Microsoft Sentinel Analytic Rules

CredentialAccess

Overview

| Rule Name | id | Required data connectors |
| --- | --- | --- |
| API - Account Takeover | 25c86f99-0a91-4b7f-88f3-599a008e5ab8 | 42CrunchAPIProtection |
| API - JWT validation | bbd163f4-1f56-434f-9c23-b06713c119c2 | 42CrunchAPIProtection |
| API - Password Cracking | d951d64d-0ecd-4675-8c79-6c870d5f72ac | 42CrunchAPIProtection |
| API - Suspicious Login | 7bdc10d6-aa24-4ca9-9a93-802cd8761354 | 42CrunchAPIProtection |
| Alsid Active Directory attacks pathways | 9649e203-3cb7-47ff-89a9-42f2a5eefe31 | AlsidForAD |
| Alsid DCSync | d3c658bd-8da9-4372-82e4-aaffa922f428 | AlsidForAD |
| Alsid Golden Ticket | 21ab3f52-6d79-47e3-97f8-ad65f2cb29fb | AlsidForAD |
| Alsid Indicators of Attack | 3caa67ef-8ed3-4ab5-baf2-3850d3667f3d | AlsidForAD |
| Alsid Indicators of Exposures | 154fde9f-ae00-4422-a8da-ef00b11da3fc | AlsidForAD |
| Alsid LSASS Memory | 3acf5617-7c41-4085-9a79-cc3a425ba83a | AlsidForAD |
| Alsid Password Guessing | ba239935-42c2-472d-80ba-689186099ea1 | AlsidForAD |
| Alsid Password issues | 472b7cf4-bf1a-4061-b9ab-9fe4894e3c17 | AlsidForAD |
| Alsid Password Spraying | 9e20eb4e-cc0d-4349-a99d-cad756859dfb | AlsidForAD |
| Alsid privileged accounts issues | a5fe9489-cf8b-47ae-a87e-8f3a13e4203e | AlsidForAD |
| Alsid user accounts issues | fb9e0b51-8867-48d7-86f4-6e76f2176bf8 | AlsidForAD |
| Credential Dumping Tools - Service Installation | 4ebbb5c2-8802-11ec-a8a3-0242ac120002 | SecurityEvents |
| Credential Dumping Tools - File Artifacts | 32ffb19e-8ed8-40ed-87a0-1adb4746b7c4 | SecurityEvents |
| Powershell Empire Cmdlets Executed in Command Line | ef88eb96-861c-43a0-ab16-f3835a97c928 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Password Exfiltration over SCIM application | 2e3c4ad5-8cb3-4b46-88ff-a88367ee7eaa | Authomize |
| Microsoft Entra ID Hybrid Health AD FS Suspicious Application | d9938c3b-16f9-444d-bc22-ea9a9110e0fd | AzureActivity |
| Rare subscription-level operations in Azure | 23de46ea-c425-4a77-b456-511ae4855d69 | AzureActivity |
| Mass secret retrieval from Azure Key Vault | 24f8c234-d1ff-40ec-8b73-96b17a3a9c1c | AzureKeyVault |
| Azure Key Vault access TimeSeries anomaly | 0914adab-90b5-47a3-a79f-7cdcac843aa7 | AzureKeyVault |
| Azure DevOps PAT used with Browser | 5f0d80db-3415-4265-9d52-8466b7372e3a | |
| Azure DevOps Variable Secret Not Secured | 4ca74dc0-8352-4ac5-893c-73571cc78331 | |
| Bitglass - Multiple failed logins | 7c570bfc-9f20-490e-80e8-b898c7ce4bda | Bitglass |
| CiscoISE - Certificate has expired | 6107cba5-2974-4c22-8222-2a6f7bbea664 | CiscoISE |
| CiscoISE - Device PostureStatus changed to non-compliant | 548a2eda-d3eb-46cc-8d4b-1601551629e4 | CiscoISE |
| Multi-Factor Authentication Disabled for a User | 65c78944-930b-4cae-bd79-c3664ae30ba7 | AzureActiveDirectory, AWS |
| Corelight - Forced External Outbound SMB | 73f23aa2-5cc4-4507-940b-75c9092e9e01 | Corelight |
