This article lists all Defender for Identity security alerts in the Defender format. These security alerts are based on alerts sent by Defender for Identity to the Microsoft Defender portal.
Defender for Identity generates alerts in both the Defender format and the classic format. The Defender format provides an alert structure that is consistent with other Microsoft Defender products. Both formats are based on the same underlying detections from Defender for Identity sensors, but they differ in structure, naming, and categorization. You can identify the format of each alert on the security alerts page by checking the Detection source field.
Alert name mapping
Alert names in the XDR structure are different from the alert names in the classic structure, but alert IDs stay consistent between the two alert structures.
For more information, see Security alerts in Microsoft Defender XDR and Investigate alerts in Microsoft Defender XDR.
Alerts by category
Defender for Identity XDR security alerts are divided by category, or phase, as seen in a typical cyber-attack kill chain.
Use the links in the following list to jump directly to the relevant category and review the alerts available for each category:
- Credential Access alerts
- Defense Evasion alerts
- Discovery alerts
- Execution alerts
- Initial Access alerts
- Lateral Movement alerts
- Persistence alerts
- Privilege Escalation alerts
- Command and Control alerts
Credential Access alerts
This section describes alerts indicating that a malicious actor might be attempting to steal account names and passwords from your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| A compromised user account signed in<br>Description: Credential stuffing led to a successful sign-in, confirming that an account has been compromised and accessed by an unauthorized party. | High | T1078 | xdr_CredentialStuffingToolObserved |
| Anomalous OAuth device code authentication activity<br>Description: An OAuth Device Code authentication was detected in an unusual context based on user behavior and sign-in patterns. Due to the design of Device Code flows, this activity requires immediate investigation because it may indicate unauthorized token issuance or post-authentication abuse. | High | T1528, T1078.004 | xdr_AnomalousDeviceCodeAuth |
| AS-REP roasting<br>Description: Multiple attempts to sign in without preauthentication were detected. This behavior might indicate an Authentication Server Response (AS-REP) roasting attack, which targets the Kerberos authentication protocol, specifically accounts that have turned off preauthentication. | High | T1558.004 | xdr_AsrepRoastingAttack |
| Honeytoken Activity<br>Description: A honeytoken user attempted to sign in. | High | T1098 | xdr_HoneytokenSignInAttempt |
| Multiple failed Okta authentication attempts detected<br>Description: Multiple failed Okta authentication attempts were detected for user {AccountUpn}. A total of {TotalFailedRequestCounts} failed attempts originated from IP address {IPAddress} within a 2-minute window. The attempts involved authentication actions {ActionType}. This activity indicates a brute-force attack or credential stuffing attempt. The user agent string {UserAgent} was used across all attempts. | High | T1110 | xdr_OktaMultipleFailedLogons |
| Multiple failed Okta sign in attempts followed by successful sign in with anomalous user behavior<br>Description: Multiple failed sign-in attempts followed by a successful sign-in were observed for user {AccountUpn} within a short time span. The activity included high-risk properties {RiskyBehaviors}, classified by Okta as {RiskLevel}. All sign-in attempts originated from a single IP address {IPAddress}. | High | T1110, T1078 | xdr_OktaMultipleFailedLogonsFollowedBySignIn |
| NEGOEX relay attack<br>Description: An attacker used NEGOEX to impersonate a server that a client wants to connect to, so that the attacker can then relay the authentication process to any target. This allows the attacker to gain access to the target. NEGOEX is an authentication protocol designed to authenticate user accounts to Microsoft Entra joined devices. | High | T1187, T1557.001 | xdr_NegoexRelayAttack |
| Okta FastPass phishing attack detected<br>Description: A successful Okta FastPass phishing attack was detected for user {AccountUpn}. An initial phishing attempt was declined at {phishingAttemptTime}, but the compromised session {SessionId} was later used for authentication actions at {Timestamp}. The session originated from IP address {PhishingIPAddress} and was subsequently reused from {ReuseIPAddress} with user agent {ReuseUserAgent}. Risk level: {SessionReuseRisk}. | High | T1539, T1550.004 | xdr_OktaFastPassPhishingAttempt |
| Okta privileged role assigned to application<br>Description: {ActorAliasName} assigned the {RoleDisplayName} role to application {ApplicationDisplayName}. | High | T1003.006 | xdr_OktaPrivilegedRoleAssignedToApplication |
| Possible account secret leak<br>Description: A failed attempt to sign in to a user account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The user account's credentials might have been leaked or are in the possession of an unauthorized party. | High | T1078 | xdr_CredentialStuffingToolObserved |
| Possible adversary-in-the-middle (AiTM) attack detected (ConsentFix)<br>Description: A possible token theft has been detected. A threat actor tricked a user into granting consent or sharing an authorization code through social engineering or adversary-in-the-middle (AiTM) techniques. The stolen code is exchanged for access tokens. The threat actor then impersonates the user without a password or multifactor authentication (MFA). This allows unauthorized access to Microsoft 365 services and sensitive data. | High | T1557 | xdr_PossibleAitMConsentFix |
| Possible AS-REP roasting attack<br>Description: A suspicious Kerberos authentication request was made to accounts that do not require pre-authentication. An attacker might be performing an AS-REP roasting attack to steal passwords and gain further access into the network. | Medium | T1558.004 | xdr_AsrepRoastingAttack |
| Possible Golden SAML attack<br>Description: A privileged user account authenticated with characteristics that might be related to a Golden SAML attack. | High | T1071, T1606.002 | xdr_PossibleGoldenSamlAttack |
| Possible golden ticket attack<br>Description: A suspicious Kerberos ticket-granting service (TGS) request was observed. An attacker might be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558.001 | xdr_PossibleGoldenTicketAttacks |
| Possible golden ticket attack (CVE-2021-42287 exploitation)<br>Description: A suspicious Kerberos ticket-granting ticket (TGT) containing an anomalous Kerberos Privilege Attribute Certificate (PAC) was observed. An attacker may be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. This alert triggers when an attacker forges or modifies a Kerberos PAC in an attempt to exploit the CVE-2021-42287 vulnerability. Successful exploitation allows attackers to escalate privileges and impersonate highly privileged accounts by causing the Key Distribution Center (KDC) to create a service ticket with a higher privilege level than that of the compromised account. The targeted domain controller is patched with KB5008380, which addresses this security bypass vulnerability. | High | T1558.001 | xdr_PossibleGoldenTicketAttack_SuspiciousPac |
| Possible golden ticket attack (suspicious ticket)<br>Description: A suspicious Kerberos ticket-granting service (TGS) request originating from the IP address {SourceIpAddress} has been detected. This TGS ticket request is suspected to contain a forged or modified Kerberos ticket-granting ticket (TGT). An attacker might be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558.001 | xdr_PossibleGoldenTicketAttack_SuspiciousTicket |
| Possible Kerberoasting attack<br>Description: One or more suspicious Kerberos ticket-granting service requests (TGS-REQ), originating from the IP address {SourceIpAddress}, have been detected. This activity might indicate a potential Kerberoasting attack, in which an attacker requests Kerberos service tickets for accounts with Service Principal Names (SPNs) in Active Directory. The attacker then extracts and attempts to crack the encrypted tickets offline to obtain the plaintext passwords of those accounts. These targeted accounts might have been compromised, allowing the attacker to move laterally within the organization, escalate privileges, steal data, or set up backdoors for future access and persistence. | High | T1558.003 | xdr_PossibleKerberoastingAttack |
| Possible Kerberoasting attack following a suspicious LDAP query<br>Description: Following a recent alert regarding a suspected Kerberoasting-related Lightweight Directory Access Protocol (LDAP) query, one or more suspicious Kerberos ticket-granting service requests (TGS-REQ) originating from the IP address {SourceIpAddress} have been detected. This activity might indicate a potential Kerberoasting attack, where an attacker enumerates accounts with Service Principal Names (i.e., Kerberoastable accounts) in Active Directory and then requests Kerberos service tickets for these accounts. The attacker then extracts and attempts to crack the encrypted tickets offline to obtain the plaintext passwords of those accounts. | High | T1558.003, T1087.002 | xdr_PossibleKerberoastingFollowingSuspiciousLdapQuery |
| Possible Kerberoasting attack using a stealthy LDAP search<br>Description: One or more stealthy Lightweight Directory Access Protocol (LDAP) queries exposing Service Principal Names (SPNs), followed by suspicious Kerberos ticket-granting service requests (TGS-REQ) originating from the IP address {SourceIpAddress}, have been detected. This activity might indicate an attacker's attempt at a stealthier Kerberoasting attack by avoiding the use of the '(servicePrincipalName=*)' LDAP query filter. | High | T1558.003, T1087.002 | xdr_PossibleStealthyLdapKerberoastingAttack |
| Possible Kerberos key list attack<br>Description: One or more suspicious Kerberos ticket-granting service (TGS) requests originating from the IP address {SourceIpAddress} have been detected. An attacker might be using stolen credentials of a read-only domain controller (RODC)-owned KRBTGT account to carry out a Kerberos key list attack. As part of this attack, the attacker forges an RODC golden ticket for a targeted account and then sends a specially crafted Kerberos TGS request containing the forged ticket. In response, the attacker may obtain the targeted account's long-term secret (e.g., NT hash). | High | T1558.001 | xdr_PossibleKerberosKeyListAttack |
| Possible NetSync attack<br>Description: NetSync is a module in Mimikatz, a post-exploitation tool, that requests the password hash of a target device's password by pretending to be a domain controller. An attacker might be performing malicious activities inside the network using this feature to gain access to the organization's resources. | High | T1003.006 | xdr_PossibleNetsyncAttack |
| Possible OAuth code theft detected through consent abuse<br>Description: A possible OAuth authorization code theft has been detected. Threat actors tricked a user into granting consent or sharing an authorization code through social engineering or adversary-in-the-middle (AiTM) techniques. The stolen code is exchanged for access tokens. Threat actors then impersonate the user without a password or multifactor authentication (MFA). This allows unauthorized access to Microsoft 365 services and sensitive data. | High | T1557 | xdr_PossibleOauthCodeTheft |
| Possible overpass-the-hash attack<br>Description: A possible overpass-the-hash attack was detected. In this type of attack, an attacker uses the NT hash of a user account or other Kerberos keys to obtain Kerberos tickets, which allows unauthorized access to network resources. | High | T1550.002 | xdr_PossibleOverPassTheHash |
| Possible service principal account secret leak<br>Description: A failed attempt to sign in to a service principal account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
| Possibly compromised service principal account signed in<br>Description: A possibly compromised service principal account signed in. A credential stuffing attempt was successfully authenticated, indicating that the service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | High | T1078 | xdr_CredentialStuffingToolObserved |
| Possibly compromised service principal account signed in<br>Description: A possibly compromised service principal account signed in. An automated tool used for reconnaissance successfully logged into a service principal account, indicating that the service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | High | T1078 | xdr_ReconnaissanceToolObsereved |
| Possibly compromised user account signed in<br>Description: A possibly compromised user account signed in. An automated tool used for reconnaissance successfully logged into a user account, indicating that the user account's credentials might have been leaked or are in the possession of an unauthorized party. | High | T1078 | xdr_ReconnaissanceToolObsereved |
| Suspected brute-force attack (Kerberos, NTLM)<br>Description: A suspicious brute-force attack has been detected. A threat actor might have carried out a brute-force attack on your Active Directory and possibly found users' passwords, which could lead to serious security threats and a data breach. | Medium | T1110.001 | xdr_OnPremBruteforce |
| Suspected brute-force attack on Lightweight Directory Access Protocol (LDAP) authentication<br>Description: A series of suspicious login attempts from a single device was detected against a single user account. | Medium | T1110.001 | xdr_LdapBindBruteforce |
| Suspected password spray attack (Kerberos, NTLM)<br>Description: A suspicious password spray has been detected. A threat actor might have carried out a password spray on your Active Directory and possibly found users' passwords, which could lead to serious security threats and a data breach. | Medium | T1110.003 | xdr_OnPremPasswordSpray |
| Suspected password spray attack on Lightweight Directory Access Protocol (LDAP) authentication<br>Description: A single device was observed attempting logins across multiple user accounts, indicating a malicious authentication pattern. | Medium | T1110.003 | xdr_LdapBindBruteforce |
| Suspicious creation of ESXi group<br>Description: A suspicious VMware ESXi group was created in the domain. This might indicate that an attacker is trying to get more permissions for later steps in an attack. | High | T1098 | xdr_SuspiciousUserAdditionToEsxGroup |
| Suspicious DMSA related activity detected<br>Description: A suspicious DMSA-related activity was detected. This may indicate a compromised managed account or an attempt to exploit a DMSA account. | High | T1555 | xdr_SuspiciousDmsaAction |
| Suspicious email app consent grant<br>Description: A suspicious email application consent grant has been detected from a possibly compromised user account. An attacker might have leveraged the illicit consent grant to use the legitimate email application for unauthorized access to and collection of user data, for persistence, or to maliciously send email on behalf of the user. | Medium | T1110.004, T1110.003 | xdr_MfaTamperingAndEmailSoftwareAbuse |
| Suspicious Entra account enablement after disruption<br>Description: An account that was previously disabled as part of a disruption or containment action was subsequently re-enabled. This behavior is highly suspicious and may indicate an attempt by a threat actor to restore access to a compromised identity or bypass containment measures. | High | T1098 | xdr_SuspiciousAccountEnabled |
| Suspicious Golden gMSA related activity<br>Description: A suspicious read activity was made to sensitive group Managed Service Account (gMSA) objects, which could be associated with a threat actor trying to leverage the Golden gMSA attack. | High | T1555 | xdr_SuspiciousGoldenGmsaActivity |
| Suspicious Kerberos authentication (AP-REQ)<br>Description: A suspicious Kerberos application request (AP-REQ) was detected. An attacker might be using stolen credentials of a service account to attempt a silver ticket attack. In this kind of attack, an attacker forges a service ticket (Ticket Granting Service or TGS) for a specific service within a network, which allows the attacker to access that service without needing to interact with the domain controller after the initial compromise. | High | T1558.002 | xdr_SuspiciousKerberosApReq |
| Suspicious Kerberos authentication (AS-REQ)<br>Description: A suspicious Kerberos authentication request (AS-REQ) for a ticket-granting ticket (TGT) was observed. This anomalous TGT request is suspected to have been specially crafted by an attacker. The attacker might be using stolen credentials to leverage this attack. | Medium | T1550, T1558 | xdr_SusKerberosAuth_AsReq |
| Suspicious Kerberos authentication (TGS-REQ)<br>Description: A suspicious Kerberos ticket-granting service (TGS) ticket request has been observed. This anomalous TGS request is suspected to have been specially crafted by an attacker, possibly using a malicious tool. The attacker might also be using stolen credentials to carry out this attack. Anomalous Kerberos TGS requests are commonly observed in various attack techniques, including Kerberoasting, remote code execution (RCE), and credential dumping, among others. | Medium | T1550, T1558 | xdr_SusKerberosAuth_TgsReq |
| Suspicious Kerberos authentication (TGT request using TGS-REQ)<br>Description: A suspicious Kerberos ticket-granting service request (TGS-REQ) involving the Service for User to Self (S4U2self) extension was observed. This anomalous TGS request is suspected to have been specially crafted by an attacker. S4U2self is an extension that allows a service to obtain a Kerberos service ticket on behalf of another user, for itself. Successful authentication using this extension, when targeting the krbtgt service, can result in valid TGTs being issued on behalf of the targeted user. | Medium | T1550, T1558 | xdr_SusKerberosAuth_S4U2selfTgsReq |
| Suspicious login attempt using possibly compromised account certificate<br>Description: A suspicious login attempt using a possibly compromised account certificate has been observed. Previous attempts most likely have already occurred to steal or add the certificate to the service principal so the threat actor could use it in the future. The threat actor might have compromised the Entra service account certificate and used it for service principal account sign-in. If not mitigated, a compromised service principal account sign-in on an Entra service could lead to privilege escalation, account takeover, credential exposure, and unauthorized access to proprietary data and files. | High | T1649 | xdr_SuspiciousLoginWithExchange |
| Suspicious network connection over Encrypting File System Remote Protocol<br>Description: A suspicious Encrypting File System Remote Protocol (EFSRPC) connection was observed from {SourceIpAddress}. This activity is associated with PetitPotam (CVE-2021-36942), where an attacker makes EFSRPC calls to a domain controller in an attempt to coerce NTLM authentication. If successfully exploited, it could allow credential theft and lateral movement. For more information about the vulnerability, see https://security.microsoft.com/intel-explorer/cves/CVE-2021-36942. | Medium | T1187 | xdr_SuspiciousConnectionOverEFSRPC |
| Suspicious NTLM authentication<br>Description: One or more suspicious NTLM authentication attempts originating from the IP address {SourceIpAddress} have been detected. This anomalous NTLM authentication activity is suspected to have been specially crafted by an attacker, possibly as part of an attack involving a malicious tool. The attacker might also be using stolen credentials to carry out this attack. Anomalous NTLM behavior is commonly observed in various attack techniques, including pass-the-hash, reconnaissance, brute-force, remote code execution (RCE), and others. | Medium | T1550.002, T1087.002 | xdr_SuspiciousNtlmAuthentication |
| Suspicious on-prem account enablement after disruption<br>Description: An account that was previously disabled as part of a disruption or containment action was subsequently re-enabled. This behavior is highly suspicious and may indicate an attempt by a threat actor to restore access to a compromised identity or bypass containment measures. | High | T1098 | xdr_SuspiciousAccountEnabled |
| Suspicious OS switch sign-in<br>Description: An unexpected change in operating system was observed during a user sign-in while the client profile remained consistent. Such shifts are uncommon in stable environments. This might indicate token replay, session hijacking, or authentication artifact reuse from a different platform. A potential identity compromise might be in progress through anomalous changes in the user's device context. Go through the Recommended Action section to immediately investigate and mitigate associated risks. | Medium | T1078 | xdr_SuspiciousOsSwitchSignIn |
| Suspicious SAM Account Name Change<br>Description: A suspicious change of the SAM account name was detected, which may indicate an attempt to exploit Kerberos authentication via NTP time manipulation (Timeroasting). This technique can allow attackers to brute-force or replay Kerberos tickets, leading to credential compromise and lateral movement. | Medium | T1110.001, T1558.003 | xdr_SuspiciousChangeOfSamName |
| Suspicious shared client infrastructure activity<br>Description: A suspicious shared client infrastructure activity has been observed. The suspicious sign-in activity came from a client infrastructure with an unusual spike in distinct users and accessed resources. Repeated multifactor authentication (MFA) failures were followed by a successful MFA sign-in, suggesting persistent authentication attempts from shared or automated infrastructure and potential account compromise. Go through the Recommended Action section to immediately investigate and mitigate associated risks. | Medium | T1078 | xdr_SuspiciousSharedClientInfraActivity |
| Suspicious sign in with CSRF speedbump trigger<br>Description: Microsoft Entra ID detected a successful risky sign-in following a CSRF (cross-site request forgery) speedbump trigger alert. This typically occurs when the sign-in flow deviates from expected browser behavior, such as session or cookie inconsistencies, missing or invalid forged tokens, or rapid automated request patterns. | Medium | T1557, T1185 | xdr_CsrfSpeedbumpToRiskyLogin |
Defense Evasion alerts
This section describes alerts indicating that a malicious actor might be attempting to evade detection in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Attempt to disable Defender for Identity service principal observed<br>Description: An actor attempted to disable or impair the security application responsible for generating identity and authentication alerts. This behavior is consistent with adversaries seeking to evade detection after initial access, maintain persistence, or disrupt monitoring by modifying, stopping, or uninstalling security services. Such activity often occurs following credential compromise, privilege escalation, or lateral movement. | High | T1562.001 | xdr_SuspectedMDITampering |
| Skipped MFA on remembered device from uncommon ISP sign-in<br>Description: A suspicious Microsoft Entra sign-in from an internet service provider (ISP) the account hasn't used in the past 30 days skipped multi-factor authentication (MFA) on a remembered device. This indicates that an attacker might have replayed a stolen persistent cookie from attacker infrastructure instead of the user's normal network. It's important to investigate and mitigate this urgently because skipped MFA could lead to security risks such as unauthorized access, session hijacking, and data breach. | Medium | T1550.004, T1078.004 | xdr_SuspiciousMfaSkip |
| Suspicious access denial to view primary group ID of an object<br>Description: An access control list (ACL) denied access to view the primary group ID of an object. An attacker might have compromised a user account and is looking to hide the group of a backdoor user. | Medium | T1564.002 | xdr_SuspiciousDenyAccessToPrimaryGroupId |
| Suspicious account link<br>Description: An account was linked through a cross-tenant administrative action. The action was performed in a suspicious way that may indicate the account is being used in an attempt to bypass MFA. | Medium | T1556 | xdr_SuspiciousAccountLink |
| Suspicious property lock deactivated on Microsoft Entra application<br>Description: The servicePrincipalLockConfiguration.isEnabled property of a Microsoft Entra application or one of its associated service principals was modified. Disabling this lock removes essential built-in protections that guard against unauthorized credential rotation, redirect URI tampering, and illicit permission grants. Changes to this setting are rare during standard administrative operations and often signal suspicious activity. Threat actors can deliberately disable the lock to weaken the application's security posture, creating an opening for lateral movement or privilege escalation within the environment. | Medium | T1562.001, T1671 | xdr_SuspiciousPropertyLockEntra |
Discovery alerts
This section describes alerts indicating that a malicious actor might be attempting to gather information about your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
Anomalous Samr activity (Preview)Description: Anomalous Security Account Manager Remote (SAMR) protocol activity detected, indicating potential discovery attempts within the network. An attacker might be attempting to bypass security controls for discovery. |
Medium | T1069, T1087 | xdr_SamrReconnaissanceSecurityAlert |
Okta sync service principal enumeratedDescription: A suspicious LDAP (Lightweight Directory Access Protocol) enumeration to find the Okta sync service account was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. |
High | T1087.002 | xdr_OktaSyncServicePrincipalEnumeration |
Possible Active Directory Certificate Services enumerationDescription: One or more potential Active Directory Certificate Services (AD CS) enumeration activities originating from the IP address {SourceIpAddress} have been detected. This enumeration might indicate an attacker's reconnaissance within the organization, potentially searching for AD CS vulnerabilities or misconfigurations, which could enable subsequent attack stages such as ESC techniques. |
Medium | T1649, T1087 | xdr_PossibleActiveDirectoryCertificateServicesEnumeration |
Possible Active Directory enumeration via ADWSDescription: One or more potential Active Directory (AD) enumeration activities via Active Directory Web Services (ADWS) have been detected. This enumeration might indicate an attacker's reconnaissance within the organization, potentially enabling subsequent stages of attacks. |
Medium | T1087.002, T1069.002, T1615 | xdr_PossibleActiveDirectoryEnumerationAdws |
Possible Kerberoasting LDAP reconnaissanceDescription: One or more suspicious Kerberoasting-related Lightweight Directory Access Protocol (LDAP) discovery activities originating from the IP address {SourceIpAddress} have been detected. This activity might indicate a potential Kerberoasting attack, where an attacker enumerates accounts with Service Principal Names (i.e. Kerberoastable accounts) in Active Directory and then requests Kerberos service tickets for these accounts. The attacker then extracts and attempts to crack the encrypted tickets offline to obtain the plaintext passwords of those accounts. These targeted accounts might have been compromised, allowing the attacker to move laterally within the organization, escalate privileges, steal data, or set up backdoors for future access and persistence. Investigate immediately to mitigate the associated security risks. |
High | T1087.002, T1558.003 | xdr_PossibleKerberoastingLdapRecon |
Possible SPN enumeration via ADWSDescription: One or more potential Service Principal Name (SPN) scanning activities via Active Directory Web Services (ADWS) have been detected. This enumeration might indicate an attacker's reconnaissance within the organization and could be used in attacks such as Kerberoasting. |
Medium | T1087.002 | xdr_PossibleSpnEnumerationAdws |
Possible SPN enumeration via LDAPDescription: One or more potential Service Principal Name (SPN) scanning activities via Lightweight Directory Access Protocol (LDAP), originating from the IP address {SourceIpAddress}, have been detected. This enumeration might indicate an attacker's reconnaissance within the organization and could be used in attacks such as Kerberoasting. |
Medium | T1087.002 | xdr_PossibleSpnEnumerationLdap |
Reconnaissance tool was observedDescription: A failed attempt to sign in to a user account by a tool used for reconnaissance was detected. An attacker might be preforming reconnaissance activities in preparation for an attack. |
High | T1087 | xdr_ReconnaissanceToolObsereved |
| Suspected account enumeration (Kerberos, NTLM, AD FS)<br>Description: Suspected account enumeration has been detected. A threat actor may have enumerated accounts in Active Directory to identify and map out weaknesses or vulnerabilities. If not mitigated, this activity can lead to serious security threats and data breaches. | Medium | T1087.002 | xdr_SuspectedAccountEnumeration |
| Suspicious addition of device on-premises<br>Description: A suspicious addition of a device on-premises has been observed. This could pose several risks, such as compliance issues, unauthorized access to sensitive or confidential work-related data or intellectual property, malware or phishing attacks, or a data breach. Investigate immediately to mitigate associated security risks. | High | T1098.005 | xdr_SuspiciousAdditionOfOnPremDevice |
| Suspicious Entra device join or registration<br>Description: A user suspiciously registered or joined a new device to Entra, originating from an IP address identified by Microsoft Threat Intelligence. An attacker might have compromised the user account to establish persistence and move laterally. Investigate immediately to mitigate associated security risks. | High | T1098.005 | xdr_SuspiciousDeviceRegistration |
| Suspicious LDAP query<br>Description: A suspicious Lightweight Directory Access Protocol (LDAP) query associated with a known attack tool was detected. An attacker might be performing reconnaissance for later steps. | High | T1087.002 | xdr_SuspiciousLdapQuery |
| Suspicious LDAP query targeting sensitive attributes<br>Description: A suspicious LDAP query containing sensitive attributes that are uncommon for the source device has been detected in Active Directory. Attackers might be attempting to determine and plan their lateral movement in the domain. Attackers use Active Directory LDAP attribute queries to gain critical information about the domain environment. | Medium | T1087.002, T1069.002 | xdr_SuspiciousSensitiveAttributeLdapQuery |
| Suspicious Server Message Block (SMB) enumeration from untrusted host<br>Description: Suspicious SMB session enumeration targeting the MDI sensor was detected. This indicates adversary reconnaissance aimed at identifying active user sessions on the host. | Medium | T1049 | xdr_SmbSessionEnumeration |
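The account enumeration alert above rests on one signal: a single source asking the KDC, or a domain controller validating NTLM, about many account names that do not exist. The Python below is an added example, not Defender for Identity code; it applies that heuristic to constructed Windows Security log extracts (event 4768 with result code 0x6, KDC_ERR_C_PRINCIPAL_UNKNOWN, and event 4776 with status 0xC0000064, STATUS_NO_SUCH_USER). The record field names, the 5-minute window and the threshold of 10 distinct names are assumptions chosen for the illustration; the sensor additionally sees AD FS failures, which a DC's Security log does not.

```python
"""Sliding-window account enumeration detector over constructed 4768/4776 events.
Added example, not Defender for Identity's own logic."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Status codes that mean "no such account": the fingerprint of name guessing.
# 4768 = Kerberos TGT request, 4776 = NTLM credential validation (Windows Security log).
UNKNOWN_PRINCIPAL = {
    "4768": ("Kerberos", {"0x6"}),        # KDC_ERR_C_PRINCIPAL_UNKNOWN
    "4776": ("NTLM", {"0xc0000064"}),     # STATUS_NO_SUCH_USER
}


def classify(event):
    """Return the protocol name if the event is an unknown-principal failure, else None."""
    entry = UNKNOWN_PRINCIPAL.get(event["event_id"])
    if entry and event["status"].lower() in entry[1]:
        return entry[0]
    return None


def detect_account_enumeration(events, window=timedelta(minutes=5), threshold=10):
    """Flag a source once it has tried >= `threshold` *distinct* non-existent account
    names inside a sliding `window` (assumed values). Counting distinct names rather
    than raw failures keeps a misconfigured service that retries one bad name from
    tripping the detector. `events` must be sorted by timestamp."""
    recent = defaultdict(deque)          # source -> deque of (ts, name, protocol)
    alerts, alerted = [], set()
    for ev in events:
        proto = classify(ev)
        if proto is None:
            continue
        q = recent[ev["source"]]
        q.append((ev["ts"], ev["target"].lower(), proto))
        while ev["ts"] - q[0][0] > window:   # drop entries older than the window
            q.popleft()
        names = {n for _, n, _ in q}
        if len(names) >= threshold and ev["source"] not in alerted:
            alerted.add(ev["source"])
            alerts.append({
                "source": ev["source"],
                "protocols": sorted({p for _, _, p in q}),
                "distinct_names": len(names),
                "first_seen": q[0][0],
                "last_seen": ev["ts"],
            })
    return alerts


def sample_events():
    """Constructed Security-log extracts (not real telemetry)."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    ev = []
    # 10.0.0.5: a backup job retrying one misspelled account over NTLM (benign noise).
    for i in range(15):
        ev.append({"ts": t0 + timedelta(seconds=20 * i), "event_id": "4776",
                   "source": "10.0.0.5", "target": "svc-bakcup", "status": "0xC0000064"})
    # 10.0.0.99: a wordlist of plausible names fired at the KDC (enumeration).
    for i in range(12):
        ev.append({"ts": t0 + timedelta(seconds=10 * i), "event_id": "4768",
                   "source": "10.0.0.99", "target": f"svc-{i:02d}", "status": "0x6"})
    # A normal successful TGT request is ignored by classify().
    ev.append({"ts": t0 + timedelta(seconds=5), "event_id": "4768",
               "source": "10.0.0.20", "target": "alice", "status": "0x0"})
    return sorted(ev, key=lambda e: e["ts"])


if __name__ == "__main__":
    for alert in detect_account_enumeration(sample_events()):
        print(alert)
```

The sample deliberately includes both a single retried typo and a wordlist so the effect of counting distinct names is visible: the retrying service never alerts, the wordlist source alerts on its tenth unique name.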
Execution alerts
This section describes alerts indicating that a malicious actor might be attempting to run malicious code in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Suspicious remote service installation<br>Description: A suspicious service installation was detected. This service was created in order to execute potentially malicious commands. An attacker might be using stolen credentials to carry out this attack. This might also indicate that a pass-the-hash attack was used. | Medium | T1569.002 | xdr_SuspiciousRemoteServiceInstallation |
Initial Access alerts
This section describes alerts indicating that a malicious actor might be attempting to gain initial access to your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Okta anonymous user access<br>Description: Anonymous user access was detected. | High | T1078 | xdr_OktaAnonymousUserAccess |
| Password spray against OneLogin<br>Description: A suspicious IP address attempted to authenticate to OneLogin using multiple valid accounts. An attacker might be attempting to find valid user account credentials for later follow-on behavior. | Medium | T1110.003 | xdr_OneLoginPasswordSpray |
| Potential Credential Abuse in Entra ID Authentication<br>Description: An authentication attempt was detected that aligns with patterns commonly associated with credential abuse or identity attacks. This activity may indicate the use of advanced attack techniques targeting identity infrastructure. | High | T1078.004 | xdr_SuspiciousEntraAuthentication |
| Suspicious account sign-in and configuration changes<br>Description: A suspicious sign-in and configuration changes have been observed from this account. This behavior might indicate that the user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousSignInAndUserTampering |
| Suspicious Entra cookie request from suspicious IPAddress<br>Description: A successful sign-in originating from a threat intelligence (TI)-associated IP address attempted to request a Primary Refresh Token (PRT) cookie in Microsoft Entra. This activity may indicate an attacker-controlled host attempting to abuse PRT authentication. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious Entra P2P certificate request from suspicious IPAddress<br>Description: A successful sign-in originating from a threat intelligence (TI)-associated IP address attempted to request a peer-to-peer (P2P) certificate in Microsoft Entra. This activity may indicate an attacker-controlled host attempting to abuse certificate-based authentication. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious Graph API request made from Entra ID sync application<br>Description: An unexpected Graph API request made by the Entra ID synchronization service application was detected. This behavior might indicate that the application was compromised and is being used for malicious activities. Go through the recommended actions to investigate immediately and mitigate associated risks. | Medium | T1087, T1069 | xdr_SuspiciousConnectSyncProvisioningGraphAPIActivity |
| Suspicious Okta account enumeration<br>Description: A suspicious IP address enumerated Okta accounts. An attacker might be attempting to perform discovery activities for later follow-on behavior. | High | T1078.004 | xdr_SuspiciousOktaAccountEnumeration |
| Suspicious OneLogin MFA fatigue<br>Description: A suspicious IP address sent several OneLogin multifactor authentication (MFA) challenge attempts for a user account. An attacker might have compromised the user's account credentials and is trying to flood and bypass the MFA mechanism. | Medium | T1110.003 | xdr_OneLoginMfaFatigue |
| Suspicious Sign-In from Unusual User Agent and IP Address<br>Description: A successful sign-in using an uncommon user agent and a potentially malicious IP address was detected in Microsoft Entra. This activity may indicate a password spray or credential stuffing attack originating from the attacker-controlled IP, or in rare cases, a compromised account being used for unauthorized access. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious sign-in from unusual user agent and IP address using device code flow<br>Description: A successful sign-in was detected using an uncommon or atypical user agent combined with a potentially risky IP address. This pattern is frequently associated with password spray, credential stuffing, or other unauthorized authentication attempts originating from attacker-controlled infrastructure. In some cases, it may also indicate the use of compromised credentials for unauthorized access. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious sign-in from unusual user agent and IP address using PowerShell<br>Description: A successful sign-in was detected using an uncommon or atypical user agent combined with a potentially risky IP address. This pattern is frequently associated with password spray, credential stuffing, or other unauthorized authentication attempts originating from attacker-controlled infrastructure. In some cases, it may also indicate the use of compromised credentials for unauthorized access. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious sign-in made to an admin account<br>Description: An admin account sign-in was performed in a suspicious manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousAdminAccountSignIn |
| Suspicious sign-in made using a malicious certificate<br>Description: A user signed in to the organization using a malicious certificate. This behavior might indicate that a user account was compromised and is being used for malicious activities, and that a malicious domain with an AADInternals certificate is registered in the organization. | High | T1078.001 | xdr_SignInUsingMaliciousCertificate |
| Suspicious sign-in observed from Entra ID sync application<br>Description: A suspicious sign-in from the Entra ID synchronization service application has been detected. This behavior might indicate that the application was compromised and is being used for malicious activities. Go through the recommended actions to investigate immediately and mitigate associated risks. | Medium | T1078.001 | xdr_SuspiciousConnectSyncProvisioningSignIn |
| Suspicious sign-in observed from Entra ID sync application to an uncommon resource app<br>Description: A suspicious sign-in from the Entra ID synchronization service application to an uncommon resource application has been detected. This behavior might indicate that the application was compromised and is being used for malicious activities. Go through the recommended actions to investigate immediately and mitigate associated risks. | Medium | T1078.001 | xdr_SuspiciousConnectSyncProvisioningSignIn |
| Suspicious sign-in observed to Entra ID sync application using an uncommon user agent<br>Description: A suspicious sign-in from the Entra ID synchronization service application using an uncommon user agent has been detected. This behavior might indicate that the application was compromised and is being used for malicious activities. Go through the recommended actions to investigate immediately and mitigate associated risks. | Medium | T1078.001 | xdr_SuspiciousConnectSyncProvisioningSignIn |
| Suspicious sign-in to a web app following MFA phone number tampering activity<br>Description: A suspicious sign-in to a web app was observed following configuration changes in a user account. This behavior might indicate that the user account was compromised and is being used for malicious activities. | High | T1078.001 | xdr_MfaPhoneNumberTamperingToSuspiciousWebAppSignIn |
| Suspicious sign-in to Microsoft Sentinel app made using Entra ID sync account<br>Description: A Microsoft Entra ID Connect sync account signed in to a Microsoft Sentinel resource in an unusual manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousMicrosoftSentinelAccessByEntraIdSyncAccount |
| Suspicious tool used by a Microsoft Entra Sync account<br>Description: A suspicious authentication to a Microsoft Entra ID account typically used for syncing operations was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. | High | T1078.004 | xdr_SuspiciousToolSyncAccountSignIn |
| Suspicious user agent sign-in on Microsoft Entra<br>Description: A suspicious user agent signed in to Microsoft Entra. This might indicate that the user account was compromised and is being used for malicious activities. | Medium | T1078.001 | xdr_SuspiciousEntraSignIn |
| Suspicious user configuration change activity from Entra ID sync application<br>Description: A suspicious user configuration change from the Entra ID synchronization service application has been observed. This behavior might indicate that the application was compromised and is being used for malicious activities. Go through the recommended actions to investigate and mitigate associated risks immediately. | Medium | T1078.001 | xdr_ConnectSyncProvisioningNonSyncActivity |
| Sync account risky sign-in to an uncommon app<br>Description: A Microsoft Entra ID Connect sync account that signed in to a risky session performed unusual activities. This behavior might indicate that a user account was compromised and is being used for malicious activities. | High | T1078.001 | xdr_RiskyEntraIDSyncAccount |
Lateral Movement alerts
This section describes alerts indicating that a malicious actor might be attempting to move between resources or identities in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Possible authentication silo bypass<br>Description: A possible attempt to bypass authentication silo policies and authenticate against a silo-protected service was detected on this device. | High | T1550 | xdr_PossibleAuthenticationSiloBypass |
| Possible takeover of a Microsoft Entra seamless SSO account<br>Description: A Microsoft Entra seamless SSO (single sign-on) account object, AZUREADSSOACC, was modified suspiciously. An attacker might be moving laterally from the on-premises environment to the cloud. | High | T1556 | xdr_SuspectedAzureSsoAccountTakeover |
| Suspected pass-the-ticket attack<br>Description: A pass-the-ticket (PtT) attack, also known as ticket replay, has been detected on this account. A ticket for the account {SourceAccountName} originating from the device {TargetDeviceName} has been reused on the device {DeviceName}. In this attack, a threat actor steals a valid Kerberos authentication ticket and reuses it to access other devices across the network. By replaying the stolen ticket, the threat actor can impersonate the user, move through the network, and escalate privileges without needing the account password. | Medium | T1550 | xdr_PassTheTicketAttack |
| Suspicious activity after password sync<br>Description: A user performed an uncommon action on an application after a recent password sync. An attacker might have compromised a user's account to perform malicious activities in the organization. | Medium | T1021.007 | xdr_SuspiciousActivityAfterPasswordSync |
| Suspicious authentication attempt<br>Description: A suspicious authentication attempt has been observed. This anomalous authentication request is suspected to have been specially crafted by an attacker. The attacker might be using a stolen hash or cleartext password for authentication, possibly in a pass-the-hash or overpass-the-hash attack. Investigate immediately to protect the account and organization from a security breach. | Medium | T1550.002 | xdr_SuspiciousAuthAttempt |
| Suspicious Kerberos SPN request<br>Description: A suspicious Kerberos SPN request has been observed. This anomalous request is suspected to have been specially crafted by an attacker. The attacker might be using stolen credentials from a compromised user and is leveraging them for a Kerberoasting attack. | Medium | T1558.003 | xdr_SuspiciousAuthAttempt |
| Suspicious resource-based constrained delegation (RBCD) authentication<br>Description: A Kerberos authentication pattern consistent with Resource-Based Constrained Delegation (RBCD) abuse was detected. The account '{DelegatingMachine}' requested a Kerberos service ticket to '{ServiceName}' while impersonating user '{SourceAccountName}' via delegation. RBCD abuse is a sophisticated attack technique that allows an attacker to impersonate users when accessing services hosted on a targeted account. This behavior might indicate an attacker's attempt to achieve lateral movement, privilege escalation, and establish persistence within the organization. | Medium | T1558 | xdr_SuspiciousRBCDAuthentication |
| Suspicious SMB NTLM authentication attempt<br>Description: A suspicious Server Message Block (SMB) NTLM (New Technology LAN Manager) authentication attempt was observed from the IP address {SourceIpAddress}. An attacker might have specially crafted this anomalous authentication request using stolen credentials. This might also indicate a pass-the-hash attack or a brute-force attack, a potential security breach, or a compromise within your network. | Medium | T1021.002 | xdr_SuspiciousSmbNtlmAuthenticationAttempt |
Persistence alerts
This section describes alerts indicating that a malicious actor might be attempting to maintain their foothold in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| OAuth app created a user<br>Description: A new user account was created by an OAuth application. An attacker might have compromised this application for persistence in the organization. | Medium | T1136.003 | xdr_OAuthAppCreatedAUser |
| Okta privileged API token created<br>Description: {ActorAliasName} created an API token. If stolen, it can grant the attacker access with the user's permissions. | High | T1078.004 | xdr_OktaPrivilegedApiTokenCreated |
| Okta privileged API token updated<br>Description: {ActorAliasName} updated a privileged API token configuration to be more permissive. If stolen, it can grant the attacker access with the user's permissions. | High | T1078.004 | xdr_OktaPrivilegedApiTokenUpdated |
| Shadow credentials added to account<br>Description: A shadow credential injection has been detected on the account. This could be an indication of persistence or lateral movement. Attackers inject shadow credentials into Active Directory (AD) accounts to gain or maintain access to the account they're attacking. | High | T1098 | xdr_ShadowCredentialsAttack |
| Shadow Credentials Added to Account and Used for Authentication<br>Description: An account had shadow credentials injected into it, and they have been used for authentication. When this happens, attackers can bypass traditional credential theft methods to gain persistent access to a user account. Aside from persistence, this could also be an indication of lateral movement. | High | T1098 | xdr_ShadowCredentialsAttack |
| Suspicious addition of ACL on-premises<br>Description: A suspicious addition of an ACL on-premises has been observed. This can lead to unauthorized access, elevated permissions, account and resource compromise, and lateral movement, among other outcomes. Investigate immediately to mitigate associated security risks. | High | T1098 | xdr_SuspiciousAdditionOfAcl |
| Suspicious addition of alternative phone number<br>Description: A new alternative phone number was added for one or more users in a suspicious way. An attacker might have done this to manipulate multifactor authentication and leverage mobile phone authentication to fraudulently gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
| Suspicious addition of email<br>Description: A new email address was added for multiple users in a suspicious way. An attacker might have done this to gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
| Suspicious change to primary group ID<br>Description: A user's primary group ID was modified. An attacker might have compromised a user account and assigned a backdoor user with strong permissions in the domain for later use. | High | T1098 | xdr_SuspiciousChangeInUserPrimaryGroupId |
| Suspicious Entra device join or registration<br>Description: A user suspiciously registered or joined a new device to Entra. An attacker might have compromised the user account to establish persistence and move laterally. Investigate immediately to mitigate associated security risks. | Medium | T1098.005 | xdr_SuspiciousAdditionOfEntraDevice |
| Suspicious Entra role addition<br>Description: A user was suspiciously assigned to a sensitive role. An attacker might have compromised the user account to establish persistence and move laterally. Investigate immediately to mitigate associated security risks. | Medium | T1098.003 | xdr_SuspiciousAdditionOfRoleToUser |
| Suspicious guest user invitation<br>Description: A new guest user was invited and accepted in a suspicious way. An attacker might have compromised a user account in the organization and is using it to add an unauthorized user for persistence purposes. | Medium | T1136.003 | xdr_SuspiciousGuestUserInvitation |
| Suspicious Intune device registration activity<br>Description: Microsoft Entra ID detected a potentially suspicious device registration attempt in Microsoft Intune. The device enrollment activity deviates from normal user or organizational behavior and may indicate unauthorized device onboarding or account misuse. Review the registering user, device details, location, and authentication context to confirm whether the registration was legitimate. | Medium | T1098.005 | xdr_SuspiciousIntuneDeviceRegistration |
| Suspicious MFA tampering activity by admin account<br>Description: An administrator account performed multifactor authentication (MFA) tampering activity after a risky authentication. An attacker might have compromised an admin account to manipulate MFA settings for possible lateral movement activity. | Low | T1556.006 | xdr_AdminAccountTakeover |
| Suspicious resource-based constrained delegation (RBCD) attribute change<br>Description: One or more suspicious Resource-Based Constrained Delegation (RBCD)-related Active Directory (AD) attribute changes were detected. Such activity is often an initial step in RBCD attacks and might allow an attacker to impersonate users when accessing the targeted account affected by the RBCD attribute change. This behavior might indicate an attacker's attempt to achieve privilege escalation and establish persistence within the organization. | Medium | T1098 | xdr_SuspiciousRbcdAttributeChange |
| User was created and assigned to sensitive role<br>Description: A new user was created and assigned to a sensitive role. An attacker might have compromised the user account to establish persistence and move laterally. | Medium | T1136.003, T1098.003 | xdr_SuspiciousUserCreationAndSensitiveRoleAssignment |
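Two of the alerts above, shadow credentials and the RBCD attribute change, are each triggered by a write to one Active Directory attribute: msDS-KeyCredentialLink and msDS-AllowedToActOnBehalfOfOtherIdentity respectively. The Python below is an added example, not the sensor's detection logic; it shows the same signal as it appears in Directory Service Changes auditing (Security event 5136, which only fires when the "Audit Directory Service Changes" subcategory is enabled and the objects carry a matching SACL). The record field names, the MSOL_ allowlist entry and the self-write exemption are assumptions for the illustration, and the records are constructed, not real telemetry.

```python
"""Flag value-added writes to the two AD attributes behind shadow-credential and
RBCD persistence, from constructed event 5136 records. Added example, not MDI code."""
from datetime import datetime, timedelta

# Attribute writes that are the persistence primitive behind the two alerts.
WATCHED = {
    "msDS-KeyCredentialLink": "shadow_credentials",
    "msDS-AllowedToActOnBehalfOfOtherIdentity": "rbcd",
}
VALUE_ADDED = "%%14674"      # 5136 OperationType: value added (%%14675 = value deleted)

# Hypothetical allowlist for this forest (assumption): the Entra Connect sync
# account that legitimately writes key credentials during device writeback.
ALLOWED_WRITERS = {"MSOL_a1b2c3d4"}


def rdn_value(dn):
    """'CN=DC01,OU=Domain Controllers,DC=corp,DC=example' -> 'DC01'"""
    return dn.split(",", 1)[0].split("=", 1)[1]


def analyze_5136(events):
    """Return one finding per suspicious value-added write to a watched attribute."""
    findings = []
    for ev in events:
        kind = WATCHED.get(ev["attribute"])
        if kind is None or ev["operation"] != VALUE_ADDED:
            continue
        writer, target = ev["subject"], rdn_value(ev["object_dn"])
        if writer in ALLOWED_WRITERS:
            continue
        # A computer account updating its *own* key credential is the device
        # registration path (assumed benign here); a different principal writing
        # someone else's key credential is the shadow-credential pattern.
        self_write = writer.rstrip("$").lower() == target.rstrip("$").lower()
        if kind == "shadow_credentials" and self_write:
            continue
        findings.append({"ts": ev["ts"], "kind": kind, "writer": writer,
                         "target": target, "attribute": ev["attribute"],
                         "dc": ev["computer"]})
    return findings


def sample_events():
    """Constructed 5136 extracts (not real telemetry)."""
    t0 = datetime(2024, 3, 1, 9, 0)
    base = {"computer": "DC01.corp.example", "operation": VALUE_ADDED}
    return [
        # sync account writing back a device key: allowlisted
        {**base, "ts": t0, "subject": "MSOL_a1b2c3d4",
         "attribute": "msDS-KeyCredentialLink",
         "object_dn": "CN=LAPTOP07,OU=Devices,DC=corp,DC=example"},
        # workstation refreshing its own key: self write, skipped
        {**base, "ts": t0 + timedelta(minutes=1), "subject": "WS01$",
         "attribute": "msDS-KeyCredentialLink",
         "object_dn": "CN=WS01,OU=Workstations,DC=corp,DC=example"},
        # a user adding a key credential to a domain controller object: shadow credentials
        {**base, "ts": t0 + timedelta(minutes=2), "subject": "bob",
         "attribute": "msDS-KeyCredentialLink",
         "object_dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"},
        # the same user granting delegation rights on a file server: RBCD
        {**base, "ts": t0 + timedelta(minutes=3), "subject": "bob",
         "attribute": "msDS-AllowedToActOnBehalfOfOtherIdentity",
         "object_dn": "CN=FILESRV,OU=Servers,DC=corp,DC=example"},
        # a value deletion and an unrelated attribute: both ignored
        {**base, "ts": t0 + timedelta(minutes=4), "subject": "bob",
         "operation": "%%14675", "attribute": "msDS-KeyCredentialLink",
         "object_dn": "CN=DC01,OU=Domain Controllers,DC=corp,DC=example"},
        {**base, "ts": t0 + timedelta(minutes=5), "subject": "bob",
         "attribute": "description",
         "object_dn": "CN=FILESRV,OU=Servers,DC=corp,DC=example"},
    ]


if __name__ == "__main__":
    for f in analyze_5136(sample_events()):
        print(f)
```

Catching the attribute write is earlier than the lateral-movement alert for RBCD authentication, which fires only once the delegation is used. The allowlist is the main false-positive control; it should contain exactly the accounts that perform device writeback in your forest and nothing else.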
Privilege Escalation alerts
This section describes alerts indicating that a malicious actor might be attempting to gain higher-level permissions in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Okta privilege escalation following anomalous sign in by {ActorAliasName}<br>Description: An anomalous Okta sign-in attempt (event {AnomalousLoginEventId}) at {AnomalousLoginTime} from IP address {IPAddress} was followed by privileged action {PrivilegedActionType} within the same session {SessionId} at {Timestamp}. Time delta between events: {DeltaSeconds}s. | High | T1110, T1548 | xdr_OktaPrivilegeEscalationFollowingSignIn |
| Okta session impersonation leading to privileged action for {AccountUpn}<br>Description: An Okta impersonation session (event {ImpersonationStartEventId}) was initiated at {ImpersonateSessionTime} from IP address {IPAddress}. A privileged action {PrivilegedActionType} occurred within the same session {SessionId} at {Timestamp}. The time between events was {DeltaSeconds}s. | High | T1548, T1134 | xdr_OktaUserSessionImpersonationPrivilegedAction |
| Risky sign in followed by privilege role grant<br>Description: A user account flagged with a high-risk Microsoft Entra sign-in assessment was assigned to a high-privilege directory role, such as Global Administrator or Privileged Role Administrator, shortly after signing in, using the Add member to role operation. This sequence strongly suggests a compromised credential followed by rapid privilege escalation. | Medium | T1078.004, T1098.003 | xdr_RiskySignInFollowedByPrivilegedRoleGrant |
| Suspicious addition and removal of elevated privileges<br>Description: A high-privilege Entra ID role (for example, Global Administrator or Privileged Role Administrator) was granted to a user or service principal and was revoked shortly afterwards. This rapid role assignment and removal pattern is uncommon in regular administrative workflows and might indicate an attempt to evade detection during privilege escalation. Investigate this alert immediately to prevent or mitigate any unauthorized access, privilege escalation, and security breach. | Medium | T1078.004 | xdr_SuspiciousAdditionAndRemovalOfPrivilegedRole |
| Suspicious certificate enrollment exploitation abusing ESC15<br>Description: A certificate was enrolled suspiciously. An attacker might be exploiting an Active Directory Certificate Services enrollment vulnerability (known as ESC15) to escalate privileges in the forest. | High | T1068 | xdr_SuspectedCertificateEnrollmentESC15 |
| Suspicious Entra domain addition observed<br>Description: A domain addition classified as suspicious by Microsoft Threat Intelligence has been observed. | Medium | T1484.002 | xdr_SuspiciousEntraDomainAddition |
| Suspicious SPN was added to a user<br>Description: A suspicious service principal name (SPN) was added to a sensitive user. An attacker might be attempting to gain elevated access for lateral movement within the organization. | High | T1098 | xdr_SuspiciousAdditionOfSpnToUser |
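The two Entra alerts above, a risky sign-in followed by a privileged role grant and a privileged role granted then quickly revoked, are both time-bounded correlations between sign-in records and audit records. The Python below is an added example, not the detector's implementation; it runs both correlations over constructed sign-in and audit records in one pass. The record shapes, the one-hour look-back and 30-minute look-forward windows, and the role list are assumptions for the illustration; the tenant data is constructed.

```python
"""Correlate high-risk sign-ins and privileged role changes from constructed Entra-style
records. Added example, not Defender for Identity's own detection logic."""
from datetime import datetime, timedelta

# Roles the page names as high privilege; extend for your tenant (assumption).
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}
ADD_OP, REMOVE_OP = "Add member to role", "Remove member from role"


def correlate(signins, audits,
              grant_window=timedelta(hours=1),
              revoke_window=timedelta(minutes=30)):
    """Return alerts for (a) a privileged role granted to a user within `grant_window`
    after that user's high-risk sign-in and (b) a privileged role granted and removed
    again from the same target within `revoke_window`. Windows are assumed values."""
    risky = [(s["ts"], s["user"]) for s in signins if s["risk"] == "high"]
    grants = [a for a in audits if a["operation"] == ADD_OP and a["role"] in PRIVILEGED_ROLES]
    removals = [a for a in audits if a["operation"] == REMOVE_OP]
    alerts = []
    for g in grants:
        # (a) look back from the grant for a high-risk sign-in of the same user
        for ts, user in risky:
            if user == g["target"] and timedelta(0) <= g["ts"] - ts <= grant_window:
                alerts.append({"rule": "risky_signin_then_privileged_grant",
                               "target": g["target"], "role": g["role"],
                               "initiator": g["initiator"],
                               "signin_ts": ts, "grant_ts": g["ts"]})
                break
        # (b) look forward from the grant for a matching removal
        for r in removals:
            if (r["target"], r["role"]) == (g["target"], g["role"]) \
                    and timedelta(0) <= r["ts"] - g["ts"] <= revoke_window:
                alerts.append({"rule": "privileged_grant_then_quick_revoke",
                               "target": g["target"], "role": g["role"],
                               "initiator": g["initiator"],
                               "grant_ts": g["ts"], "revoke_ts": r["ts"],
                               "held_for": r["ts"] - g["ts"]})
                break
    return alerts


def sample_data():
    """Constructed Entra-style sign-in and audit records (not real tenant data)."""
    def t(h, m):
        return datetime(2024, 3, 1, h, m)
    signins = [
        {"ts": t(9, 0), "user": "alice@contoso.example", "risk": "high"},
        {"ts": t(9, 30), "user": "bob@contoso.example", "risk": "none"},
        {"ts": t(8, 0), "user": "carol@contoso.example", "risk": "high"},
    ]
    audits = [
        # alice: high-risk sign-in, then Global Administrator 20 minutes later -> rule (a)
        {"ts": t(9, 20), "operation": ADD_OP, "role": "Global Administrator",
         "target": "alice@contoso.example", "initiator": "eve@contoso.example"},
        # bob: role added and stripped 12 minutes later -> rule (b)
        {"ts": t(10, 0), "operation": ADD_OP, "role": "Global Administrator",
         "target": "bob@contoso.example", "initiator": "eve@contoso.example"},
        {"ts": t(10, 12), "operation": REMOVE_OP, "role": "Global Administrator",
         "target": "bob@contoso.example", "initiator": "eve@contoso.example"},
        # carol: risky sign-in at 08:00 but the grant is seven hours later -> no alert
        {"ts": t(15, 0), "operation": ADD_OP, "role": "Privileged Role Administrator",
         "target": "carol@contoso.example", "initiator": "ops@contoso.example"},
        # dave: role removed three hours after the grant -> outside revoke window
        {"ts": t(11, 0), "operation": ADD_OP, "role": "Global Administrator",
         "target": "dave@contoso.example", "initiator": "ops@contoso.example"},
        {"ts": t(14, 0), "operation": REMOVE_OP, "role": "Global Administrator",
         "target": "dave@contoso.example", "initiator": "ops@contoso.example"},
        # non-privileged role: ignored entirely
        {"ts": t(9, 5), "operation": ADD_OP, "role": "Reports Reader",
         "target": "alice@contoso.example", "initiator": "ops@contoso.example"},
    ]
    return signins, audits


if __name__ == "__main__":
    for alert in correlate(*sample_data()):
        print(alert)
```

The sample includes two negative cases, a grant far outside the look-back and a removal far outside the look-forward, because in practice the window sizes decide the false-positive rate; legitimate just-in-time activation patterns in your tenant should inform them before either rule is enabled.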
Command and Control alerts
This section describes alerts that indicate when a malicious actor might be trying to communicate with systems they have already compromised in order to control them.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Suspicious DNS query from a device in the organization<br>Description: A device in the organization performed a DNS query for a domain name that is identified as suspicious by Microsoft Threat Intelligence. | Medium | T1071.004 | xdr_SuspiciousActiveDirectoryDnsQuery |
| Suspicious Entra Graph API query observed<br>Description: Suspicious Entra Graph API activity was observed, originating from an IP address identified by Microsoft Threat Intelligence. | Medium | T1071.001 | xdr_SuspiciousEntraGraphCall |