
Azure

The Azure cloud platform is a major cloud provider with more than 200 products and cloud services designed to help bring new solutions to life. Azure enables organizations to build, run, and manage applications across multiple environments and even at the edge. Because of the capabilities Azure provides to many large organizations, it has become a popular place to grow an organization's cloud footprint, and with it the resulting attack surface. Devo provides a list of out-of-the-box detections that enable our customers to protect themselves against popular attacks on Azure environments.

An adversary could escalate privileges or attempt to persist by adding an account to a role outside of Privileged Identity Management (PIM) in Azure AD.

Source table ➝ CLOUD.AZURE.AD.AUDIT

An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.

This alert is triggered when a login is flagged as "at risk" by Azure Active Directory.

Source table ➝ CLOUD.AZURE.AD.SIGNIN

An adversary may attempt to get a listing of accounts on a system or within an environment.

This alert detects downloads of user information from the Azure AD Portal.

Source table ➝ CLOUD.AZURE.AD.AUDIT

An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services.

This alert is triggered when a user sign-in is tagged as High Aggregate Risk by Azure AD. The high aggregate risk score may be based on other features of the sign-in or on the fact that more than one detection fired for that sign-in.

Source table ➝ CLOUD.AZURE.AD.SIGNIN

An adversary could obtain and abuse credentials of existing accounts as a means of gaining Initial Access. Compromised credentials may be used to bypass access controls and for persistent access to remote systems and external services.

This alert is triggered when a user sign-in is tagged as High Risk by Azure AD.

Source table ➝ CLOUD.AZURE.AD.SIGNIN