LoFP / azure

Each entry below is a false-positive description (Title) taken from an azure detection rule, followed by its tags (ATT&CK technique IDs, platforms, rule source).

a legitimate forwarding rule.
    tags: t1140, azure, sigma
a legitimate new admin account being created
    tags: t1078, t1078.004, azure, sigma
a new cloudshell may be created by a system administrator.
    tags: t1059, azure, sigma
a non-malicious user is unaware of the proper process
    tags: t1078, t1078.004, azure, sigma
a rare hash collision.
    tags: t1589, azure, sigma
a service principal may be created by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. service principal additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1550, azure, elastic
access level modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. access level modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1190, t1526, azure, elastic
account disabled or blocked in error
    tags: t1078, t1078.004, azure, sigma
actual admin using pim.
    tags: t1078, t1078.004, azure, sigma
actual mailbox rules that are moving items based on their workflow.
    tags: t1140, azure, sigma
administrator adding a legitimate temporary access pass
    tags: t1078, t1078.004, azure, sigma
administrator disabling pim alerts as an active choice.
    tags: t1078, azure, sigma
administrator may have forgotten to review the device.
    tags: azure, sigma
application being deleted may be performed by a system administrator.
    tags: t1489, azure, sigma
application credential added from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
application credential added may be performed by a system administrator.
    tags: azure, sigma
application credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. application credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1550, azure, elastic
application deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1489, azure, sigma
application gateway being modified or deleted may be performed by a system administrator.
    tags: azure, sigma
application gateway modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
application security group being modified or deleted may be performed by a system administrator.
    tags: azure, sigma
application security group modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
applications that are being used as part of automated testing, or a legacy application that cannot use any other modern authentication flow
    tags: t1078, azure, sigma
applications that are input constrained will need to use device code flow and are valid authentications.
    tags: t1078, azure, sigma
approved activity performed by an administrator.
    tags: t1098, t1098.005, azure, sigma
authorization rule additions or modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. authorization rule additions or modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1530, t1537, azure, elastic
authorized modification by administrators
    tags: t1556, azure, sigma
automation account has been blocked or disabled
    tags: t1078, t1078.004, azure, sigma
azure front web application firewall (waf) policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. azure front web application firewall (waf) policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
azure kubernetes admission controller changes may be made by a system administrator.
    tags: t1078, t1552, t1552.007, azure, sigma
azure kubernetes cronjob/job changes may be made by a system administrator.
    tags: t1053, t1053.003, azure, sigma
based on the high-frequency threshold, it would be unlikely for a legitimate user to exceed the threshold for failed totp code attempts in a short time-span.
    tags: t1110, azure, elastic
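The threshold reasoning in the entry above, as an added example that is not Elastic's rule code: a per-user sliding-window count of failed strong-authentication sign-ins over constructed Entra ID sign-in records. The field names (userPrincipalName, createdDateTime, status.errorCode) and the use of error code 500121 as the failed-MFA marker are assumptions about the sign-in log export; the user names, timestamps, threshold and window are invented for illustration.

```python
"""Sliding-window threshold for failed TOTP/MFA attempts (added example, not Elastic's rule)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed: AADSTS500121 ("authentication failed during strong authentication request")
# marks a failed MFA step in the sign-in log export.
MFA_FAILED = 500121


def _rec(ts, user, code):
    """Build one constructed sign-in record in the shape of an Entra sign-in log entry."""
    return {
        "userPrincipalName": user,
        "createdDateTime": ts,
        "status": {"errorCode": code},
        "mfaDetail": {"authMethod": "OATH verification code"},
    }


# Constructed sample data: alice burns through 12 bad codes in 90 seconds (brute force),
# bob mistypes 3 codes spread across the day and finally signs in (legitimate noise).
SAMPLE_SIGNINS = (
    [_rec(f"2024-05-01T08:00:{s:02d}Z", "alice@example.test", MFA_FAILED) for s in range(0, 60, 10)]
    + [_rec(f"2024-05-01T08:01:{s:02d}Z", "alice@example.test", MFA_FAILED) for s in range(0, 60, 10)]
    + [
        _rec("2024-05-01T09:15:00Z", "bob@example.test", MFA_FAILED),
        _rec("2024-05-01T13:42:00Z", "bob@example.test", MFA_FAILED),
        _rec("2024-05-01T17:03:00Z", "bob@example.test", MFA_FAILED),
        _rec("2024-05-01T17:03:30Z", "bob@example.test", 0),  # successful sign-in
    ]
)


def parse_ts(ts):
    """Parse the ISO-8601 'Z' timestamps used by the sign-in log into aware datetimes."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect_totp_bruteforce(records, threshold=10, window=timedelta(minutes=5)):
    """Return one alert per user whose failed-MFA count reaches `threshold` inside
    any span no longer than `window`. Events are sorted by time; each user's deque
    keeps only timestamps still inside the window, so memory is bounded by the
    threshold, not by the size of the log. The alert fires at the first crossing
    and is not repeated for the same user while the burst continues."""
    events = sorted(
        (parse_ts(r["createdDateTime"]), r["userPrincipalName"])
        for r in records
        if r["status"]["errorCode"] == MFA_FAILED
    )
    recent = defaultdict(deque)
    alerts = {}
    for ts, user in events:
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window:  # evict attempts that fell out of the window
            q.popleft()
        if len(q) >= threshold and user not in alerts:
            alerts[user] = {
                "user": user,
                "window_start": q[0].isoformat(),
                "window_end": ts.isoformat(),
                "failures": len(q),
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_totp_bruteforce(SAMPLE_SIGNINS):
        print(alert)
```

The counting is keyed on the user, not the source IP, because the false-positive note is about what a single legitimate user is unlikely to do; a widening of the window (the second call in the usage) turns bob's three spaced-out typos into an alert, which is the tuning trade-off the threshold encodes.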
blob permissions may be modified by system administrators. verify that the configuration change was expected. exceptions can be added to this rule to filter expected behavior.
    tags: t1222, azure, elastic
clusterroles/roles being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
clusterroles/roles modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
command execution on a virtual machine may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. command execution from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1059, azure, elastic
connecting to a vpn, performing activity, then dropping the vpn and performing additional activity.
    tags: t1078, azure, sigma
container registry being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
container registry created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
deletion of a resource group may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. resource group deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1485, t1562, azure, elastic
deletion of diagnostic settings may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. diagnostic settings deletion from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
device or device configuration being modified or deleted may be performed by a system administrator.
    tags: t1485, t1565, t1565.001, azure, sigma
device or device configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1485, t1565, t1565.001, azure, sigma
dns zone modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1565, t1565.001, azure, sigma
dns zone modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: t1565, t1565.001, azure, sigma
event deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, t1562.001, azure, sigma
event hub deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. event hub deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
events deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. events deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
federation settings being modified or deleted may be performed by a system administrator.
    tags: t1078, azure, sigma
federation settings modified from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1078, azure, sigma
firewall being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: t1562, t1562.004, azure, sigma
firewall modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, t1562.004, azure, sigma
firewall policy being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: t1562, t1562.007, azure, sigma
firewall policy deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. firewall policy deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
firewall policy modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, t1562.007, azure, sigma
firewall rule configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
firewall rule configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
full network packet capture may be done by a system or network administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. full network packet capture from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1040, azure, elastic
global administrator additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. global administrator additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1098, azure, elastic
guest user invitations may be sent out by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. guest user invitations from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1078, azure, elastic
if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1053, t1053.003, t1074, t1078, t1552, t1552.007, gcp, aws, azure, sigma
if this was approved by system administrator or confirmed user action.
    tags: t1078, t1078.004, azure, sigma
if this was approved by system administrator.
    tags: t1078, t1078.004, t1110, t1556, t1556.006, azure, sigma
increase of users in the environment
    tags: t1078, azure, sigma
investigate if licenses have expired.
    tags: t1078, azure, sigma
investigate whether this is a generic account that cannot be removed.
    tags: t1078, azure, sigma
investigate if threshold setting in pim is too low.
    tags: t1078, azure, sigma
investigate if user is performing mfa at sign-in.
    tags: t1078, azure, sigma
investigate whether the active time period for a role is set too short.
    tags: t1078, azure, sigma
investigate where users are being assigned privileged roles outside of privileged identity management and prohibit future assignments from there.
    tags: t1078, azure, sigma
it's recommended that you rotate your access keys periodically to help keep your storage account secure. normal key rotation can be exempted from the rule. an abnormal time frame and/or a key rotation from unfamiliar users, hosts, or locations should be investigated.
    tags: t1528, azure, elastic
key being modified or deleted may be performed by a system administrator.
    tags: t1552, t1552.001, azure, sigma
key modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1552, t1552.001, azure, sigma
key vault being modified or deleted may be performed by a system administrator.
    tags: t1552, t1552.001, azure, sigma
key vault modifications may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. key vault modifications from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1552, azure, elastic
key vault modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1552, t1552.001, azure, sigma
known legacy accounts
    tags: t1078, t1078.004, t1110, azure, sigma
known updates by administrators.
    tags: azure, sigma
kubernetes cluster being created or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
kubernetes cluster created or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
legit administrative action
    tags: t1078, azure, sigma
legit administrative pim setting configuration changes
    tags: t1078, t1078.004, azure, sigma
legitimate aad health ad fs service instances being deleted in a tenant
    tags: t1578, t1578.003, azure, sigma
legitimate ad fs servers added to an aad health ad fs service instance
    tags: t1578, azure, sigma
legitimate authorized activity.
    tags: azure, sigma
legitimate administrator actions of adding members to a role
    tags: t1078, t1078.004, azure, sigma
legitimate administrator actions of removing members from a role
    tags: t1098, azure, sigma
misconfigured role permissions
    tags: t1548, t1556, azure, sigma
misconfigured systems
    tags: t1078, t1078.004, t1110, azure, sigma
network policy being modified and deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
network policy being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
network security configuration being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
network security configuration modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
network watcher deletions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. network watcher deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
owner being removed may be performed by a system administrator.
    tags: azure, sigma
owner removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
pim (privileged identity management) generates this event each time 'eligible role' is enabled.
    tags: t1078, t1098, t1098.003, azure, sigma
pods deletions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
pods may be deleted by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. pods deletions by unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, elastic
point-to-site vpn being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
point-to-site vpn modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
rolebinding/clusterrolebinding being modified and deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
rolebinding/clusterrolebinding modification from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
rule collections (application, nat, and network) being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: t1562, t1562.004, azure, sigma
rule collections (application, nat, and network) modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, t1562.004, azure, sigma
secrets being modified or deleted may be performed by a system administrator.
    tags: t1552, t1552.001, kubernetes, azure, sigma
secrets modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1552, t1552.001, gcp, azure, sigma
sensitive objects may be accessed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. sensitive objects accessed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
service account being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: t1531, azure, sigma
service account misconfigured
    tags: t1078, t1078.004, t1110, azure, sigma
service account modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1531, azure, sigma
service principal being created may be performed by a system administrator.
    tags: azure, sigma
service principal being removed may be performed by a system administrator.
    tags: azure, sigma
service principal created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
service principal credential additions may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be making changes in your environment. credential additions from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1496, azure, elastic
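The guidance that recurs through these entries (verify the actor, investigate unfamiliar ones, exempt known behavior) applied to the service principal credential addition entry above, as an added example that is not Elastic's or Sigma's rule code. It runs over constructed, flattened records that stand in for the Entra ID audit-log fields (activityDisplayName, initiatedBy, targetResources); the flat field names, the actor, network and target values, and the exemption itself are invented for illustration. It shows a narrow exemption (actor plus target plus source network) beside the over-broad actor-only exemption, so that the same pipeline identity rotating a credential on an unexpected app from an unexpected network is still flagged by the first and silenced by the second.

```python
"""Exempting known credential rotation from a 'service principal credential added' rule
(added example; not Elastic's or Sigma's rule code)."""
from dataclasses import dataclass
import ipaddress

# Entra audit activity name the rule matches on (activityDisplayName).
OPERATION = "Add service principal credentials"


def _rec(ts, actor, source_ip, target, operation=OPERATION):
    """One constructed, flattened audit record. Assumed mapping: actor <- initiatedBy
    (user UPN or app display name), source_ip <- the initiating IP, target <- the
    ServicePrincipal entry in targetResources."""
    return {"time": ts, "operation": operation, "actor": actor,
            "source_ip": source_ip, "target": target}


SAMPLE_AUDIT = [
    # nightly rotation job acting on the apps it owns, from the build network
    _rec("2024-05-01T02:00:05Z", "release-pipeline", "10.20.0.14", "web-api-prod"),
    _rec("2024-05-01T02:00:09Z", "release-pipeline", "10.20.0.14", "worker-prod"),
    # same pipeline identity, but a tenant-wide admin app from an external address
    _rec("2024-05-01T11:37:41Z", "release-pipeline", "203.0.113.9", "graph-admin-automation"),
    # a human adding a secret to their own test app: worth a look, not an exemption
    _rec("2024-05-01T15:12:00Z", "dana@example.test", "198.51.100.7", "dana-lab-app"),
    # unrelated operation the rule must ignore
    _rec("2024-05-01T15:13:00Z", "dana@example.test", "198.51.100.7", "dana-lab-app",
         operation="Update application"),
]


@dataclass(frozen=True)
class Exemption:
    """One known, expected rotation workflow. Every condition must hold for an event
    to be exempted: an exemption that names only the actor would also silence that
    actor's credentials being used to plant secrets on other apps."""
    actor: str
    targets: frozenset
    source_nets: tuple

    def covers(self, rec):
        if rec["actor"] != self.actor or rec["target"] not in self.targets:
            return False
        ip = ipaddress.ip_address(rec["source_ip"])
        return any(ip in net for net in self.source_nets)


def make_exemption(actor, targets, cidrs):
    return Exemption(actor, frozenset(targets),
                     tuple(ipaddress.ip_network(c) for c in cidrs))


# Constructed exemption for the rotation job: which identity, which apps, which network.
KNOWN_ROTATION = [
    make_exemption("release-pipeline", {"web-api-prod", "worker-prod"}, ["10.20.0.0/16"]),
]


def detect_sp_credential_added(records, exemptions=(), actor_only=False):
    """Return the records the rule alerts on. With actor_only=True the exemption
    degrades to 'trust anything this identity does', the over-broad filter that
    hides a compromised automation identity."""
    alerts = []
    for rec in records:
        if rec["operation"] != OPERATION:
            continue
        if actor_only:
            exempt = any(rec["actor"] == e.actor for e in exemptions)
        else:
            exempt = any(e.covers(rec) for e in exemptions)
        if not exempt:
            alerts.append(rec)
    return alerts


if __name__ == "__main__":
    for rec in detect_sp_credential_added(SAMPLE_AUDIT, KNOWN_ROTATION):
        print("alert:", rec["actor"], "->", rec["target"], "from", rec["source_ip"])
```

The narrow filter keeps the third record (pipeline identity, unexpected target, external address) as an alert; the actor-only filter drops it, which is exactly the case "exempted from the rule" should not cover.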
service principal removed from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
sign-ins using powershell may be done by a system or network administrator. verify whether the username, hostname, and/or resource name should be signing into your environment. sign-ins from unfamiliar users or hosts should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1078, azure, elastic
suppression rule being created may be performed by a system administrator.
    tags: azure, sigma
suppression rule created from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
suppression rules can be created legitimately by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. suppression rules created by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: t1562, azure, elastic
this detection is low-volume and is seen infrequently in most organizations. when this detection appears it's high risk, and users should be remediated.
    tags: t1528, azure, sigma
unlikely
    tags: t1003, t1003.001, t1003.002, t1003.004, t1003.005, t1003.006, t1005, t1007, t1008, t1012, t1014, t1016, t1018, t1021, t1021.002, t1021.003, t1021.006, t1027, t1027.005, t1033, t1036, t1036.003, t1036.005, t1036.007, t1041, t1046, t1047, t1048, t1048.001, t1053, t1053.003, t1053.005, t1055, t1055.001, t1056, t1057, t1059, t1059.001, t1059.002, t1059.003, t1068, t1070, t1071, t1071.001, t1071.004, t1078, t1082, t1083, t1087, t1090, t1090.001, t1090.003, t1105, t1106, t1112, t1115, t1123, t1127, t1132, t1132.001, t1133, t1134, t1134.001, t1134.002, t1134.004, t1136, t1136.001, t1136.002, t1137, t1137.002, t1140, t1190, t1202, t1203, t1204, t1210, t1213, t1213.003, t1216, t1218, t1218.001, t1218.008, t1218.010, t1218.011, t1218.013, t1219, t1486, t1489, t1490, t1496, t1498, t1499, t1499.001, t1505, t1505.003, t1526, t1528, t1543, t1543.003, t1546, t1546.008, t1546.015, t1548, t1548.003, t1550, t1550.003, t1552, t1552.004, t1553, t1553.004, t1555, t1556, t1557, t1557.001, t1558, t1558.003, t1562, t1562.001, t1562.002, t1562.010, t1564, t1564.004, t1566, t1569, t1569.002, t1570, t1574, t1574.001, t1574.002, t1586, t1587, t1587.001, t1588, t1588.002, t1590, t1590.001, t1590.002, t1620, t1649, windows, opencanary, okta, m365, azure, bitbucket, macos, linux, sigma
user changing to a new device, location, browser, etc.
    tags: t1078, azure, sigma
user has been put in an exception group so they can use legacy authentication
    tags: t1078, t1078.004, t1110, azure, sigma
user removed from the group is approved
    tags: t1548, t1556, azure, sigma
users actually log in but mis-click the deny button on the mfa prompt.
    tags: t1078, t1078.004, t1110, t1621, azure, sigma
using an ip address that is shared by many users
    tags: t1090, azure, sigma
valid change
    tags: t1003, t1098, t1098.003, azure, sigma
virtual network being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
virtual network device being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
virtual network device modification or deletion may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment. virtual network device modification or deletion by unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, elastic
virtual network device modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
virtual network modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
vpn connection being modified or deleted may be performed by a system administrator. verify whether the user identity, user agent, and/or hostname should be making changes in your environment.
    tags: azure, sigma
vpn connection modified or deleted from unfamiliar users should be investigated. if known behavior is causing false positives, it can be exempted from the rule.
    tags: azure, sigma
vulnerability scanners
    tags: t1078, t1078.004, t1110, t1190, t1505, t1505.001, azure, sigma
we recommend investigating the sessions flagged by this detection in the context of other sign-ins from the user.
    tags: t1078, t1090, t1098, t1110, t1528, t1606, azure, sigma
when a new application owner is added by an administrator
    tags: t1552, azure, sigma
when an administrator is making legitimate appid uri configuration changes to an application. this should be a planned event.
    tags: t1078, t1078.004, t1552, azure, sigma
when an administrator is making legitimate uri configuration changes to an application. this should be a planned event.
    tags: t1078, t1078.004, t1528, azure, sigma
when credentials are added/removed as part of the normal working hours/workflows
    tags: t1098, t1098.001, azure, sigma
when the permission is legitimately needed for the app
    tags: t1098, t1098.003, t1528, azure, sigma