Data Source: Azure Active Directory
Description
All Azure Active Directory events
Details
| Property | Value |
| --- | --- |
| Source | Azure AD |
| Sourcetype | azure:monitor:aad |
| Separator | operationName |
| Name | Technique | Type |
| --- | --- | --- |
| Azure Active Directory High Risk Sign-in | Password Spraying, Cloud Accounts | TTP |
| Azure AD Authentication Failed During MFA Challenge | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP |
| Azure AD Concurrent Sessions From Different Ips | Browser Session Hijacking | TTP |
| Azure AD Device Code Authentication | Steal Application Access Token, Spearphishing Link | TTP |
| Azure AD High Number Of Failed Authentications For User | Password Guessing | TTP |
| Azure AD High Number Of Failed Authentications From Ip | Password Guessing, Password Spraying | TTP |
| Azure AD Multi-Source Failed Authentications Spike | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting |
| Azure AD Multiple Users Failing To Authenticate From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly |
| Azure AD PIM Role Assigned | Additional Cloud Roles | TTP |
| Azure AD PIM Role Assignment Activated | Additional Cloud Roles | TTP |
| Azure AD Service Principal New Client Credentials | Additional Cloud Credentials | TTP |
| Azure AD Successful Authentication From Different Ips | Password Guessing, Password Spraying | TTP |
| Azure AD Successful PowerShell Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Azure AD Successful Single-Factor Authentication | Cloud Accounts, Cloud Accounts | TTP |
| Azure AD Unusual Number of Failed Authentications From Ip | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly |
Supported Apps
Required Output Fields
- dest
- user
- src
- vendor_account
- vendor_product
Source: GitHub | Version: 1