Identifies when an organization doesn't have the proper license for PIM and is out of compliance.

Read More

Identifies when the same privilege role has multiple activations by the same user.

Read More

Identifies when a privilege role can be activated without performing mfa.

Read More

Identifies when a user has been assigned a privilege role and are not using that role.

Read More

Identifies when a privilege role assignment has taken place outside of PIM and may indicate an attack.

Read More

Identifies when an account hasn't signed in during the past n number of days.

Read More

Identifies an event where there are there are too many accounts assigned the Global Administrator role.

Read More

Indicates user activity that is unusual for the user or consistent with known attack patterns.

Read More

Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.

Read More

Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.

Read More

Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.

Read More

Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.

Read More

Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser

Read More

Detects sign-in with properties that are unfamiliar to the user. The detection considers past sign-in history to look for anomalous sign-ins.

Read More

Detects creation of a local user account using the net command with 'Admin' in the name - this technique is used by Vice Society ransomware gang to create bogus user accounts that attempt to blend in with an administrative user account naming convention.

Read More

Detects a when net.exe is called with a password in the command line

Read More

Detects attempts to enable the root account via "dsenableroot"

Read More

The Reset-ComputerMachinePassword cmdlet changes the computer account password that the computers use to authenticate to the domain controllers in the domain. You can use it to reset the password of the local computer.

Read More

Detects successful logon from public IP address via RDP. This can indicate a publicly-exposed RDP port.

Read More

Detects successful logon from public IP address via SMB. This can indicate a publicly-exposed SMB port.

Read More

A login from a public IP can indicate a misconfigured firewall or network boundary.

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Detects suspicious failed logins with different user accounts from a single source system

Read More

Detect when authentications to important application(s) only required single-factor authentication

Read More

Detects guest users being invited to tenant by non-approved inviters

Read More

This rule triggers on user accounts that are added to the local Administrators group, which could be legitimate activity or a sign of privilege escalation activity

Read More

Detects attempts to enable the guest account using the sysadminctl utility

Read More

This method uses uncommon error codes on failed logons to determine suspicious activity and tampering with accounts that have been disabled or somehow restricted.

Read More

Detects when PIM alerts are set to disabled.

Read More

User Added to an Administrator's Azure AD Role

Read More

Detects successful logon from public IP address via RDP, SMB, etc. This can indicate a publicly-exposed RDP or SMB port.

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing

Read More

Detects BGP failures which may be indicative of brute force attacks to manipulate routing.

Read More

Detects juniper BGP missing MD5 digest. Which may be indicative of brute force attacks to manipulate routing.

Read More

Detects LDP failures which may be indicative of brute force attacks to manipulate MPLS labels

Read More

Detects risky authencaition from a non AD registered device without MFA being required.

Read More

Identifies when an user or application modified the federation settings on the domain.

Read More

Detects suspicious computer name samtheadmin-{1..100}$ generated by hacktool

Read More

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

Read More

Identifies when suspicious SAML activity has occurred in AWS. An adversary could gain backdoor access via SAML.

Read More

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects when there is a interruption in the authentication process.

Read More

Identifies when an admission controller is executed in GCP Kubernetes. A Kubernetes Admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. The behavior of this admission controller is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use such webhooks as the MutatingAdmissionWebhook for obtaining persistence in the cluster. For example, attackers can intercept and modify the pod creation operations in the cluster and add their malicious container to every created pod. An adversary can use the webhook ValidatingAdmissionWebhook, which could be used to obtain access credentials. An adversary could use the webhook to intercept the requests to the API server, record secrets, and other sensitive information.

Read More

Detects when an account was created and deleted in a short period of time.

Read More

Device code flow is an OAuth 2.0 protocol flow specifically for input constrained devices and is not used in all environments. If this type of flow is seen in the environment and not being used in an input constrained device scenario, further investigation is warranted. This can be a misconfigured application or potentially something malicious.

Read More

Resource owner password credentials (ROPC) should be avoided if at all possible as this requires the user to expose their current password credentials to the application directly. The application then uses those credentials to authenticate the user against the identity provider.

Read More

Detects when sign-ins increased by 10% or greater.

Read More

Detects when successful sign-ins increased by 10% or greater.

Read More

Detects when a Microsoft Cloud App Security reported a risky sign-in attempt due to a login associated with an impossible travel.

Read More

Detects suspicious processes logging on with explicit credentials

Read More

Detects when a Microsoft Cloud App Security reported when a user signs into your sanctioned apps from a risky IP address.

Read More