LoFP / azure tenant

a user with concurrent sessions from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
a user with successful authentication events from different ips may also represent the legitimate use of more than one device. filter as needed and/or customize the threshold to fit your environment.
administrators may legitimately create azure automation accounts. filter as needed.
administrators may legitimately create azure automation runbooks. filter as needed.
administrators may legitimately create azure runbook webhooks. filter as needed.
an ip address with more than 20 failed authentication attempts in the span of 10 minutes may also be triggered by a broken application.
false positives may occur if users are granting consents as part of legitimate application integrations or setups. it is crucial to review the application and the permissions it requests to ensure they align with organizational policies and security best practices.
in most organizations, device code authentication will be used to access common microsoft services, but it may be legitimate for others. filter as needed.
legitimate applications may be granted tenant-wide consent; filter as needed.
legitimate changes to the 'risk-based step-up consent' setting by administrators, perhaps as part of a policy update or security assessment, may trigger this alert, necessitating verification of the change's intent and authorization.
rapid authentication from the same user using more than 5 different user agents and 3 application ids is highly unlikely under normal circumstances. however, there are potential scenarios that could lead to false positives.
this detection may yield false positives in scenarios where legitimate bulk sign-in activities occur, such as during company-wide system updates or when users are accessing resources from varying locations in a short time frame, such as in the case of vpns or cloud services that rotate ip addresses. filter as needed.
users may deny consent for legitimate applications by mistake; filter as needed.
users may register mfa methods legitimately; investigate and filter as needed.