T1673
Title: Administrators may use this command when troubleshooting. Tune as needed.
Tags: t1005, t1082, T1673, infrastructure, splunk

Title: Expected red team assessments or penetration tests may utilize BloodHound tools to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user principal names (UPNs).
Tags: t1069, t1082, t1087, t1201, t1526, t1580, T1673, azure, elastic

Title: Expected red team assessments or penetration tests may utilize TeamFiltration to evaluate the security posture of Azure or Microsoft 365 environments. If this is expected behavior, consider adjusting the rule or adding exceptions for specific IP addresses, registered applications, JWT tokens, PRTs or user
Tags: t1069, t1082, t1087, t1110, t1201, t1526, t1580, T1673, azure, elastic

Title: Legitimate administrative or security assessment activities may use these user-agents, especially in environments where BloodHound is employed for authorized audits. If this is expected behavior, consider adjusting the rule or adding exceptions for specific user-agents or IP addresses.
Tags: t1069, t1082, t1087, t1201, t1526, t1580, T1673, azure, elastic
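The three Azure/Elastic entries above all recommend the same tuning: exceptions for specific IP addresses, registered applications, tokens, UPNs or user-agents when an engagement is expected. The block below is an added example, not code from LoFP or from the Elastic rules it indexes. It shows one way to express such an exception so that it is scoped rather than a blanket suppression: every populated constraint must hold at once, and the exception is bounded to the engagement window, so the same tester identity seen from an unexpected source address (a replayed token) or the same tooling seen after the engagement still alerts. The field names loosely follow Azure AD sign-in logs; the event records, the engagement window, the tester UPN, the IP range, the application ID and the user-agent prefix are all constructed placeholders, not values any real rule matches on.

```python
"""Scoped tuning exception for an authorized Azure assessment (added example).

All log records, identities, addresses and the user-agent prefix below are
constructed placeholders for illustration.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass
class SignInEvent:
    """One sign-in record; field names loosely mirror Azure AD sign-in logs."""
    event_id: str
    time: datetime
    upn: str
    ip: str
    app_id: str
    user_agent: str


@dataclass
class AssessmentException:
    """A tuning exception for one engagement.

    Every populated constraint must hold (they are AND-ed), and the event must
    fall inside the engagement window. Leaving a constraint empty widens the
    exception, so prefer to populate all of them.
    """
    name: str
    start: datetime
    end: datetime
    cidrs: tuple[str, ...] = ()
    upns: frozenset[str] = frozenset()        # store lower-cased
    app_ids: frozenset[str] = frozenset()
    user_agent_prefixes: tuple[str, ...] = ()

    def matches(self, ev: SignInEvent) -> bool:
        if not (self.start <= ev.time <= self.end):
            return False
        if self.cidrs:
            addr = ipaddress.ip_address(ev.ip)
            if not any(addr in ipaddress.ip_network(c) for c in self.cidrs):
                return False
        if self.upns and ev.upn.lower() not in self.upns:
            return False
        if self.app_ids and ev.app_id not in self.app_ids:
            return False
        if self.user_agent_prefixes and not ev.user_agent.startswith(self.user_agent_prefixes):
            return False
        return True


def apply_exceptions(events: list[SignInEvent], exceptions: list[AssessmentException]) -> dict:
    """Split rule hits into those that still alert and those an exception suppresses."""
    alerts: list[str] = []
    suppressed: list[str] = []
    for ev in events:
        matched = any(x.matches(ev) for x in exceptions)
        (suppressed if matched else alerts).append(ev.event_id)
    return {"alerts": alerts, "suppressed": suppressed}


def assessment_exception() -> AssessmentException:
    """Hypothetical engagement: one tester account, one egress range, one app registration, two weeks."""
    return AssessmentException(
        name="redteam-2024-q2",
        start=datetime(2024, 5, 6, tzinfo=timezone.utc),
        end=datetime(2024, 5, 17, 23, 59, 59, tzinfo=timezone.utc),
        cidrs=("203.0.113.0/24",),
        upns=frozenset({"tester@example.com"}),
        app_ids=frozenset({"00000000-0000-0000-0000-00000000aaaa"}),
        user_agent_prefixes=("assessment-tool/",),  # placeholder prefix, not a real tool's UA
    )


def _t(s: str) -> datetime:
    return datetime.fromisoformat(s)


def sample_events() -> list[SignInEvent]:
    """Constructed rule hits covering the in-scope case and three cases that must still alert."""
    ua = "assessment-tool/1.0"
    app = "00000000-0000-0000-0000-00000000aaaa"
    return [
        SignInEvent("evt-1", _t("2024-05-08T10:15:00+00:00"), "tester@example.com", "203.0.113.10", app, ua),  # in scope
        SignInEvent("evt-2", _t("2024-05-08T10:20:00+00:00"), "tester@example.com", "198.51.100.7", app, ua),  # same identity, unexpected egress
        SignInEvent("evt-3", _t("2024-05-20T08:00:00+00:00"), "tester@example.com", "203.0.113.10", app, ua),  # after the window closed
        SignInEvent("evt-4", _t("2024-05-08T11:00:00+00:00"), "alice@example.com", "203.0.113.10", app, ua),   # different principal
    ]


if __name__ == "__main__":
    print(apply_exceptions(sample_events(), [assessment_exception()]))
```

Running the block suppresses only `evt-1`; the other three hits keep alerting even though each shares most attributes with the engagement. The same shape translates directly into an Elastic or Splunk exception list: key the exception on the conjunction of source range, principal and application with an expiry, not on any single attribute.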
Title: Limited false positives in most environments; however, tune as needed.
Tags: t1059, t1070, t1110, t1499, t1529, t1562, t1562.001, t1562.003, t1562.004, T1601.001, T1673, infrastructure, splunk