| Exposed Email Address | b25aae75-d333-4b77-a7c1-b24644dc1e1f | CBSPollingIDAzureFunctions |
| Leaked Credential | a0a46e91-3f94-4ed4-ab70-ecd36ae0ead0 | CBSPollingIDAzureFunctions |
| Cynerio - IoT - Default password | 84e0ea1f-766d-4775-836a-c0c9cca05085 | CynerioSecurityEvents |
| Cynerio - IoT - Weak password | 65db1346-6435-4079-bbf4-9a7113c98054 | CynerioSecurityEvents |
| Dumping LSASS Process Into a File | a7b9df32-1367-402d-b385-882daf6e3020 | SecurityEvents |
| WDigest downgrade attack | f6502545-ae3a-4232-a8b0-79d87e5c98d7 | SecurityEvents |
| Threats detected by Eset | 2d8a60aa-c15e-442e-9ce3-ee924889d2a6 | EsetSMC |
| Expired access credentials being used in Azure | 433c3b0a-7278-4d74-b137-963ac6f9a7e7 | AzureActiveDirectory |
| Password Spraying | e00f72ab-fea1-4a31-9ecc-eea6397cd38d | MicrosoftThreatProtection |
| Flare Leaked Credentials | 9cb7c337-f170-4af6-b0e8-b6b7552d762d | Flare |
| Flare Infected Device | 9cb7c337-f176-4af6-b0e8-b6b7552d762d | Flare |
| GitLab - Brute-force Attempts | 2238d13a-cf05-4973-a83f-d12a25dbb153 | Syslog |
| GitLab - Local Auth - No MFA | e0b45487-5c79-482d-8ac0-695de8c031af | Syslog |
| GitLab - Repository visibility to Public | 8b291c3d-90ba-4ebf-af2c-0283192d430e | Syslog |
| GitLab - SSO - Sign-Ins Burst | 57b1634b-531d-4eab-a456-8b855887428f | AzureActiveDirectory |
| Google DNS - Exchange online autodiscover abuse | 424c2aca-5367-4247-917a-5d0f7035e40e | GCPDNSDataConnector |
| GWorkspace - Possible brute force attack | 8f6cd9a4-5e57-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| GWorkspace - Two-step authentification disabled for a user | c8cc02d0-5da6-11ec-bf63-0242ac130002 | GoogleWorkspaceReportsAPI |
| Highly Sensitive Password Accessed | b39e6482-ab7e-4817-813d-ec910b64b26e | LastPass |
| [Deprecated] - Known Diamond Sleet related maldoc hash | 3174a9ec-d0ad-4152-8307-94ed04fa450a | CiscoASA, PaloAltoNetworks, SecurityEvents |
| [Deprecated] - Emerald Sleet domains included in DCU takedown | 70b12a3b-4896-42cb-910c-5ffaf8d7987d | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Possible Forest Blizzard attempted credential harvesting - Oct 2020 | 68271db2-cbe9-4009-b1d3-bb3b5fe5713c | Office365 |
| [Deprecated] - Known Granite Typhoon domains and hashes | 26a3b261-b997-4374-94ea-6c37f67f4f39 | DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, SecurityEvents, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| [Deprecated] - Known Ruby Sleet domains and hashes | c87fb346-ea3a-4c64-ba92-3dd383e0f0b5 | SquidProxy, DNS, AzureMonitor(VMInsights), CiscoASA, PaloAltoNetworks, AzureFirewall, Zscaler, InfobloxNIOS, GCPDNSDataConnector, NXLogDnsLogs, CiscoUmbrellaDataConnector, Corelight |
| DopplePaymer Procdump | 1be34fb9-f81b-47ae-84fb-465e6686d76c | MicrosoftThreatProtection |
| LSASS Credential Dumping with Procdump | c332b840-61e4-462e-a201-0e2d69bad45d | MicrosoftThreatProtection |
| Detect Potential Kerberoast Activities | 12134de5-361b-427c-a1a0-d43f40a593c4 | MicrosoftThreatProtection |
