audit_logs

App Assigned To Azure RBAC/Microsoft Entra Role

Nov 20, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·

Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

User Risk and MFA Registration Policy Updated

Aug 21, 2024 · attack.persistence ·

Share on:

Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.

Multi Factor Authentication Disabled For User Account

Aug 21, 2024 · attack.credential-access attack.persistence ·

Share on:

Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.

Account Created And Deleted Within A Close Time Frame

Aug 12, 2024 · attack.defense-evasion attack.t1078 ·

Share on:

Detects when an account was created and deleted in a short period of time.

Added Credentials to Existing Application

Aug 12, 2024 · attack.t1098.001 attack.persistence ·

Share on:

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Added Owner To Application

Aug 12, 2024 · attack.t1552 attack.credential-access ·

Share on:

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

App Granted Microsoft Permissions

Aug 12, 2024 · attack.credential-access attack.t1528 ·

Share on:

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

App Granted Privileged Delegated Or App Permissions

Aug 12, 2024 · attack.persistence attack.privilege-escalation attack.t1098.003 ·

Share on:

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Application AppID Uri Configuration Changes

Aug 12, 2024 · attack.persistence attack.credential-access attack.privilege-escalation attack.t1552 attack.t1078.004 ·

Share on:

Detects when a configuration change is made to an applications AppID URI.

Application URI Configuration Changes

Aug 12, 2024 · attack.t1528 attack.t1078.004 attack.persistence attack.credential-access attack.privilege-escalation ·

Share on:

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Azure Domain Federation Settings Modified

Aug 12, 2024 · attack.initial-access attack.t1078 ·

Share on:

Identifies when an user or application modified the federation settings on the domain.

Azure Subscription Permission Elevation Via AuditLogs

Aug 12, 2024 · attack.initial-access attack.t1078 ·

Share on:

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Bitlocker Key Retrieval

Aug 12, 2024 · attack.defense-evasion attack.t1078.004 ·

Share on:

Monitor and alert for Bitlocker key retrieval.

Bulk Deletion Changes To Privileged Account Permissions

Aug 12, 2024 · attack.persistence attack.t1098 ·

Share on:

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

CA Policy Removed by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

CA Policy Updated by Non Approved Actor

Aug 12, 2024 · attack.defense-evasion attack.persistence attack.t1548 attack.t1556 ·

Share on:

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.