Azure Detections

Name Data Source Technique Type Analytic Story Date
Detect Distributed Password Spray Attempts Azure Active Directory Sign-in activity Password Spraying Brute Force Hunting Active Directory Password Spraying, Compromised User Account 2024-10-17
Azure Active Directory High Risk Sign-in Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Admin Consent Bypassed by Service Principal Azure Active Directory Add app role assignment to service principal Additional Cloud Roles TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Application Administrator Role Assigned Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Authentication Failed During MFA Challenge Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-10-31
Azure AD Block User Consent For Risky Apps Disabled Azure Active Directory Update authorization policy Impair Defenses TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Concurrent Sessions From Different Ips Azure Active Directory Browser Session Hijacking TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Device Code Authentication Azure Active Directory Steal Application Access Token Phishing Spearphishing Link TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD External Guest User Invited Azure Active Directory Invite external user Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure AD FullAccessAsApp Permission Assigned Azure Active Directory Update application Additional Email Delegate Permissions Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Global Administrator Role Assigned Azure Active Directory Add member to role Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD High Number Of Failed Authentications For User Azure Active Directory Brute Force Password Guessing TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD High Number Of Failed Authentications From Ip Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group 2024-09-30
Azure AD Multi-Factor Authentication Disabled Azure Active Directory Disable Strong Authentication Compromise Accounts Cloud Accounts Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multi-Source Failed Authentications Spike Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Hunting Azure Active Directory Account Takeover, NOBELIUM Group 2024-10-17
Azure AD Multiple AppIDs and UserAgents Authentication Spike Azure Active Directory Sign-in activity Valid Accounts Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Denied MFA Requests For User Azure Active Directory Sign-in activity Multi-Factor Authentication Request Generation TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Failed MFA Requests For User Azure Active Directory Sign-in activity Compromise Accounts Cloud Accounts Multi-Factor Authentication Request Generation Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Multiple Service Principals Created by SP Azure Active Directory Add service principal Cloud Account Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Service Principals Created by User Azure Active Directory Add service principal Cloud Account Anomaly Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Multiple Users Failing To Authenticate From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD New Custom Domain Added Azure Active Directory Add unverified domain Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New Federated Domain Added Azure Active Directory Set domain authentication Domain or Tenant Policy Modification Trust Modification TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered Azure Active Directory Update user Account Manipulation Device Registration TTP Azure Active Directory Persistence 2024-09-30
Azure AD New MFA Method Registered For User Azure Active Directory User registered security info Modify Authentication Process Multi-Factor Authentication TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD OAuth Application Consent Granted By User Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD PIM Role Assigned Azure Active Directory Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD PIM Role Assignment Activated Azure Active Directory Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Authentication Administrator Role Assigned Azure Active Directory Add member to role Security Account Manager TTP Azure Active Directory Privilege Escalation 2024-09-30
Azure AD Privileged Graph API Permission Assigned Azure Active Directory Update application Security Account Manager TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Privileged Role Assigned to Service Principal Azure Active Directory Add member to role Account Manipulation Additional Cloud Roles TTP Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Authentication Azure Active Directory Sign-in activity Cloud Accounts TTP Azure Active Directory Account Takeover, NOBELIUM Group 2024-09-30
Azure AD Service Principal Created Azure Active Directory Add service principal Cloud Account TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Service Principal New Client Credentials Azure Active Directory Account Manipulation Additional Cloud Credentials TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Service Principal Owner Added Azure Active Directory Add owner to application Account Manipulation TTP Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group 2024-09-30
Azure AD Successful Authentication From Different Ips Azure Active Directory Brute Force Password Guessing Password Spraying TTP Azure Active Directory Account Takeover, Compromised User Account 2024-09-30
Azure AD Successful Single-Factor Authentication Azure Active Directory Compromise Accounts Cloud Accounts Valid Accounts Cloud Accounts TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD Tenant Wide Admin Consent Granted Azure Active Directory Consent to application Account Manipulation Additional Cloud Roles TTP Azure Active Directory Persistence, NOBELIUM Group 2024-09-30
Azure AD Unusual Number of Failed Authentications From Ip Azure Active Directory Compromise Accounts Cloud Accounts Brute Force Password Spraying Credential Stuffing Anomaly Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Blocked for Risky Application Azure Active Directory Consent to application Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Consent Denied for OAuth Application Azure Active Directory Sign-in activity Steal Application Access Token TTP Azure Active Directory Account Takeover 2024-09-30
Azure AD User Enabled And Password Reset Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user Account Manipulation TTP Azure Active Directory Persistence 2024-09-30
Azure AD User ImmutableId Attribute Updated Azure Active Directory Update user Account Manipulation TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Account Created Azure Audit Create or Update an Azure Automation account Create Account Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure Automation Runbook Created Azure Audit Create or Update an Azure Automation Runbook Create Account Cloud Account TTP Azure Active Directory Persistence 2024-09-30
Azure Runbook Webhook Created Azure Audit Create or Update an Azure Automation webhook Valid Accounts Cloud Accounts TTP Azure Active Directory Persistence 2024-09-30