Identifies when the Azure role-based access control (Azure RBAC) permissions are modified for an Azure Blob. An
adversary may modify the permissions on a blob to weaken their target's security controls, or an administrator may
inadvertently modify the permissions, which could lead to data exposure or loss.

Identifies potential full network packet capture in Azure. Packet Capture is an Azure Network Watcher feature that can
be used to inspect network traffic. This feature can potentially be abused to read sensitive data from unencrypted

Identifies high-risk Azure Active Directory (AD) sign-ins by leveraging Microsoft's Identity Protection machine learning
and heuristics. Identity Protection categorizes risk into three tiers: low, medium, and high. While Microsoft does not
provide specific details about how risk is calculated, each level brings higher confidence that the user or sign-in is

Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows
for managing settings from the command line, which is intended for users who are members of an admin role.

In Azure Active Directory (Azure AD), permissions to manage resources are assigned using roles. The Global Administrator
is a role that enables users to have access to all administrative features in Azure AD and services that use Azure AD
identities, like the Microsoft 365 Defender portal, the Microsoft 365 compliance center, Exchange, SharePoint Online, and
Skype for Business Online. Attackers can add users as Global Administrators to maintain access and manage all
subscriptions and their settings and resources.

Identifies the creation of suppression rules in Azure. Suppression rules are a mechanism used to suppress alerts
previously identified as false positives or too noisy to be in production. This mechanism can be abused or mistakenly
configured, resulting in defense evasion and loss of security visibility.

Identifies when a new credential is added to an application in Azure. An application may use a certificate or secret
string to prove its identity when requesting a token. Multiple certificates and secrets can be added for an application,
and an adversary may abuse this by creating an additional authentication method to evade defenses or persist in an

Identifies when an Azure Automation account is created. Azure Automation accounts can be used to automate management
tasks and orchestrate actions across systems. An adversary may create an Automation account in order to maintain
persistence in their target's environment.

Identifies when an Azure Automation runbook is created or modified. An adversary may create or modify an Azure
Automation runbook to execute malicious code and maintain persistence in their target's environment.

Identifies when an Azure Automation runbook is deleted. An adversary may delete an Azure Automation runbook in order to
disrupt their target's automated business operations or to remove a malicious runbook for defense evasion.

Identifies when an Azure Automation webhook is created. Azure Automation runbooks can be configured to execute via a
webhook. A webhook uses a custom URL passed to Azure Automation along with a data payload specific to the runbook. An
adversary may create a webhook in order to trigger a runbook that contains malicious code.

Identifies changes to container access levels in Azure. Anonymous public read access to containers and blobs in Azure is
a way to share data broadly, but it can present a security risk if access to sensitive data is not managed judiciously.

Identifies command execution on a virtual machine (VM) in Azure. A Virtual Machine Contributor role lets you manage
virtual machines, but not access them, nor access the virtual network or storage account they're connected to. However,
commands can be run via PowerShell on the VM, which execute as System. Other roles, such as certain Administrator roles,
may be able to execute commands on a VM as well.

Identifies when an Azure Conditional Access policy is modified. Azure Conditional Access policies control access to
resources via if-then statements. For example, if a user wants to access a resource, then they must complete an action
such as using multi-factor authentication to access it. An adversary may modify a Conditional Access policy in order to
weaken their target's security controls.

Identifies when an Event Hub Authorization Rule is created or updated in Azure. An authorization rule is associated with
specific rights and carries a pair of cryptographic keys. When you create an Event Hubs namespace, a policy rule named
RootManageSharedAccessKey is created for the namespace. This rule has manage permissions for the entire namespace, and it's
recommended that you treat it like an administrative root account and don't use it in your application.

Identifies an Event Hub deletion in Azure. An Event Hub is an event processing service that ingests and processes large
volumes of events and data. An adversary may delete an Event Hub in an attempt to evade detection.

