t1136.003
| Title | Tags |
| --- | --- |
| administrator may legitimately create service principal. filter as needed. | t1136.003, azure active directory, splunk |
| administrator may legitimately invite external guest users. filter as needed. | t1136.003, o365 tenant, azure active directory, splunk |
| administrators may legitimately create azure automation accounts. filter as needed. | t1136.003, azure tenant, splunk |
| administrators may legitimately create azure automation runbooks. filter as needed. | t1136.003, azure tenant, splunk |
| business approved changes by known administrators. | t1098.003, t1136.003, T1484.002, o365 tenant, splunk |
| certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed. | t1136.003, azure active directory, o365 tenant, splunk |
| organization approved new members | t1136, t1136.003, github, sigma |
| the creation of a new federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider. | t1136.003, o365 tenant, splunk |
| the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. | t1136.003, o365 tenant, splunk |
| the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider. | t1136.003, o365 tenant, splunk |