LoFP
/
t1136.003
t1136.003
Title
Tags
administrator may legitimately create service principal. filter as needed.
t1136.003
azure active directory
splunk
administrator may legitimately invite external guest users. filter as needed.
t1136.003
azure active directory
splunk
administrators may legitimately create azure automation accounts. filter as needed.
t1136
t1136.003
azure tenant
splunk
administrators may legitimately create azure automation runbooks. filter as needed.
t1136
t1136.003
azure tenant
splunk
certain users or applications may create multiple service principals in a short period of time for legitimate purposes. filter as needed.
t1136.003
o365 tenant
azure active directory
splunk
organization approved new members
t1136
t1136.003
github
sigma
the creation of a new federated domain is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a similar or different cloud provider.
t1136
t1136.003
o365 tenant
splunk
the creation of a new federation is not necessarily malicious, however these events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
t1136
t1136.003
o365 tenant
splunk
the creation of a new federation is not necessarily malicious, however this events need to be followed closely, as it may indicate federated credential abuse or backdoor via federated identities at a different cloud provider.
t1136
t1136.003
o365 tenant
splunk
while this search has no known false positives, it is possible that an aws admin has legitimately created a login profile for another user.
t1136
t1136.003
aws account
splunk
LoFP
/
t1136.003