| LaZagne Credential Theft | 7d0d3050-8dac-4b83-bfae-902f7dc0c21c | MicrosoftThreatProtection |
| Modified domain federation trust settings | 95dc4ae3-e0f2-48bd-b996-cdd22b90f9af | AzureActiveDirectory |
| Password spray attack against ADFSSignInLogs | 5533fe80-905e-49d5-889a-df27d2c3976d | AzureActiveDirectory |
| Brute Force Attack against GitHub Account | 97ad74c4-fdd9-4a3f-b6bf-5e28f4f71e06 | AzureActiveDirectory |
| Brute force attack against a Cloud PC | 3fbc20a4-04c4-464e-8fcb-6667f53e4987 | AzureActiveDirectory |
| Credential added after admin consented to Application | 707494a5-8e44-486b-90f8-155d1797a8eb | AzureActiveDirectory |
| Distributed Password cracking attempts in Microsoft Entra ID | bfb1c90f-8006-4325-98be-c7fffbc254d6 | AzureActiveDirectory |
| Explicit MFA Deny | a22740ec-fc1e-4c91-8de6-c29c6450ad00 | AzureActiveDirectory, MicrosoftThreatProtection |
| Failed login attempts to Azure Portal | 223db5c1-1bf8-47d8-8806-bed401b356a4 | AzureActiveDirectory |
| Suspicious application consent similar to O365 Attack Toolkit | f948a32f-226c-4116-bddd-d95e91d97eb9 | AzureActiveDirectory |
| Suspicious application consent similar to PwnAuth | 39198934-62a0-4781-8416-a81265c03fd6 | AzureActiveDirectory |
| MFA Spamming followed by Successful login | a8cc6d5c-4e7e-4b48-b4ac-d8a116c62a8b | AzureActiveDirectory |
| NRT Modified domain federation trust settings | 8540c842-5bbc-4a24-9fb2-a836c0e55a51 | AzureActiveDirectory |
| Password spray attack against Microsoft Entra ID Seamless SSO | fb7ca1c9-e14c-40a3-856e-28f3c14ea1ba | AzureActiveDirectory |
| GitHub Signin Burst from Multiple Locations | d3980830-dd9d-40a5-911f-76b44dfdce16 | AzureActiveDirectory |
| Brute force attack against Azure Portal | 28b42356-45af-40a6-a0b4-a554cdfd5d8a | AzureActiveDirectory |
| Password spray attack against Microsoft Entra ID application | 48607a29-a26a-4abf-8078-a06dbdd174a4 | AzureActiveDirectory |
| Successful logon from IP and failure from a different IP | 02ef8d7e-fc3a-4d86-a457-650fa571d8d2 | AzureActiveDirectory, BehaviorAnalytics |
| Suspicious Entra ID Joined Device Update | 3a3c6835-0086-40ca-b033-a93bf26d878f | AzureActiveDirectory |
| Suspicious application consent for offline access | 3533f74c-9207-4047-96e2-0eb9383be587 | AzureActiveDirectory |
| Suspicious Service Principal creation activity | 6852d9da-8015-4b95-8ecf-d9572ee0395d | AzureActiveDirectory |
| Mimecast Audit - Logon Authentication Failed | 9c5dcd76-9f6d-42a3-b984-314b52678f20 | MimecastAuditAPI |
| Cross-Cloud Password Spray detection | 1f40ed57-f54b-462f-906a-ac3a89cc90d4 | AWS, AzureActiveDirectory, BehaviorAnalytics, MicrosoftThreatProtection |
| Cross-Cloud Suspicious Compute resource creation in GCP | 5c847e47-0a07-4c01-ab99-5817ad6cb11e | GCPAuditLogsDefinition, AWSS3 |
| Cross-Cloud Suspicious user activity observed in GCP Envourment | 58e306fe-1c49-4b8f-9b0e-15f25e8f0cd7 | GCPAuditLogsDefinition, AzureActiveDirectoryIdentityProtection, MicrosoftThreatProtection, MicrosoftDefenderAdvancedThreatProtection, MicrosoftCloudAppSecurity |
