Break Glass access critical Incident alerting
under review
Elliott Campbell
Have a Critical Incident generated in the event the Emergency Break Glass/Allocated User is accessed, per Microsoft recommendations.
Rich Mozeleski
I understand the usefulness of this, but I can see an issue with generating a critical incident and disabling your break glass identity when you are legitimately trying to access that identity.
To me, this type of alert is a symptom of an Unwanted Access compromise, which we address through that capability. I'd rather devote efforts to shoring up Unwanted Access detections instead of specifically addressing the end result of an Unwanted Access event. Thoughts?
Adam Ruffolo
Rich Mozeleski I don't think disabling the account is the correct step. I think it requires a Critical Incident Alert that can be emailed and requires a call from the SOC to say "your BG account has been logged into, is this expected?"
We should never have to log into it unless it's a break glass emergency, so it should be extremely rare, but because it's the Breakglass Account, it should be monitored and alerted the moment it has been accessed.
Those are my thoughts; others may state things more clearly.
Ryan Sipes
Rich Mozeleski Maybe add an option in Huntress to 'authorize' the login to the privileged account? Like a JIT admin access scenario? At the very least, I think creating an escalation/making a call for the event to provide visibility on it as Adam mentioned is a good middle ground.
Martin Twerski
Rich Mozeleski I think you are misunderstanding this request. We'd like an alert anytime this account is accessed. Not disabled, just a critical alert anytime it's accessed, not just when unwanted access detection thinks it should be alerted on.
We also need to be able to specify what the break glass account is (the UPN).
Oliver Le Prevost
Adam Ruffolo My thoughts exactly. We need to be aware if it is accessed, but no action to be taken by Huntress to auto-remediate/block. An optional nice feature would be to mark the account in Huntress in "Test" mode too, so we can avoid alerts during periods where we are evidencing break glass scenarios etc.
Rich Mozeleski
Martin Twerski: Understood. This makes sense. What are your thoughts about an optional feature to allow JIT access as Ryan Sipes suggested above?
Christian Davis
Rich Mozeleski Just to add to what the others are saying, Microsoft's best practice is to configure alerts for whenever the break glass account is accessed: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access#create-an-alert-rule
JIT would be nice as well, but that's a far bigger ask than a simple alert
Elliott Campbell
Rich Mozeleski, in our organisation, all clients hold a copy of the break glass account details, securely stored in a tamper-proof box or sealed envelope as part of their incident response plans and/or for situations where our business is incapacitated. Access to these details is strictly limited to senior engineers and executives from both businesses.
Because of this structure, a Just-in-Time (JIT) access model wouldn’t be suitable for our scenario, as it would still rely on us authorising access—even in the event of incapacitation.
Our protocol ensures that 2–3 senior management team members (those who receive Critical Incident Alerts) respond within 5–15 minutes of the account being accessed. Their immediate priority is to contact the client and senior techs to determine the reason for access and any necessary actions. If the Break Glass account is used, it’s an all-hands-on-deck situation.
Luke Van Der Weiden
+1 for this, would mean one less security-related thing we have to manage outside of Huntress.
Cameron Granger
Merged in a post:
Emergency Access Account Usage Notifications
Steven Hodson
We have a number of clients who have Microsoft 365/Entra ID Break Glass user accounts, also known as Emergency Access Accounts. These have been configured as per Microsoft Guidance here - https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access. Instead of having to use Azure Log Analytics, we would like to mark these accounts as highly privileged and ensure that any auditable activity, but in particular any login using these accounts, creates an immediate alert/incident/ticket for investigation.
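The detection the thread is asking for, written out as an added example (not Huntress's or Microsoft's code): raise a critical alert for every sign-in record belonging to an operator-designated break glass UPN, with the optional "test mode" suppression window Oliver Le Prevost mentions. The UPNs, tenant name, time window and sign-in events are constructed assumptions shaped like Entra SigninLogs records.

```python
from datetime import datetime, timezone

# Operator-specified break glass UPNs (hypothetical names; the thread asks for
# the account to be designated by UPN). Matched case-insensitively.
BREAK_GLASS_UPNS = {"bg-admin-01@contoso.example", "bg-admin-02@contoso.example"}

# Optional "test mode" windows during which break glass sign-ins are planned
# (e.g. evidencing the procedure for a client) and should not page anyone.
TEST_WINDOWS = [
    (datetime(2024, 6, 1, 9, 0, tzinfo=timezone.utc),
     datetime(2024, 6, 1, 11, 0, tzinfo=timezone.utc)),
]

# Constructed sample events in the shape of Entra SigninLogs records.
SIGNIN_EVENTS = [
    {"TimeGenerated": "2024-06-01T09:30:00Z", "IPAddress": "203.0.113.10",
     "UserPrincipalName": "bg-admin-01@contoso.example", "ResultType": "0"},
    {"TimeGenerated": "2024-06-02T02:15:00Z", "IPAddress": "198.51.100.7",
     "UserPrincipalName": "BG-Admin-01@contoso.example", "ResultType": "0"},
    {"TimeGenerated": "2024-06-02T02:16:00Z", "IPAddress": "198.51.100.7",
     "UserPrincipalName": "bg-admin-02@contoso.example", "ResultType": "50126"},
    {"TimeGenerated": "2024-06-02T08:00:00Z", "IPAddress": "192.0.2.5",
     "UserPrincipalName": "alice@contoso.example", "ResultType": "0"},
]


def evaluate_signins(events, upns=BREAK_GLASS_UPNS, windows=TEST_WINDOWS):
    """Return one critical alert per break glass sign-in outside a test window.

    Every attempt counts, successful or not (ResultType "0" is success in SigninLogs).
    """
    watched = {u.lower() for u in upns}
    alerts = []
    for ev in events:
        upn = ev["UserPrincipalName"].lower()
        if upn not in watched:
            continue
        ts = datetime.fromisoformat(ev["TimeGenerated"].replace("Z", "+00:00"))
        if any(start <= ts <= end for start, end in windows):
            continue  # planned exercise: no page, but the record stays in the logs
        alerts.append({
            "severity": "critical",
            "upn": upn,
            "time": ts.isoformat(),
            "source_ip": ev["IPAddress"],
            "succeeded": ev["ResultType"] == "0",
            "action": "Call the customer: is this break glass sign-in expected?",
        })
    return alerts
```

The account is never disabled; the output is only the alert the SOC uses to make the confirmation call described in the thread.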
Chip Seelig
Shocked this isn't a thing already
Christian Moore
I want this feature so bad
Christian Davis
This would be a fantastic feature to have. BTW, the link in the post is broken. Here's the Microsoft documentation: https://learn.microsoft.com/en-us/entra/identity/role-based-access-control/security-emergency-access
Steven Hodson
This would be an awesome and really useful feature
Brent Shore
This would be a great feature to have.
Stephen Moody
This would be a killer feature for us too.