Azure Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
|---|---|---|---|---|---|
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | Password Spraying | Hunting | Active Directory Password Spraying, Compromised User Account | 2025-02-10 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | Password Spraying, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-11-14 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2025-02-10 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD AzureHound UserAgent Detected | Azure Active Directory MicrosoftGraphActivityLogs, Azure Active Directory NonInteractiveUserSignInLogs | Cloud Account, Cloud Service Discovery | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2025-01-06 |
| Azure AD Block User Consent For Risky Apps Disabled | Azure Active Directory Update authorization policy | Impair Defenses | TTP | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD Concurrent Sessions From Different Ips | Azure Active Directory | Browser Session Hijacking | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2024-11-14 |
| Azure AD Device Code Authentication | Azure Active Directory | Steal Application Access Token, Spearphishing Link | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD External Guest User Invited | Azure Active Directory Invite external user | Cloud Account | TTP | Azure Active Directory Persistence | 2024-11-14 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | Additional Email Delegate Permissions, Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-11-14 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2024-11-14 |
| Azure AD High Number Of Failed Authentications For User | Azure Active Directory | Password Guessing | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2025-02-10 |
| Azure AD High Number Of Failed Authentications From Ip | Azure Active Directory | Password Guessing, Password Spraying | TTP | Azure Active Directory Account Takeover, Compromised User Account, NOBELIUM Group | 2025-02-10 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | Multi-Factor Authentication, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Hunting | Azure Active Directory Account Takeover, NOBELIUM Group | 2025-02-10 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | Valid Accounts | Anomaly | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD Multiple Denied MFA Requests For User | Azure Active Directory Sign-in activity | Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | Cloud Accounts, Cloud Accounts, Multi-Factor Authentication Request Generation | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Multiple Service Principals Created by SP | Azure Active Directory Add service principal | Cloud Account | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2024-11-14 |
| Azure AD Multiple Service Principals Created by User | Azure Active Directory Add service principal | Cloud Account | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2024-11-14 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | Trust Modification | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | Trust Modification | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | Device Registration | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | Multi-Factor Authentication | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2025-02-10 |
| Azure AD OAuth Application Consent Granted By User | Azure Active Directory Consent to application | Steal Application Access Token | TTP | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD PIM Role Assigned | Azure Active Directory | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2025-02-10 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | Additional Cloud Roles | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2025-02-10 |
| Azure AD Privileged Authentication Administrator Role Assigned | Azure Active Directory Add member to role | Security Account Manager | TTP | Azure Active Directory Privilege Escalation | 2024-11-14 |
| Azure AD Privileged Graph API Permission Assigned | Azure Active Directory Update application | Security Account Manager | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-11-14 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2025-02-10 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2025-02-10 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | Cloud Accounts | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2024-11-14 |
| Azure AD Service Principal Created | Azure Active Directory Add service principal | Cloud Account | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2024-11-14 |
| Azure AD Service Principal Enumeration | Azure Active Directory MicrosoftGraphActivityLogs | Cloud Account, Cloud Service Discovery | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2025-01-06 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | Additional Cloud Credentials | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2025-02-10 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | Account Manipulation | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2024-11-14 |
| Azure AD Service Principal Privilege Escalation | Azure Active Directory Add app role assignment to service principal | Additional Cloud Roles | TTP | Azure Active Directory Privilege Escalation | 2025-02-10 |
| Azure AD Successful Authentication From Different Ips | Azure Active Directory | Password Guessing, Password Spraying | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2025-02-10 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | Cloud Accounts, Cloud Accounts | TTP | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | Additional Cloud Roles | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2025-02-10 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | Password Spraying, Credential Stuffing, Cloud Accounts | Anomaly | Azure Active Directory Account Takeover | 2025-02-10 |
| Azure AD User Consent Blocked for Risky Application | Azure Active Directory Consent to application | Steal Application Access Token | TTP | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD User Consent Denied for OAuth Application | Azure Active Directory Sign-in activity | Steal Application Access Token | TTP | Azure Active Directory Account Takeover | 2024-11-14 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Enable account, Azure Active Directory Reset password (by admin), Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-11-14 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | Account Manipulation | TTP | Azure Active Directory Persistence | 2024-11-14 |
| Azure Automation Account Created | Azure Audit Create or Update an Azure Automation account | Cloud Account | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | Cloud Account | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | Cloud Accounts | TTP | Azure Active Directory Persistence | 2025-02-10 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-06 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | Software Deployment Tools, Domain or Tenant Policy Modification, Cloud Services, Disable or Modify Tools, Disable or Modify System Firewall | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | Cloud Services, Software Deployment Tools, System Shutdown/Reboot | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | Software Deployment Tools, Cloud Services, Indirect Command Execution, Ingress Tool Transfer | Hunting | Azure Active Directory Account Takeover | 2025-01-07 |