Managed Sentinel intends to build and share with the community an extensive list of use-cases, each with full details: threat indicators, severity level, MITRE ATT&CK tactics, the log sources that supply the data, and the situations in which the alert may be a false positive. We are also including the recommended actions for investigating or remediating the security event.
| Alert ID | Description |
|---|---|
| MS-A001 | Access by the same user to a system from multiple sources |
| MS-A002 | Anomalous Azure AD apps based on authentication location |
| MS-A003 | Anomalous sign-in location by user account and authenticating application |
| MS-A004 | Monitor and alert on activity for specific SharePoint file or folder |
| MS-A005 | Admin authentication failure detected on firewall - Palo Alto |
| MS-A006 | Azure application(s) added |
| MS-A007 | Azure AD sign-ins from new locations |
| MS-A008 | SharePoint site permission modifications |
| MS-A009 | AD account with password set to never expire |
| MS-A010 | FTP/SFTP from internal hosts to foreign countries |
| MS-A011 | Office 365 Anonymous SharePoint Link used |
| MS-A012 | Changes made to an AWS IAM policy |
| MS-A013 | CnC - Command and Control Interaction (Threat Intelligence) |
| MS-A014 | Common deployed resources in Azure |
| MS-A015 | Creation and modification of privileged account attributes |
| MS-A016 | Creation of an anomalous number of resources in Azure |
| MS-A017 | MCAS Detect Leaked Credentials |
| MS-A018 | MCAS Malware Detected |
| MS-A019 | Network switch failed authentication |
| MS-A020 | Network switch login failure |
| MS-A022 | MFA disabled for a user - Azure AD |
| MS-A023 | DNS commonly abused TLDs - Top Level Domains |
| MS-A024 | DNS Domain anomalous lookup increase |
| MS-A025 | DNS Domains linked to WannaCry ransomware campaign (Threat Intelligence) |
| MS-A026 | DNS Full Name anomalous lookup increase (Outlier) |
| MS-A027 | DNS high NXDomain count (Outlier) |
| MS-A028 | DNS high reverse DNS count (Outlier) |
| MS-A029 | Brute force attack against Azure Portal |
| MS-A030 | Excessive outbound DNS queries |
| MS-A031 | Excessive inbound firewall allows |
| MS-A032 | Excessive inbound firewall denies |
| MS-A033 | Excessive number of Windows account lockouts |
| MS-A034 | Excessive outbound firewall allows |
| MS-A035 | Excessive outbound firewall denies |
| MS-A036 | Internal hosts using unsanctioned DNS servers |
| MS-A037 | Failed login attempts to Azure Portal |
| MS-A038 | Missing Windows security and critical updates |
| MS-A039 | Network Scan detected |
| MS-A040 | Firewall configuration change detected |
| MS-A041 | Granting elevated permissions to an Azure account |
| MS-A042 | Excessive outbound traffic (data transferred out from internal network) |
| MS-A044 | High bandwidth usage with streaming data |
| MS-A045 | High number of connections on specific open ports |
| MS-A046 | Outbound traffic to known bad IPs (Managed Sentinel Threat Intelligence) |
| MS-A047 | Outbound traffic to known bad IPs (Managed Sentinel Threat Intel) - Cisco ASA |
| MS-A048 | Inbound management traffic allowed through perimeter firewall (from Internet or any other untrusted zone) |
| MS-A051 | Abnormal activity for a high profile user in O365 |
| MS-A054 | High severity IPS Signatures from sources originating from internal network |
| MS-A055 | Internal hosts matching 3 or more distinct IPS signatures within an hour |
| MS-A056 | Login attempts using Legacy Authentication (Azure) |
| MS-A057 | Long DNS Query |
| MS-A060 | Remote management access to internal Windows servers via VPN |
| MS-A129 | Users added to privileged domain groups |
| MS-A119 | Windows Audit Log Cleared |
| MS-A082 | Previously disabled accounts becoming active |
| MS-A074 | Peer-to-peer (P2P) traffic detected in perimeter firewall |
| MS-A091 | Group recently created was added to a privileged built-in group |
| MS-A111 | Outbound traffic to known bad IPs (Microsoft Security Graph) |
| MS-A067 | Multiple users forwarding Office 365 mail to same destination |
| MS-A070 | A new service was installed and started on a critical Windows server |
| MS-A126 | Windows system time has been changed on a critical server |
| MS-A062 | Multiple failed login attempts within 10 minutes |
| MS-A065 | Multiple Internal assets connecting to same malicious destinations within a predefined timeframe (Threat Intelligence) |
| MS-A089 | Windows privilege account(s) password changed on critical servers |
| MS-A101 | Suspicious high privilege account login failure on Windows systems |
