Azure Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | T1110.003 | Hunting | Compromised User Account, Active Directory Password Spraying | 2026-05-13 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Denied MFA Requests For User | Azure Active Directory Sign-in activity | T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | T1484.002 | TTP | Hellcat Ransomware, Azure Active Directory Persistence, Storm-0501 Ransomware, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD AzureHound UserAgent Detected | Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs | T1087.004, T1526 | TTP | Compromised User Account, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD External Guest User Invited | Azure Active Directory Invite external user | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD OAuth Application Consent Granted By User | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Privileged Authentication Administrator Role Assigned | Azure Active Directory Add member to role | T1003.002 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | T1078.004 | TTP | NOBELIUM Group, Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD High Number Of Failed Authentications From Ip | Azure Active Directory | T1110.001, T1110.003 | TTP | NOBELIUM Group, Azure Active Directory Account Takeover, Compromised User Account | 2026-05-13 |
| Azure AD Concurrent Sessions From Different Ips | Azure Active Directory | T1185 | TTP | Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD PIM Role Assigned | Azure Active Directory | T1098.003 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | T1098.003 | TTP | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Device Code Authentication | Azure Active Directory | T1528, T1566.002 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Service Principals Created by User | Azure Active Directory Add service principal | T1136.003 | Anomaly | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD User Consent Denied for OAuth Application | Azure Active Directory Sign-in activity | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Privilege Escalation | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | Azure Active Directory Privilege Escalation | 2026-05-13 |
| Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Created | Azure Active Directory Add service principal | T1136.003 | TTP | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Block User Consent For Risky Apps Disabled | Azure Active Directory Update authorization policy | T1685 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | T1098 | TTP | NOBELIUM Group, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | T1078.004 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | T1098.003 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | T1078 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Service Principals Created by SP | Azure Active Directory Add service principal | T1136.003 | Anomaly | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | T1484.002 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure Automation Account Created | Azure Audit Create or Update an Azure Automation account | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | T1098.002, T1098.003 | TTP | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Service Principal Enumeration | Azure Active Directory MicrosoftGraphActivityLogs | T1087.004, T1526 | TTP | Compromised User Account, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | T1556.006, T1586.003 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | T1098.001 | TTP | NOBELIUM Group, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | NOBELIUM Group, Azure Active Directory Persistence, Storm-0501 Ransomware, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Privileged Graph API Permission Assigned | Azure Active Directory Update application | T1003.002 | TTP | NOBELIUM Group, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | T1098.005 | TTP | Azure Active Directory Persistence, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | T1556.006 | TTP | Azure Active Directory Account Takeover, Compromised User Account, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | T1098.003 | TTP | NOBELIUM Group, Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Hunting | NOBELIUM Group, Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | T1098 | TTP | Hellcat Ransomware, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD User Consent Blocked for Risky Application | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | NOBELIUM Group, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1021.007, T1072, T1484, T1685, T1686 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Reset password (by admin), Azure Active Directory Update user, Azure Active Directory Enable account | T1098 | TTP | Azure Active Directory Persistence, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Successful Authentication From Different Ips | Azure Active Directory | T1110.001, T1110.003 | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2026-05-13 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | T1110.003, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD High Number Of Failed Authentications For User | Azure Active Directory | T1110.001 | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2026-05-13 |