365 Sus Mailbox Delegation

Adversaries may use a compromised account to send messages to other accounts within the target organization while creating inbox rules.

Source table → cloud.office365.management.exchange

New Federated Domain

The addition of a new federated domain may be normal activity. However, these events should be followed closely, as they may indicate abuse of federated credentials or a backdoor via federated identities.

Source table → cloud.office365.management.exchange

Excessive SSO Login Failures

Adversaries may use brute-force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

Source table → cloud.office365.management.azureactivedirectory

Excessive Auth Failure Attempts

This detection is triggered when a user account makes an excessive number of authentication attempts that return a failed status within a short time window.

Source table → cloud.office365.management.azureactivedirectory

Disable MFA

Adversaries may modify authentication mechanisms and processes to access user credentials, bypass authentication mechanisms, or enable otherwise unwarranted access to accounts.

Source table → cloud.office365.management.azureactivedirectory

Bypass MFA via IP

This activity is not necessarily malicious. However, these events should be followed closely, as attackers are known to use this technique to bypass the MFA system.

Source table → cloud.office365.management

Added Service Principal

This detection is triggered when new Service Principal credentials have been added in Azure.

Source table → cloud.office365.management.azureactivedirectory

Mailbox Audit Bypass

Mailbox auditing is responsible for logging specified mailbox events. Attackers may attempt to bypass this mechanism to conceal the actions they have taken.

Source table → cloud.office365.management.exchange