| MS-A072 | Non-owner Office 365 mailbox login activity |
| MS-A112 | Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence) |
| MS-A138 | SharePoint downloads from previously unseen IP address |
| MS-A109 | Tracking Privileged Account Rare Activity |
| MS-A122 | Windows Admin group modification |
| MS-A123 | Exchange Audit Log Disabled |
| MS-A124 | Multiple Login failures for multiple accounts within a predefined time interval on Windows servers |
| MS-A105 | Sustained connection(s) from an internal host for more than x hours through firewall |
| MS-A069 | New Office 365 admin activity detected |
| MS-A081 | PowerShell or non-browser mailbox login activity in Office 365 |
| MS-A093 | SharePoint downloads from devices associated with previously unseen user agents |
| MS-A500 | APT Babyshark Lookup |
| MS-A501 | APT 29 Thinktanks Lookup |
| MS-A502 | APT Bear Activity GTR19 Lookup |
| MS-A503 | APT Tropic Trooper Lookup |
| MS-A504 | APT DragonFly Lookup |
| MS-A505 | APT CloudHopper Lookup |
| MS-A506 | APT Elise Lookup |
| MS-A507 | APT EquationGroup DLL_U Load Lookup |
| MS-A508 | APT Hurricane Panda Lookup |
| MS-A509 | APT Judgement Panda Lookup |
| MS-A510 | APT Sofacy Zebrocy Lookup |
| MS-A215 | IIS pages generating errors (Status 500s) |
| MS-A511 | APT TA17-293 Lookup |
| MS-A512 | APT ZxShell Lookup |
| MS-A513 | APT 5 Manganese Lookup |
| MS-A121 | Account added to and deleted from a privileged group within a short timeframe |
| MS-A125 | Windows security audit log is full |
| MS-A150 | Internal systems using a large number of protocols |
| MS-A200 | Silent log source monitoring - Heartbeat |
| MS-A142 | User account created and deleted within x mins |
| MS-A061 | Process execution frequency anomaly |
| MS-A143 | Potential Kerberoasting |
| MS-A144 | Malware detected in the local recycle bin |
| MS-A110 | Malware detected in an Office 365 repository |
| MS-A152 | Azure Security Center Threat Alert |
| MS-A133 | Rare and potentially high risk Office 365 operations |
| MS-A134 | Office 365 policy tampering |
| MS-A153 | Azure Security Center Recommendations Alert |
| MS-A147 | Local Windows user account creation |
| MS-A083 | Multiple successful VPN logins for different users from same IP address |
| MS-A127 | Successful VPN connections from different source IP addresses within specific time interval |
| MS-A139 | Mail forwarding enabled to an external email address |
| MS-A148 | Successful overpass the hash attempt |
| MS-A149 | Firewall external average attack detection rate increase |
| MS-A117 | Web shell script detection on a website |
| MS-A131 | Notification on emails sent outside of organization containing specific keywords in Subject line |
| MS-A086 | Identifies when failed logon attempts are 6 or higher during a 10 minute period |
| MS-A203 | Office 365 connections from malicious IP addresses |
| MS-A077 | Office 365 Anonymous SharePoint Link Created |
| MS-A044 | Missing Linux critical and security updates |
| MS-A013 | Changes made to AWS CloudTrail logs |
| MS-A075 | Office 365 inactive user accounts |
| MS-A095 | A malicious IP address accessing an Office 365 resource |
| MS-A204 | Azure Security Center - Antimalware Activity |
| MS-A205 | Accounts generating excessive Azure SignIn logs failures |
| MS-A206 | Microsoft Cloud App Security alert |
| MS-A073 | Multiple Password Resets by a user across multiple datasources |
| MS-A120 | Office 365 Mailbox Added or Removed |
| MS-A085 | Silent OfficeActivity Workload |
| MS-A216 | IIS pages generating Page Not Found errors (404) |
| MS-A087 | Anomalous number of denial messages in CommonSecurityLog |
| MS-A202 | Silent log source monitoring - Windows Security |
| MS-A201 | Silent log source monitoring - CommonSecurityLog |
| MS-A066 | Azure activity from malicious IPs |
| MS-A140 | Previously blocked Azure AD accounts becoming active |
| MS-A107 | Login to AWS Management Console without MFA |
| MS-A114 | Connections to unsanctioned SMTP servers |
| MS-A207 | Internal hosts using POP3 or IMAP email clients (iptables firewall) |
| MS-A242 | Internal hosts querying large number of DNS servers |
| MS-A241 | VPN connections from IP addresses matching Firegen Threat Intelligence feed |
| MS-A231 | Connections to malicious IPs from internal hosts |
| MS-A209 | Access to phishing and peer-to-peer URLs |
| MS-A079 | Potential brute force attack against an IIS Web Server |
| MS-A225 | Squid proxy events for ToR proxies |
| MS-A234 | Network sniffing applications detected |
| MS-A208 | Internal hosts using POP3 or IMAP email clients |