| Cross-Cloud Unauthorized Credential Access Detection From AWS RDS Login | 122fbc6a-57ab-4aa7-b9a9-51ac4970cac1 | AzureActiveDirectory, AWSS3 |
| Successful AWS Console Login from IP Address Observed Conducting Password Spray | 188db479-d50a-4a9c-a041-644bae347d1f | AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Suspicious AWS console logins by credential access alerts | b51fe620-62ad-4ed2-9d40-5c97c0a8231f | OfficeATP, AWS, MicrosoftDefenderAdvancedThreatProtection, AzureActiveDirectoryIdentityProtection, BehaviorAnalytics, MicrosoftThreatProtection |
| Unauthorized user access across AWS and Azure | 60f31001-018a-42bf-8045-a92e1f361b7b | AzureActiveDirectory, AWSS3 |
| Remote Desktop Network Brute force (ASIM Network Session schema) | b7dc801e-1e79-48bb-91e8-2229a8e6d40b | |
| Failed Logins from Unknown or Invalid User | 884be6e7-e568-418e-9c12-89229865ffde | OktaSSO, OktaSSOv2 |
| MFA Fatigue (OKTA) | c2697b81-7fe9-4f57-ba1d-de46c6f91f9c | OktaSSO, OktaSSOv2 |
| Potential Password Spray Attack | e27dd7e5-4367-4c40-a2b7-fcd7e7a8a508 | OktaSSO, OktaSSOv2 |
| Palo Alto Prisma Cloud - Multiple failed logins for user | 4f688252-bf9b-4136-87bf-d540b5be1050 | PaloAltoPrismaCloud |
| Ping Federate - Abnormal password reset attempts | e45a7334-2cb4-4690-8156-f02cac73d584 | PingFederate, PingFederateAma |
| PulseConnectSecure - Potential Brute Force Attempts | 34663177-8abf-4db1-b0a4-5683ab273f44 | PulseConnectSecure |
| PulseConnectSecure - Large Number of Distinct Failed User Logins | 1fa1528e-f746-4794-8a41-14827f4cb798 | PulseConnectSecure |
| Red Canary Threat Detection | 6d263abb-6445-45cc-93e9-c593d3d77b89 | RedCanaryDataConnector |
| Brute force attack against user credentials | 5a6ce089-e756-40fb-b022-c8e8864a973a | SalesforceServiceCloud |
| Potential Password Spray Attack | 64d16e62-1a17-4a35-9ea7-2b9fe6f07118 | SalesforceServiceCloud |
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | 16daa67c-b137-48dc-8eb7-76598a44791a | AzureActiveDirectory, Zscaler |
| Semperis DSP Kerberos krbtgt account with old password | 9ff3b26b-7636-412e-ac46-072b084b94cb | SemperisDSP |
| Azure secure score block legacy authentication | C27BB559-28C5-4924-A7DA-3BF04CD02C8F | SenservaPro |
| Azure secure score MFA registration V2 | 8EB2B20A-BF64-4DCC-9D98-1AD559502C00 | SenservaPro |
| Azure secure score PW age policy new | 88C9A5E0-31EC-490B-82E5-A286D9B99A67 | SenservaPro |
| Sentinel One - User viewed agent’s passphrase | 51999097-60f4-42c0-bee8-fa28160e5583 | SentinelOne |
| SlackAudit - Multiple failed logins for user | 93a91c37-032c-4380-847c-957c001957ad | SlackAuditAPI |
| SpyCloud Enterprise Breach Detection | cb410ad5-6e9d-4278-b963-1e3af205d680 | |
| SpyCloud Enterprise Malware Detection | 7ba50f9e-2f94-462b-a54b-8642b8c041f5 | |
| ClientDeniedAccess | a9956d3a-07a9-44a6-a279-081a85020cae | SymantecVIP |
