Techniques
Sample rules
Azure Active Directory PowerShell Sign-in
- source: elastic
- techniques:
  - T1078
Description
Identifies a sign-in using the Azure Active Directory PowerShell module. PowerShell for Azure Active Directory allows for managing settings from the command line, which is intended for users who are members of an admin role.
Detection logic
event.dataset:azure.signinlogs and
azure.signinlogs.properties.app_display_name:"Azure Active Directory PowerShell" and
azure.signinlogs.properties.token_issuer_type:AzureAD and event.outcome:(success or Success)
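
The query above, applied to sample events, as an added example that is not part of the original rule. It assumes exact, case-sensitive matching on keyword fields; the events, the user.name field, and the helper names are constructed for illustration.

```python
# Added example: the rule's conditions applied to constructed sign-in events.
# Assumption: keyword fields match exactly and case-sensitively.
RULE = {
    "event.dataset": {"azure.signinlogs"},
    "azure.signinlogs.properties.app_display_name": {"Azure Active Directory PowerShell"},
    "azure.signinlogs.properties.token_issuer_type": {"AzureAD"},
    "event.outcome": {"success", "Success"},
}

def flatten(doc, prefix=""):
    """Flatten nested JSON into the dotted field names the query uses."""
    flat = {}
    for key, value in doc.items():
        name = prefix + key
        if isinstance(value, dict):
            flat.update(flatten(value, name + "."))
        else:
            flat[name] = value
    return flat

def matches(doc):
    """True when every rule field holds one of its allowed values."""
    flat = flatten(doc)
    for field, allowed in RULE.items():
        value = flat.get(field)
        values = value if isinstance(value, list) else [value]
        if not any(v in allowed for v in values):
            return False
    return True

def signin(user, app, issuer, outcome):
    """Build one constructed event; user.name is a sample field for display."""
    return {
        "event": {"dataset": "azure.signinlogs", "outcome": outcome},
        "user": {"name": user},
        "azure": {"signinlogs": {"properties": {
            "app_display_name": app, "token_issuer_type": issuer}}},
    }

PS = "Azure Active Directory PowerShell"
SAMPLE_EVENTS = [  # constructed data, not real logs
    signin("alice@example.com", PS, "AzureAD", "success"),
    signin("bob@example.com", PS, "AzureAD", "Success"),
    signin("carol@example.com", PS, "AzureAD", "failure"),
    signin("dave@example.com", "Azure Portal", "AzureAD", "success"),
    signin("erin@example.com", PS, "ADFederationServices", "success"),
]

def detect(events):
    """Return the user of each event the rule would flag."""
    return [flatten(e)["user.name"] for e in events if matches(e)]
```

Calling detect(SAMPLE_EVENTS) flags only the first two events. Under the stated assumption, an outcome spelled in any other casing would not match, which is why the query lists both success and Success.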