Identifies an invitation to an external user in Azure Active Directory (AD). Azure AD is extended to include
collaboration, allowing you to invite people from outside your organization to be guest users in your cloud account.
Unless there is a business need to provision guest access, it is best practice to avoid creating guest users. Guest users
could potentially be overlooked indefinitely, leading to a potential vulnerability.

Identifies the deletion of a Frontdoor Web Application Firewall (WAF) Policy in Azure. An adversary may delete a
Frontdoor Web Application Firewall (WAF) Policy in an attempt to evade defenses and/or to eliminate barriers to their

Identifies an Azure Active Directory (AD) Global Administrator role addition to a Privileged Identity Management (PIM)
user account. PIM is a service that enables you to manage, control, and monitor access to important resources in an
organization. Users who are assigned to the Global Administrator role can read and modify any administrative setting in
your Azure AD organization.

Identifies modifications to a Key Vault in Azure. The Key Vault is a service that safeguards encryption keys and secrets
like certificates, connection strings, and passwords. Because this data is sensitive and business critical, access to
key vaults should be secured to allow only authorized applications and users.

Identifies when events are deleted in Azure Kubernetes. Kubernetes events are objects that log any state changes.
Example events are a container creation, an image pull, or a pod scheduling on a node. An adversary may delete events in
Azure Kubernetes in an attempt to evade detection.

Identifies the creation of role bindings or cluster role bindings. You can assign these roles to Kubernetes subjects
(users, groups, or service accounts) with role bindings and cluster role bindings. An adversary who has permissions to
create bindings and cluster-bindings in the cluster can create a binding to the cluster-admin ClusterRole or to other
high-privilege roles.

Identifies the deletion of a Network Watcher in Azure. Network Watchers are used to monitor, diagnose, view metrics, and
enable or disable logs for resources in an Azure virtual network. An adversary may delete a Network Watcher in an
attempt to evade defenses.

Azure Active Directory (AD) Privileged Identity Management (PIM) is a service that enables you to manage, control, and
monitor access to important resources in an organization. PIM can be used to manage the built-in Azure resource roles
such as Global Administrator and Application Administrator. An adversary may add a user to a PIM role in order to
maintain persistence in their target's environment or modify a PIM role to weaken their target's security controls.

Identifies the deletion of a resource group in Azure, which includes all resources within the group. Deletion is
permanent and irreversible. An adversary may delete a resource group in an attempt to evade defenses or intentionally

Identifies when a new service principal is added in Azure. An application, hosted service, or automated tool that
accesses or modifies resources needs an identity created. This identity is known as a service principal. For security
reasons, it's always recommended to use service principals with automated tools rather than allowing them to log in with
a user identity.

Identifies when new Service Principal credentials have been added in Azure. In most organizations, credentials will be
added to service principals infrequently. Hijacking an application (by adding a rogue secret or certificate) with
granted permissions will allow the attacker to access data that is normally protected by MFA requirements.

Identifies a rotation of storage account access keys in Azure. Regenerating access keys can affect any applications or
Azure services that are dependent on the storage account key. Adversaries may regenerate a key as a means of acquiring
credentials to access systems and resources.

Identifies when multi-factor authentication (MFA) is disabled for an Azure user account. An adversary may disable MFA
for a user account in order to weaken the authentication requirements for the account.

Detects when a user grants permissions to an Azure-registered application or when an administrator grants tenant-wide
permissions to an application. An adversary may create an Azure-registered application that requests access to data such
as contact information, email, or documents.

Identifies when a user is added as an owner for an Azure application. An adversary may add a user account as an owner
for an Azure application in order to grant additional permissions and modify the application's configuration using

Identifies when a user is added as an owner for an Azure service principal. The service principal object defines what
the application can do in the specific tenant, who can access the application, and what resources the app can access. A
service principal object is created when an application is given permission to access resources in a tenant. An
adversary may add a user account as an owner for a service principal and use that account in order to define what an
application can do in the Azure AD tenant.