Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Detect when authentications to important application(s) only required single-factor authentication

Detects guest users being invited to tenant by non-approved inviters

Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Detects when an account is disabled or blocked for sign in but tried to log in

Detect when users are authenticating without MFA being required.

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Detect failed authentications from countries you do not operate out of.

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Detect when a user has reset their password in Azure AD

Detects when PIM alerts are set to disabled.

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Detect successful authentications from countries you do not operate out of.

Alert on when legecy authentication has been used on an account

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

User Added to an Administrator's Azure AD Role

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Detects when an app is assigned Azure AD roles, such as global adminsitrator, or Azure RBAC roles, such as subscription owner.

Detects when a configuration change is made to an applications AppID URI.

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Monitor and alert for Bitlocker key retrieval.

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Detects when changes are made to PIM roles

Detects when highly privileged delegated permissions are granted on behalf of all users

Monitor and alert for device registration or join events where MFA was not performed.

Detects when an end user consents to an application

Detects when end user consent is blocked due to risk-based consent.

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Monitor and alert for sign-ins where the device was non-compliant.

Monitor and alert on group membership additions of groups that have CA policy modification access

Detects when a user is added to a privileged role.

Monitor and alert on group membership removal of groups that have CA policy modification access

Monitor and alert for users added to device admin roles.

Detection for when multi factor authentication has been disabled, which might indicate a malicious activity to bypass authentication mechanisms.

Identifies when Rule Collections (Application, NAT, and Network) is being modified or deleted.

Identifies when a Azure Kubernetes CronJob runs in Azure Cloud. Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them successfully terminate. Kubernetes Job can be used to run containers that perform finite tasks for batch jobs. Kubernetes CronJob is used to schedule Jobs. An Adversary may use Kubernetes CronJob for scheduling execution of malicious code that would run as a container in the cluster.

Identifies when a service account is modified or deleted.

Identifies when a Firewall Policy is Modified or Deleted.

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Identifies IPs from which users grant access to other users on azure resources and alerts when a previously unseen source IP address is used.

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Detect failed attempts to sign in to disabled accounts.