Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.

Read More

Detects when an account was created and deleted in a short period of time.

Read More

Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.

Read More

Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.

Read More

Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD

Read More

Detects when a configuration change is made to an applications AppID URI.

Read More

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Monitor and alert for Bitlocker key retrieval.

Read More

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Read More

Monitor and alert on conditional access changes where non approved actor removed CA Policy.

Read More

Monitor and alert on conditional access changes. Is Initiated by (actor) approved to make changes? Review Modified Properties and compare "old" vs "new" value.

Read More

Monitor and alert for changes to the device registration policy.

Read More

Detects when changes are made to PIM roles

Read More

Detects when highly privileged delegated permissions are granted on behalf of all users

Read More

Detects when an end user consents to an application

Read More

Detects when end user consent is blocked due to risk-based consent.

Read More

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

Monitor and alert on conditional access changes.

Read More

Detect when a user has reset their password in Azure AD

Read More

Detects when PIM alerts are set to disabled.

Read More

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Read More

Detects when a new admin is created.

Read More

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Read More

Monitor and alert on group membership additions of groups that have CA policy modification access

Read More

Detects when a user is added to a privileged role.

Read More

Monitor and alert on group membership removal of groups that have CA policy modification access

Read More

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Read More

Monitor and alert for users added to device admin roles.

Read More

Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.

Read More