azure tenant

Title	Tags
a user with concurrent sessions from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment. also consider the geographic location of the ip addresses and filter out ip space that belong to your organization.	t1185 azure tenant splunk
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.	t1110.001 t1201 aws account azure tenant splunk
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.	t1110.001 T1110.003 T1535 t1586 aws account azure tenant splunk
administrators may legitimately create azure automation accounts. filter as needed.	t1136.003 azure tenant splunk
administrators may legitimately create azure automation runbooks. filter as needed.	t1136.003 azure tenant splunk
administrators may legitimately create azure runbook webhooks. filter as needed.	t1078.004 azure tenant splunk
false positives may occur if users are granting consents as part of legitimate application integrations or setups. it is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.	t1528 azure tenant splunk
in most organizations, device code authentication will be used to access common microsoft service but it may be legitimate for others. filter as needed.	t1528 t1566.002 azure tenant splunk
legitimate adminstrative usage of this functionality will trigger this detection.	t1021.007 t1072 t1105 t1202 t1484 t1529 t1562.001 t1562.004 azure tenant splunk
legitimate applications may be granted tenant wide consent, filter as needed.	t1098.003 azure tenant o365 tenant splunk
legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization	t1562 azure tenant splunk
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.	t1078 azure tenant o365 tenant splunk
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.	T1110.003 T1110.004 t1586.003 o365 tenant azure tenant splunk
update_known_false_positives	t1528 azure tenant splunk
users may deny consent for legitimate applications by mistake, filter as needed.	t1528 azure tenant splunk
users may register mfa methods legitimally, investigate and filter as needed.	t1098.005 azure tenant o365 tenant splunk