| Excessive Failed Authentication from Invalid Inputs | c775a46b-21b1-46d7-afa6-37e3e577a27b | SymantecVIP |
| Failed logon attempts in authpriv | e7ec9fa6-e7f7-41ed-a34b-b956837a3ee6 | Syslog, SyslogAma |
| SSH - Potential Brute Force | e1ce0eab-10d1-4aae-863f-9a383345ba88 | Syslog, SyslogAma |
| Tenable.ad Active Directory attacks pathways | 4639bb0a-ca12-4a57-8e53-f61c2c6034d6 | Tenable.ad |
| Tenable.ad DCSync | 0c8d4de3-adb9-4161-a863-aa1e2c8bd959 | Tenable.ad |
| Tenable.ad Golden Ticket | d1abda25-f88a-429a-8163-582533cd0def | Tenable.ad |
| Tenable.ad Indicators of Attack | 6405329a-8d20-48f3-aabc-e1b8a745568e | Tenable.ad |
| Tenable.ad Indicators of Exposures | 55de1072-e93f-40f9-a14d-f7356d217cf6 | Tenable.ad |
| Tenable.ad LSASS Memory | 6f7fa5f9-7d21-42c1-bc52-ac355b87c6cf | Tenable.ad |
| Tenable.ad Password Guessing | 44d74560-0cd1-4e73-a8f5-d16eeeba219e | Tenable.ad |
| Tenable.ad Password issues | 2518b57f-1a8b-44ea-935d-7dc1cfe4f918 | Tenable.ad |
| Tenable.ad Password Spraying | 29d350db-0ac0-4f4c-92ff-dac0f6335612 | Tenable.ad |
| Tenable.ad privileged accounts issues | 353d6474-d795-4086-a179-ba1db4d8bbcb | Tenable.ad |
| Tenable.ad user accounts issues | 4f8ed6f3-8815-437d-9462-f0def9dc70d6 | Tenable.ad |
| Vectra AI Detect - Suspected Compromised Account | 321f9dbd-64b7-4541-81dc-08cf7732ccb0 | AIVectraDetect, AIVectraDetectAma |
| Vectra Account’s Behaviors | ce54b5d3-4c31-4eaf-a73e-31412270b6ab | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Detections with High Severity | 39e48890-2c02-487e-aa9e-3ba494061798 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspected Compromised Host | 60eb6cf0-3fa1-44c1-b1fe-220fbee23d63 | AIVectraDetect, AIVectraDetectAma |
| Vectra Host’s Behaviors | 33e3b6da-2660-4cd7-9032-11be76db88d2 | AIVectraDetect, AIVectraDetectAma |
| Vectra AI Detect - Suspicious Behaviors by Category | 6cb75f65-231f-46c4-a0b3-50ff21ee6ed3 | AIVectraDetect, AIVectraDetectAma |
| Alarming number of anomalies generated in NetBackup | 2e0efcd4-56d2-41df-9098-d6898a58c62b | |
| Multiple failed attempts of NetBackup login | d39f0c47-2e85-49b9-a686-388c2eb7062c | |
| Identify instances where a single source is observed using multiple user agents (ASIM Web Session) | 813ccf3b-0321-4622-b0bc-63518fd14454 | |
| Detect potential file enumeration activity (ASIM Web Session) | b3731ce1-1f04-47c4-95c2-9827408c4375 | |
| Excessive Windows Logon Failures | 2391ce61-8c8d-41ac-9723-d945b2e90720 | SecurityEvents, WindowsSecurityEvents |
| SecurityEvent - Multiple authentication failures followed by a success | cf3ede88-a429-493b-9108-3e46d3c741f7 | SecurityEvents, WindowsSecurityEvents |
| Non Domain Controller Active Directory Replication | b9d2eebc-5dcb-4888-8165-900db44443ab | SecurityEvents, WindowsSecurityEvents |
| Zero Networks Segment - New API Token created | 603a6b18-b54a-43b7-bb61-d2b0b47d224a | ZeroNetworksSegmentAuditFunction, ZeroNetworksSegmentAuditNativePoller |
