Detects successful authentication from potential clients using legacy authentication via user agent strings. This could be a sign of MFA bypass using a password spray attack.

A self-hosted runner is a system that you deploy and manage to execute jobs from GitHub Actions on GitHub.com. This rule detects changes to self-hosted runners configurations in the environment. The self-hosted runner configuration changes once detected, it should be validated from GitHub UI because the log entry may not provide full context.

Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated

Detects when a user creates action secret for the organization, environment, codespaces or repository.

Detects when an account is disabled or blocked for sign in but tried to log in

Detect when users are authenticating without MFA being required.

Detect failed authentications from countries you do not operate out of.

User has indicated they haven't instigated the MFA prompt and could indicate an attacker has the password for the account.

Identifies user login with multifactor authentication failures, which might be an indication an attacker has the password for the account but can't pass the MFA challenge.

Detect when a user has reset their password in Azure AD

Define a baseline threshold for failed sign-ins due to Conditional Access failures

Detect successful authentications from countries you do not operate out of.

Alert on when legecy authentication has been used on an account

Detect access has been blocked by Conditional Access policies. The access policy does not allow token issuance which might be sights≈ of unauthorizeed login to valid accounts.

Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.

Detect when users in your Azure AD tenant are authenticating to other Azure AD Tenants.

Detects when a configuration change is made to an applications AppID URI.

Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.

Monitor and alert for Bitlocker key retrieval.

Detects when changes are made to PIM roles

Monitor and alert for device registration or join events where MFA was not performed.

Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.

Monitor and alert for Sign-ins by unknown devices from non-Trusted locations.

Monitor and alert for sign-ins where the device was non-compliant.

Detects when a user is added to a privileged role.

Monitor and alert for users added to device admin roles.

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Detect failed attempts to sign in to disabled accounts.

Detects when a new admin is created.

Detects AWS root account usage