
T1201

An alert for a user with more than 20 failed authentication attempts in the span of 5 minutes may also be triggered by a broken application.
Administrators or power users may use this command for troubleshooting.
Commonly used by administrators for troubleshooting.
Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user principal names (UPNs).
Expected red team assessments or penetration tests may utilize TeamFiltration to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user
Legitimate administration activities.
Legitimate administrative or security assessment activities may use these user-agents, especially in environments where TeamFiltration is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user-agents or IP addresses.
Legitimate PowerShell scripts.