or alert type. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
IMPORTANT
The primary location for a user is automatically set based on the first successful login detected by the system. This location cannot be manually changed. If a login from a different location is later detected and acknowledged by the administrator, it is recorded as a secondary location. Once acknowledged, you can navigate to the same tab in the Dashboard to promote the secondary location to the new default, if needed. This helps tailor anomaly detection to reflect legitimate travel or relocation patterns.
- User Location
The details displayed in Standard mode include: Username, Country, ISO2, Location Type, and Expiration Date.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
- User browsers
The details displayed in Standard mode include: Username, Browser, Popularity, and Successful logins.
When a grid entry is selected by ticking the checkbox next to a username, the “Select what action to take” drop-down becomes available, allowing IT administrators to perform the “Delete Browser” action.
The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard mode corresponding to the view.
- Forwarding Rules
The details displayed in Standard mode include: Username, Rule Name, Forward to, Forward as attachment to, Redirect to, Details, and Status.
The HEIMDAL Dashboard user can get granular details about the rule by clicking the Expand button in the Details column; this fine-grained data is displayed in an overlaying modal window. The Filters functionality allows you to filter entries by status or alert type. The Download CSV functionality allows you to generate and download a CSV report that includes all the information in Standard or Verbose mode corresponding to each view.
IMPORTANT
Only Mailbox Rule-type forwarding rules are supported. SMTP Forwarding configured in the Exchange Online Protection -> Mail Flow Rules is NOT supported.
Although the view displays detected mailbox rules, only the forwarding rules generate M365 notifications and contribute to the user risk score, as these are considered to potentially generate cybersecurity vulnerabilities.
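To make the distinction above concrete, here is an added example (not Heimdal code) that picks the forwarding rules out of a user's mailbox rules and lays them out in the columns of the Forwarding Rules view. The sample rules are constructed; their shape follows the Microsoft Graph messageRule resource (displayName, isEnabled, and an actions object carrying forwardTo, forwardAsAttachmentTo and redirectTo recipient lists). The list of internal domains is an assumption used only to separate internal from external targets.

```python
# Added example (not Heimdal code): classify mailbox rules the way the Forwarding Rules
# view does. Only rules that forward or redirect mail are returned, since those are the
# ones the article says raise M365 notifications and feed the user risk score.
import json

INTERNAL_DOMAINS = {"example.com"}   # assumed: the tenant's own accepted domains

# Constructed sample: the kind of JSON Graph returns for a user's inbox message rules.
SAMPLE_RULES_JSON = json.dumps({"value": [
    {"id": "r1", "displayName": "File invoices", "isEnabled": True,
     "actions": {"moveToFolder": "folder-id-placeholder", "markAsRead": True}},
    {"id": "r2", "displayName": "Backup", "isEnabled": True,
     "actions": {"forwardTo": [{"emailAddress": {"name": "Archive",
                                                 "address": "archive@webmail-example.net"}}],
                 "forwardAsAttachmentTo": []}},
    {"id": "r3", "displayName": "Team copy", "isEnabled": False,
     "actions": {"redirectTo": [{"emailAddress": {"name": "Team",
                                                  "address": "team@example.com"}}]}},
]})


def recipients(rule, action):
    """Addresses targeted by one action, lowercased (empty when the action is absent)."""
    return [r["emailAddress"]["address"].lower()
            for r in rule.get("actions", {}).get(action) or []]


def classify_rule(user, rule):
    """Build one grid row. 'is_forwarding' is True for any forward/redirect action;
    'external_targets' lists the addresses outside INTERNAL_DOMAINS."""
    row = {
        "username": user,
        "rule_name": rule.get("displayName", ""),
        "forward_to": recipients(rule, "forwardTo"),
        "forward_as_attachment_to": recipients(rule, "forwardAsAttachmentTo"),
        "redirect_to": recipients(rule, "redirectTo"),
        "status": "Enabled" if rule.get("isEnabled") else "Disabled",
    }
    targets = row["forward_to"] + row["forward_as_attachment_to"] + row["redirect_to"]
    row["is_forwarding"] = bool(targets)
    row["external_targets"] = [t for t in targets
                               if t.rsplit("@", 1)[-1] not in INTERNAL_DOMAINS]
    return row


def forwarding_rules(user, rules_json):
    """Rows for the rules that actually forward or redirect mail. Other mailbox rules
    (move, mark as read, ...) are shown by the view but raise no notification."""
    rules = json.loads(rules_json).get("value", [])
    rows = [classify_rule(user, r) for r in rules]
    return [r for r in rows if r["is_forwarding"]]


if __name__ == "__main__":
    for row in forwarding_rules("alice@example.com", SAMPLE_RULES_JSON):
        print(row["rule_name"], row["status"], row["external_targets"])
```

Of the three constructed rules, only "Backup" and "Team copy" forward mail; the first of them points at an external mailbox, which is the case a reviewer of the Forwarding Rules grid would look at first.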
A. Action Center
The User Anomaly Detection Action Center (expanded by pressing the blue arrow at the bottom of the page) displays details about the end users’ risk score and notifications (count + quick access to the M365 Action Center), in a very similar way to the TAC bottom widget.
The M365 tab is split into Aggregated Notifications, Notifications, and User Compliance.
- Aggregated Notifications
The grid provides the following details: Notification name, Details, Source, Severity, Hits, and Resolution. The Search field allows you to search among the multiple notifications. The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- Notifications
This view displays a list of threats detected by the engines powering TAC at the hostname level. The grid provides the following details: User, Notification Name, Details, Source, Severity, Categories, Timestamp, and Resolution. The Search field allows you to search among the multiple notifications.
The entries are multi-selectable, as long as the alerts are similar (so that the mitigation actions apply to all the selected alerts), and as soon as one or multiple checkboxes are ticked, the user can act on the alert by applying one of the recommended actions from the dropdown menu.
- User compliance
This view displays a list of compliance conditions that each M365 user account does or does not fulfill. The grid displays the following details: User, Multi-factor authentication, Strong password, Password expiration, 90 days inactive, and Last login.
After selecting one of the notifications, the HEIMDAL Dashboard admin can choose one of the following actions:
- Logout user: the user will be disconnected from all Microsoft web sessions where they are logged in.
- Reset password: the user will be disconnected from all Microsoft web sessions where they are logged in, and required to change the current password.
- Disable user account: the user account will be disabled, and the user can no longer log in.
- Enable user account: the user account will be enabled, and the user will be allowed to log in. This action is available only on a disabled account (after the Disable user account action was taken).
The grid offers various data visualization options: search based on user, filter based on the non-compliance criteria and last login timeframe, sort, and pagination.
IMPORTANT
Email Security notifications are not available in the M365 Action Center, but are taken into consideration for the M365 User Security risk score calculation. The Force User Logout action button is enabled only if the customer tenant ID is synchronized, and consent is granted for the HEIMDAL LAD application.
B. User Anomaly Detection specifics
The User Anomaly Detection details/specifics view (clicking on an end-user/email address from the left-hand side vertical menu) is based on 6 components: Email Security, Email Fraud Prevention, Forwarding Rules, Ransomware Encryption Protection for Cloud, Login Anomaly Detection, and M365. In the User Anomaly Detection specifics, you get dedicated tabs for each type of detection registered by the product, and you can perform the same actions as from the corresponding product pages.
This view displays the username, last login info of the selected user, the actions you can take on the user, and the data corresponding to each service.
- Email Security
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines. You can filter by From, Header From, Type, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
- Email Fraud Prevention
The Inbound view and Outbound view display all the emails that are being filtered by the Email Security engines. You can filter by From, Header From, Status, Spam Classification, Minimum Spam Score, Maximum Spam Score, and EFP Rule Category.
- Forwarding Rules
The FW-R (Forwarding Rules) section provides an overview of all email forwarding configurations detected. It displays details such as the rule name, the user associated with the rule, the type of forwarding applied, the destination address, and the timestamp of when the rule was detected or last updated. The search field allows you to filter results by rule name.
- REP
The REP (Ransomware Encryption Protection for Cloud) grid provides the following details about the REP for Cloud detections made at the user level: email address, AD Group, number of affected files, whether the user's session was revoked, and the Timestamp. The search field allows you to search by AD Groups.
- LAD
The LAD (Login Anomaly Detection) grid provides info at the end-user level about the alert name (unusual login or failed login), its description (the user logged in from a specific country, or the user had 5 failed login attempts within 60 minutes), and the timestamp (when the alert was generated).
You can use the search field to search the events by Alert description, download the data as a CSV file, and filter the data using the Filters button. If one or more unusual login notifications are selected, you can take the Acknowledge action, which means that, for the next 30 days, this type of notification will no longer be displayed.
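The location model described in the IMPORTANT note of the Login Anomaly Detection view (primary location fixed by the first successful login, acknowledged secondary locations, promotion) and the two alert types described here (unusual login, and 5 failed login attempts within 60 minutes, optionally from another country) can be put together in a few dozen lines. The detector below is an added example, not Heimdal code: the event format, the 30-day expiry of an acknowledged location, the handling of excluded countries and the sample sign-ins are all constructed for this example; a real feed would come from the Microsoft Graph sign-in logs.

```python
# Added example (not Heimdal code): a small login-anomaly detector modelled on the rules
# this article describes. Event shape and sample events are constructed.
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_THRESHOLD = 5                   # failed attempts that raise a "failed login" alert
FAILED_WINDOW = timedelta(minutes=60)  # ...within this sliding window
ACK_DAYS = 30                          # an acknowledged location stays trusted this long


class LoginAnomalyDetector:
    def __init__(self, excluded_countries=()):
        self.excluded = {c.upper() for c in excluded_countries}   # countries never flagged
        self.primary = {}                     # user -> ISO2 of first successful login
        self.secondary = defaultdict(dict)    # user -> {ISO2: expiry datetime}
        self.failures = defaultdict(deque)    # user -> timestamps of recent failed logins

    def acknowledge(self, user, country, when):
        """Admin acknowledges a login from a new country: it becomes a secondary
        location and unusual-login alerts for it are suppressed for ACK_DAYS."""
        self.secondary[user][country.upper()] = datetime.fromisoformat(when) + timedelta(days=ACK_DAYS)

    def promote(self, user, country):
        """Promote an acknowledged secondary location to the user's new default."""
        if country not in self.secondary[user]:
            raise ValueError("only acknowledged secondary locations can be promoted")
        self.primary[user] = country
        del self.secondary[user][country]

    def known_locations(self, user, at):
        live = {c for c, expiry in self.secondary[user].items() if expiry > at}
        return live | {self.primary.get(user)}

    def process(self, event):
        """Return a list of (alert name, alert description) for one sign-in event."""
        user, country = event["user"], event["country"].upper()
        ts = datetime.fromisoformat(event["ts"])
        alerts = []
        # A country is unusual only once the user has a primary location, and never
        # when it is on the exclusion list.
        foreign = (user in self.primary
                   and country not in self.known_locations(user, ts)
                   and country not in self.excluded)
        if event["success"]:
            if user not in self.primary:
                self.primary[user] = country        # first successful login fixes the primary
            elif foreign:
                alerts.append(("unusual login", f"user logged in from {country}"))
        else:
            window = self.failures[user]
            window.append(ts)
            while ts - window[0] > FAILED_WINDOW:   # drop failures older than the window
                window.popleft()
            if len(window) >= FAILED_THRESHOLD:
                desc = f"user had {len(window)} failed login attempts within 60 minutes"
                if foreign:                          # the combined case: failures from abroad
                    desc += f" from {country}"
                alerts.append(("failed login", desc))
                window.clear()                       # start a fresh window after alerting
        return alerts


def run(events, excluded_countries=()):
    """Feed events through a fresh detector; return (user, alert name, description, ts) rows."""
    det = LoginAnomalyDetector(excluded_countries)
    rows = []
    for e in events:
        for name, desc in det.process(e):
            rows.append((e["user"], name, desc, e["ts"]))
    return rows


# Constructed sample sign-ins: alice's first login fixes DK as primary and a later login from
# BR is unusual; bob fails five times from US within 35 minutes after a successful DK login.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "ts": "2024-05-01T08:00:00", "country": "DK", "success": True},
    {"user": "alice@example.com", "ts": "2024-05-01T09:30:00", "country": "DK", "success": True},
    {"user": "alice@example.com", "ts": "2024-05-02T03:10:00", "country": "BR", "success": True},
    {"user": "bob@example.com", "ts": "2024-05-02T10:00:00", "country": "DK", "success": True},
] + [
    {"user": "bob@example.com", "ts": f"2024-05-02T10:{m:02d}:00", "country": "US", "success": False}
    for m in (5, 12, 20, 31, 40)
]

if __name__ == "__main__":
    for row in run(SAMPLE_EVENTS):
        print(row)
```

Running the sample produces exactly two alerts: an unusual login for alice from BR and a failed-login alert for bob that also names the foreign country. Passing `excluded_countries=["BR"]` removes alice's alert, and calling `acknowledge` for a user and country suppresses the alert for that pair until the 30 days have elapsed, after which it fires again.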
- M365
The M365 grid provides info at the end-user level about the overall risk score as well as relevant end-user Info. End-user info data is populated from the Azure Active Directory when synchronized:
- User Score - displays a circular progress bar with the user risk score and severity level.
- User Info - displays Azure AD information about the user (User Principal Name, Display Name, Last IP, and Country).
The Risk Chart container displays a visual representation of the user risk score derived from the three modules (ESEC, EFP, FW-R, LAD, REP for Cloud). When you click any of them in the spider web chart, the right-hand side is populated with the risk score for that particular module and a preview of relevant info, with the option to navigate to the respective tab by clicking the Investigate View button.
M365 USER SECURITY SETTINGS
User Anomaly Detection requires M365 User Security to be configured. This is done in the Network Settings -> M365 User Security tab. Once you enable M365 User Security, you can set up the Azure/Entra LAD enterprise app by pressing the Grant consent link, which will direct you to the Microsoft 365 login page to grant permissions.
IMPORTANT
Granting consent to the Azure/Entra LAD enterprise app can be done ONLY if an Azure/Entra tenant ID is specified and synchronized in the Guide -> Customer settings -> Login setup -> Azure login section. If you don't have the Azure/Entra LAD enterprise app configured and the Azure/Entra tenant ID synchronized, the HEIMDAL Dashboard displays a toast message: A tenant ID needs to be configured to be able to grant consent.
Enable Multi-factor authentication check - scans the Microsoft 365 account settings to verify whether MFA is enabled. If it is disabled, the account is flagged with a red exclamation mark in the User at Risk tab.
Enable password strength - checks the account’s password policy to ensure it requires complex passwords (e.g., a mix of uppercase, lowercase, numbers, and special characters). If not enabled, the account is flagged with a red exclamation mark in the User at Risk tab.
Enable password expiration - reviews the account policy to confirm that passwords expire after a set number of days. If disabled, the account is flagged with a red exclamation mark in the User at Risk tab.
Logout user on login anomaly detection - if an unusual login is detected, the user that generated it will be disconnected from all Microsoft web sessions where the user is logged in.
Countries excluded from Login Anomaly Detection - displays a grid with the list of countries that are excluded from the detection of login anomalies. You can add a country from the dropdown menu or delete a country from the list.
Block user login from these countries - displays a grid with the list of countries from which user logins are blocked. You can add a country to the block list using the dropdown menu or remove an existing country from the list as needed.
Besides the Synced/Not synced statuses, there is also a Warning status, corresponding to the scenario in which a location is present in the Entra ID Conditional Access Policy, and therefore shown in the grid, but was not added through the Heimdal Dashboard.
When a country is added (selected from the drop-down list) for the first time, updating/saving the Network Settings automatically creates a new location in Azure, under Conditional Access > Named locations, named Heimdal | M365 Geoblocking countries list.
On the end-user side, if the country they are trying to log in from is on the blocked countries' list, the sign-in attempt ends with a pop-up window stating why the attempt cannot be completed.
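The Synced / Not synced / Warning statuses and the named location described above can be reproduced from two inputs: the block list saved in the Dashboard and the country named location present in the tenant. The code below is an added example, not Heimdal code. The named location objects are constructed; their shape follows the Microsoft Graph countryNamedLocation resource ("@odata.type", displayName, countriesAndRegions, includeUnknownCountriesAndRegions). Reading "Warning" as "present in the tenant's named location but absent from the Dashboard list" is this example's interpretation of the paragraph above.

```python
# Added example (not Heimdal code): compute per-country sync status and the body that
# would create the "Heimdal | M365 Geoblocking countries list" named location.
NAMED_LOCATION_NAME = "Heimdal | M365 Geoblocking countries list"   # name from the article
COUNTRY_LOCATION_TYPE = "#microsoft.graph.countryNamedLocation"


def normalise(countries):
    """Validate ISO2 codes (two letters) and upper-case them; reject anything else."""
    out = set()
    for c in countries:
        if len(c) != 2 or not c.isalpha():
            raise ValueError(f"not an ISO2 country code: {c!r}")
        out.add(c.upper())
    return out


def named_location_payload(dashboard_countries):
    """Body that would be sent to create/update the country named location."""
    return {
        "@odata.type": COUNTRY_LOCATION_TYPE,
        "displayName": NAMED_LOCATION_NAME,
        "countriesAndRegions": sorted(normalise(dashboard_countries)),
        "includeUnknownCountriesAndRegions": False,
    }


def sync_status(dashboard_countries, tenant_named_locations):
    """Map each relevant ISO2 code to Synced / Not synced / Warning."""
    wanted = normalise(dashboard_countries)
    present = set()
    for loc in tenant_named_locations:
        # Only the country location the Dashboard manages is compared; IP-based
        # named locations and other country lists are ignored here.
        if (loc.get("@odata.type") == COUNTRY_LOCATION_TYPE
                and loc.get("displayName") == NAMED_LOCATION_NAME):
            present |= normalise(loc.get("countriesAndRegions", []))
    status = {}
    for c in wanted | present:
        if c in wanted and c in present:
            status[c] = "Synced"
        elif c in wanted:
            status[c] = "Not synced"   # saved in the Dashboard, not yet written to Entra
        else:
            status[c] = "Warning"      # in the Conditional Access location, not added via the Dashboard
    return status


# Constructed sample: the Dashboard lists AQ and BV; the tenant location already holds AQ and HM.
SAMPLE_DASHBOARD = ["AQ", "bv"]
SAMPLE_TENANT_LOCATIONS = [
    {"@odata.type": COUNTRY_LOCATION_TYPE, "displayName": NAMED_LOCATION_NAME,
     "countriesAndRegions": ["AQ", "HM"], "includeUnknownCountriesAndRegions": False},
    {"@odata.type": "#microsoft.graph.ipNamedLocation", "displayName": "Office egress",
     "isTrusted": True},
]

if __name__ == "__main__":
    print(sync_status(SAMPLE_DASHBOARD, SAMPLE_TENANT_LOCATIONS))
    print(named_location_payload(SAMPLE_DASHBOARD))
```

With the constructed inputs, AQ is Synced, BV is Not synced (saved in the Dashboard but not yet in the tenant) and HM is Warning (in the tenant's location but never added through the Dashboard). Validating the ISO2 codes before building the payload matters because the named location is what the Conditional Access policy enforces; a malformed entry would be rejected by Graph rather than silently ignored.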
Please note that Microsoft Entra Conditional Access Policies (CAP) and Security Defaults cannot be enabled simultaneously on the same tenant. As per Microsoft’s design, enabling Conditional Access Policies automatically requires Security Defaults to be disabled. This is particularly relevant for the User Geo-Blocking functionality, as HEIMDAL uses Conditional Access Policies to enforce country-based login restrictions. For additional information from Microsoft, please refer to: https://learn.microsoft.com/en-us/entra/fundamentals/security-defaults