Tuning False Positive Alerts Triggered by Just-in-Time (JIT) Accounts in Security Monitoring Tools
In security monitoring, Privileged Access Management (PAM) tools like CyberQP that create Just-in-Time (JIT) accounts can trigger alerts commonly used to detect potential misuse of administrative privileges. These alerts are critical for detecting unauthorized activity, but JIT accounts are themselves a crucial defense against unauthorized access. Although JIT accounts can produce false positives, you can tune your monitoring to account for their use. Below are common rules that trigger false-positive alerts and strategies to adjust them for JIT accounts.
1. Common Alerts Triggered by JIT Accounts
- User Added to Domain Admin or Global Admin Groups: This rule detects any user being added to the highly sensitive Domain Admin or Global Admin group, a common privilege escalation technique used by attackers.
- User Added to Other Privileged Groups: Alerts when a user is added to groups with elevated privileges (e.g., Enterprise Admin, Schema Admin).
- Local Admin Account Created: This triggers when a new local admin account is created on a system, potentially indicating lateral movement or a privilege escalation risk.
2. Best Practices for Tuning Alerts
To reduce false positives while maintaining security, tuning alerts for JIT accounts involves focusing on the specific characteristics of those accounts and the rules in place. Depending on your security tool stack, the recommendations below can be configured in your security monitoring tooling, or you can work with your Managed Detection and Response vendor to implement the recommended rule tuning.
2.1. Naming Convention Filtering
By default, CyberQP names JIT accounts using a standard convention. All JIT accounts using the default convention follow the pattern FirstInitialLastName_JIT, so John Smith would receive a JIT account named JSmith_JIT. Please note that, to fit internal processes, technicians can change the name of the JIT accounts they create; to avoid tuning problems, technicians should be trained to stick to a standard naming convention. With this information, security tools can be configured to differentiate between standard privileged accounts and JIT accounts. To achieve this:
- Set Conditions to Ignore the JIT Naming Pattern: Update alert rules to exclude accounts that contain “_JIT” in the name. This prevents alerts from being triggered on every JIT account creation or group membership change, while still keeping these actions logged for auditing purposes.
- Example: If a rule triggers an alert for “User added to Domain Admin,” modify the condition to exclude users whose names contain “_JIT.”
2.2. Leverage Custom Alerts for JIT Activity
Instead of disabling alerts for JIT accounts entirely, create custom alerts specific to JIT activities:
- Monitor for Anomalous Behavior: Focus on unexpected behavior rather than expected JIT operations. For instance, if a JIT account attempts to log in from an unusual location, triggers multiple failed login attempts, or performs actions outside the scope of its intended usage, these should still generate alerts.
- Track Usage Over Time: Monitor for patterns of overuse of JIT accounts. If a specific JIT account is used excessively within a short timeframe, this could indicate potential abuse of the access.
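As an added example (not CyberQP's own code and not part of the original article), the two tunings from sections 2.1 and 2.2 applied to constructed sample events in Python: the privileged-group rule suppresses alerts for names containing “_JIT” while still keeping an audit record, and a custom rule flags a JIT account used more than an assumed threshold of times inside a short window. The event layout, group names, threshold and window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): privileged-group additions and logons.
EVENTS = [
    {"ts": "2024-05-01T09:00:00", "type": "group_add", "user": "JSmith_JIT", "group": "Domain Admins"},
    {"ts": "2024-05-01T09:01:00", "type": "group_add", "user": "svc_backup", "group": "Domain Admins"},
    {"ts": "2024-05-01T09:02:00", "type": "group_add", "user": "MJones_JIT", "group": "Enterprise Admins"},
    {"ts": "2024-05-01T09:03:00", "type": "group_add", "user": "helpdesk1", "group": "Remote Desktop Users"},
    {"ts": "2024-05-01T09:05:00", "type": "logon", "user": "JSmith_JIT", "host": "WS01"},
    {"ts": "2024-05-01T09:06:00", "type": "logon", "user": "JSmith_JIT", "host": "WS02"},
    {"ts": "2024-05-01T09:08:00", "type": "logon", "user": "JSmith_JIT", "host": "WS03"},
    {"ts": "2024-05-01T09:10:00", "type": "logon", "user": "MJones_JIT", "host": "SRV01"},
    {"ts": "2024-05-01T09:40:00", "type": "logon", "user": "MJones_JIT", "host": "SRV01"},
]
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}

def is_jit_account(user: str) -> bool:
    """Default CyberQP convention: the account name contains '_JIT'."""
    return "_JIT" in user

def privileged_group_alerts(events):
    """Tuned 'user added to privileged group' rule: non-JIT additions alert,
    JIT additions go to an audit list so they stay logged without paging."""
    alerts, audit = [], []
    for e in events:
        if e["type"] != "group_add" or e["group"] not in PRIVILEGED_GROUPS:
            continue
        (audit if is_jit_account(e["user"]) else alerts).append(e)
    return alerts, audit

def jit_overuse_alerts(events, max_logons=2, window=timedelta(minutes=10)):
    """Custom JIT rule: flag any JIT account with more than max_logons logons
    inside a sliding window (threshold and window are assumed values)."""
    logons = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and is_jit_account(e["user"]):
            logons[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = []
    for user, times in logons.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window forward
                start += 1
            if end - start + 1 > max_logons:
                flagged.append(user)
                break
    return flagged
```

Run against the sample data, only svc_backup raises the group alert, both JIT additions land in the audit list, and JSmith_JIT is flagged for three logons within ten minutes.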
3. Review and Test Regularly
Tuning alert rules is an ongoing process. It is essential to:
- Regularly Review JIT Access Patterns: Ensure that any new patterns of JIT usage are accounted for in your alerting system.
- Test Alerts with Simulations: Perform regular simulations of JIT account creation and privilege escalation to ensure your tuned alerts are still working as expected without generating excessive false positives.
By tuning alerts for JIT accounts based on naming conventions, correlation with approval workflows, and tailored monitoring for abnormal behaviors, you can significantly reduce false positives without compromising your security posture.