Azure Detections

| Name | Data Source | Technique | Type | Analytic Story | Date |
| --- | --- | --- | --- | --- | --- |
| Detect Distributed Password Spray Attempts | Azure Active Directory Sign-in activity | T1110.003 | Hunting | Active Directory Password Spraying, Compromised User Account | 2026-05-13 |
| Microsoft Intune Device Health Scripts | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Denied MFA Requests For User | Azure Active Directory Sign-in activity | T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD New Federated Domain Added | Azure Active Directory Set domain authentication | T1484.002 | TTP | Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Hellcat Ransomware | 2026-05-13 |
| Azure AD AzureHound UserAgent Detected | Azure Active Directory NonInteractiveUserSignInLogs, Azure Active Directory MicrosoftGraphActivityLogs | T1087.004, T1526 | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2026-05-13 |
| Azure AD External Guest User Invited | Azure Active Directory Invite external user | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune Mobile Apps | Azure Monitor Activity | T1021.007, T1072, T1105, T1202 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD OAuth Application Consent Granted By User | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Privileged Authentication Administrator Role Assigned | Azure Active Directory Add member to role | T1003.002 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Service Principal Authentication | Azure Active Directory Sign-in activity | T1078.004 | TTP | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| Azure AD Global Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD High Number Of Failed Authentications From Ip | Azure Active Directory | T1110.001, T1110.003 | TTP | Azure Active Directory Account Takeover, NOBELIUM Group, Compromised User Account | 2026-05-13 |
| Azure AD Concurrent Sessions From Different Ips | Azure Active Directory | T1185 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account | 2026-05-13 |
| Azure AD PIM Role Assigned | Azure Active Directory | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Tenant Wide Admin Consent Granted | Azure Active Directory Consent to application | T1098.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD Device Code Authentication | Azure Active Directory | T1528, T1566.002 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Service Principals Created by User | Azure Active Directory Add service principal | T1136.003 | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD User Consent Denied for OAuth Application | Azure Active Directory Sign-in activity | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Privilege Escalation | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | Azure Active Directory Privilege Escalation | 2026-05-13 |
| Microsoft Intune Bulk Wipe | Azure Monitor Activity | T1561.001 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Failed MFA Requests For User | Azure Active Directory Sign-in activity | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Created | Azure Active Directory Add service principal | T1136.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD Block User Consent For Risky Apps Disabled | Azure Active Directory Update authorization policy | T1685 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal Owner Added | Azure Active Directory Add owner to application | T1098 | TTP | Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| Azure Runbook Webhook Created | Azure Audit Create or Update an Azure Automation webhook | T1078.004 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune Manual Device Management | Azure Monitor Activity | T1021.007, T1072, T1529 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD PIM Role Assignment Activated | Azure Active Directory | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Multiple AppIDs and UserAgents Authentication Spike | Azure Active Directory Sign-in activity | T1078 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Multiple Service Principals Created by SP | Azure Active Directory Add service principal | T1136.003 | Anomaly | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD New Custom Domain Added | Azure Active Directory Add unverified domain | T1484.002 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Unusual Number of Failed Authentications From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure Automation Account Created | Azure Audit Create or Update an Azure Automation account | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Azure AD FullAccessAsApp Permission Assigned | Azure Active Directory Update application | T1098.002, T1098.003 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD Service Principal Enumeration | Azure Active Directory MicrosoftGraphActivityLogs | T1087.004, T1526 | TTP | Azure Active Directory Privilege Escalation, Compromised User Account | 2026-05-13 |
| Azure AD Multi-Factor Authentication Disabled | Azure Active Directory Disable Strong Authentication | T1556.006, T1586.003 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters | 2026-05-13 |
| Azure AD Successful Single-Factor Authentication | Azure Active Directory | T1078.004, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Service Principal New Client Credentials | Azure Active Directory | T1098.001 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| Azure AD Multiple Users Failing To Authenticate From Ip | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Anomaly | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Application Administrator Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation | 2026-05-13 |
| Azure AD Privileged Role Assigned | Azure Active Directory Add member to role | T1098.003 | TTP | Storm-0501 Ransomware, Scattered Lapsus$ Hunters, Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD Privileged Graph API Permission Assigned | Azure Active Directory Update application | T1003.002 | TTP | Azure Active Directory Persistence, NOBELIUM Group | 2026-05-13 |
| Azure AD New MFA Method Registered | Azure Active Directory Update user | T1098.005 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD New MFA Method Registered For User | Azure Active Directory User registered security info | T1556.006 | TTP | Azure Active Directory Account Takeover, Scattered Lapsus$ Hunters, Compromised User Account | 2026-05-13 |
| Azure AD Privileged Role Assigned to Service Principal | Azure Active Directory Add member to role | T1098.003 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| Azure AD Multi-Source Failed Authentications Spike | Azure Active Directory | T1110.003, T1110.004, T1586.003 | Hunting | Azure Active Directory Account Takeover, NOBELIUM Group | 2026-05-13 |
| Azure AD User ImmutableId Attribute Updated | Azure Active Directory Update user | T1098 | TTP | Azure Active Directory Persistence, Hellcat Ransomware | 2026-05-13 |
| Azure AD User Consent Blocked for Risky Application | Azure Active Directory Consent to application | T1528 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD Admin Consent Bypassed by Service Principal | Azure Active Directory Add app role assignment to service principal | T1098.003 | TTP | Azure Active Directory Privilege Escalation, NOBELIUM Group | 2026-05-13 |
| Azure Automation Runbook Created | Azure Audit Create or Update an Azure Automation Runbook | T1136.003 | TTP | Azure Active Directory Persistence | 2026-05-13 |
| Microsoft Intune DeviceManagementConfigurationPolicies | Azure Monitor Activity | T1021.007, T1072, T1484, T1685, T1686 | Hunting | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD User Enabled And Password Reset | Azure Active Directory Reset password (by admin), Azure Active Directory Update user, Azure Active Directory Enable account | T1098 | TTP | Scattered Lapsus$ Hunters, Azure Active Directory Persistence | 2026-05-13 |
| Azure AD Successful Authentication From Different Ips | Azure Active Directory | T1110.001, T1110.003 | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2026-05-13 |
| Azure AD Authentication Failed During MFA Challenge | Azure Active Directory | T1078.004, T1586.003, T1621 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure Active Directory High Risk Sign-in | Azure Active Directory | T1110.003, T1586.003 | TTP | Azure Active Directory Account Takeover | 2026-05-13 |
| Azure AD High Number Of Failed Authentications For User | Azure Active Directory | T1110.001 | TTP | Azure Active Directory Account Takeover, Compromised User Account | 2026-05-13 |