| Brute force attack against user credentials (Uses Authentication Normalization) | a6c435a2-b1a0-466d-b730-9f8af69262e8 | |
| Potential Password Spray Attack (Uses Authentication Normalization) | 6a2e2ff4-5568-475e-bef2-b95f12b9367b | |
| Dev-0228 File Path Hashes November 2021 (ASIM Version) | 29a29e5d-354e-4f5e-8321-8b39d25047bf | |
| Excessive number of HTTP authentication failures from a source (ASIM Web Session schema) | a1bddaf8-982b-4089-ba9e-6590dfcf80ea | SquidProxy, Zscaler |
| Trust Monitor Event | 8dcf7238-a7d0-4cfd-8d0c-b230e3cd9182 | |
| IP with multiple failed Microsoft Entra ID logins successfully logs in to Palo Alto VPN | ba144bf8-75b8-406f-9420-ed74397f9479 | AzureActiveDirectory, PaloAltoNetworks |
| Failed AzureAD logons but success logon to AWS Console | 643c2025-9604-47c5-833f-7b4b9378a1f5 | AzureActiveDirectory, AWS |
| Failed AzureAD logons but success logon to host | 8ee967a2-a645-4832-85f4-72b635bcb3a6 | AzureActiveDirectory, SecurityEvents, Syslog, WindowsSecurityEvents, WindowsForwardedEvents |
| Failed AWS Console logons but success logon to AzureAD | 910124df-913c-47e3-a7cd-29e1643fa55e | AzureActiveDirectory, AWS |
| Dev-0228 File Path Hashes November 2021 | 3b443f22-9be9-4c35-ac70-a94757748439 | MicrosoftDefenderAdvancedThreatProtection, MicrosoftThreatProtection |
| Europium - Hash and IP IOCs - September 2022 | 9d8b5a18-b7db-4c23-84a6-95febaf7e1e4 | DNS, AzureMonitor(VMInsights), F5, CiscoASA, PaloAltoNetworks, Fortinet, CheckPoint, CEF, MicrosoftThreatProtection, Office365, AzureFirewall, WindowsFirewall |
| Failed host logons but success logon to AzureAD | 1ce5e766-26ab-4616-b7c8-3b33ae321e80 | AzureActiveDirectory, SecurityEvents, Syslog, WindowsSecurityEvents, WindowsForwardedEvents |
| Multiple Password Reset by user | 0b9ae89d-8cad-461c-808f-0494f70ad5c4 | AzureActiveDirectory, SecurityEvents, Syslog, Office365, WindowsSecurityEvents, WindowsForwardedEvents |
| Azure VM Run Command operation executed during suspicious login window | 11bda520-a965-4654-9a45-d09f372f71aa | AzureActivity, BehaviorAnalytics |
| AD FS Abnormal EKU object identifier attribute | cfc1ae62-db63-4a3e-b88b-dc04030c2257 | SecurityEvents |
| Failed logon attempts by valid accounts within 10 mins | 0777f138-e5d8-4eab-bec1-e11ddfbc2be2 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Potential Kerberoasting | 1572e66b-20a7-4012-9ec4-77ec4b101bc8 | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| New country signIn with correct password | 7808c05a-3afd-4d13-998a-a59e2297693f | AzureActiveDirectory |
| High count of failed attempts from same client IP | 19e01883-15d8-4eb6-a7a5-3276cd668388 | AzureMonitor(IIS) |
| High count of failed logons by a user | 884c4957-70ea-4f57-80b9-1bca3890315b | AzureMonitor(IIS) |
| Zoom E2E Encryption Disabled | e4779bdc-397a-4b71-be28-59e6a1e1d16b | |
| External User Access Enabled | 8e267e91-6bda-4b3c-bf68-9f5cbdd103a3 | |
| Suspicious link sharing pattern | 1218175f-c534-421c-8070-5dcaabf28067 | |