| MS-A154 | COVID-19 IP address IOC detected - CommonSecurityLog |
| MS-A146 | COVID-19 IP address IOC detected - SigninLogs |
| MS-A155 | COVID-19 IP address IOC detected - BIND DNS |
| MS-A157 | COVID-19 IP address IOC detected - iptables |
| MS-A137 | Azure AD sign-in attempts from disabled accounts |
| MS-A151 | Admin authentication failure detected on firewall - Cisco ASA |
| MS-A104 | Anomalous allow connections from internal hosts |
| MS-A159 | Admin authentication failure detected on firewall - Fortinet |
| MS-A160 | Potential rogue access points - Fortinet |
| MS-A161 | Redirected DNS requests - Fortinet |
| MS-A162 | SSL VPN login failures - Fortinet |
| MS-A230 | Cisco Umbrella - Connections to malicious domains |
| MS-A236 | Access to potentially malicious URLs |
| MS-A128 | NAS Login Failures |
| MS-A158 | MFA disabled for a user - AWS CloudTrail |
| MS-A226 | Squid proxy events related to mining pools |
| MS-A235 | Missing Security and Critical Updates (non-OS) |
| MS-A212 | Office 365 activities from IP listed in the ThreatIntelligenceIndicator table |
| MS-A078 | Azure entities triggering more than 1 distinct type of alert |
| MS-A222 | MITRE Execution Tactic Processes Detected |
| MS-A084 | Microsoft Azure Identity Protection alert |
| MS-A156 | Microsoft Azure Identity Protection - Suspicious activities with successful logins |
| MS-A068 | Mass secret retrieval from Azure Key Vault observed by a single user |
| MS-A080 | Silent Office Activity |
| MS-A096 | Unknown LogstashOthers_CL entries |
| MS-A097 | Anomalous increase in Azure Sentinel log ingestion costs |
| MS-A098 | Microsoft ATA alert triggered |
| MS-A099 | Authenticated Windows IIS connections matching Microsoft Threat Intelligence |
| MS-A115 | IP addresses with open ports attacked from Internet |
| MS-A118 | Top 10 users by MCAS threat score |
| MS-A145 | High count of connections by client IP on many ports |
| MS-A163 | High severity IPS Signatures from sources originating from internal network |
| MS-A164 | External Teams users from anomalous organizations |
| MS-A165 | Connections blocked by Kemp from internal hosts |
| MS-A166 | Anomalous number of events generated by Kemp Load Balancer |
| MS-A167 | DNS queries for domains used by the Telegram chat app - Squid |
| MS-A168 | Roles added/removed in Azure AD |
| MS-A169 | Suspicious RDP connections |
| MS-A171 | Potential C&C traffic detected in URL request |
| MS-A173 | Google G-Suite Admin Activities |
| MS-A175 | Password Spray Attack - Linux |
| MS-A177 | Excessive RDP Authentication Failures |
| MS-A179 | Potentially malicious downloads detected in URL request - SonicWall |
| MS-A170 | COVID-19 IP address IOC detected |
| MS-A172 | Azure Security Center Alert |
| MS-A174 | Failed Duo MFA Authentications |
| MS-A176 | Password Spraying to SonicWall Admin CLI |
| MS-A178 | Audit-Traffic Log Cleared - SonicWall |
| MS-A180 | Internal hosts match 3 or more IPS Signatures in 24 hours - SonicWall |
| MS-A182 | Excessive SonicWall Admin Password Failures from CLI - SonicWall |
| MS-A183 | Internal Hosts Using POP3 or IMAP Email Clients - SonicWall |
| MS-A184 | Firewall/IPS/VPN Configuration Change Detected - SonicWall |
| MS-A185 | Outbound traffic to known bad IPs (Managed Sentinel Threat Intel) - SonicWall |
| MS-A186 | Outbound traffic to known bad IPs (Microsoft Security Graph) - SonicWall |
| MS-A191 | Successful logon from IP and failure from a different IP |
| MS-A192 | Distributed password cracking attempts in Azure AD |
| MS-A193 | Attempt to bypass conditional access rule in Azure AD |
| MS-A194 | Sign-ins from IPs that attempt sign-ins to disabled Azure accounts |
| MS-A195 | Multiple Password Reset by user |
| MS-A196 | Suspicious granting of permissions to an Azure AD account |
| MS-A197 | Suspicious number of resource creation or deployment activities |
| MS-A198 | Rare subscription-level operations in Azure |
| MS-A199 | Suspicious Azure Resource deployment |
| MS-A210 | Unusual number of log entries in CommonSecurityLog |
| MS-A211 | Microsoft Defender ATP Alert |
| MS-A213 | Multiple ATP low priority alerts detected |
| MS-A221 | Carbon Black Storage Hit Events |
| MS-A223 | Carbon Black Query Hit Events |
| MS-A224 | Carbon Black Ingress Hit Events |
| MS-A227 | Internal hosts generating firewall denials |
| MS-A228 | IP addresses with open ports attacked from Internet |
| MS-A229 | Consented Azure applications |
| MS-A232 | Users created by unauthorized administrators |
| MS-A233 | Azure SignInLogs activities from IP listed in the ThreatIntelligenceIndicator table |
| MS-A237 | Radius authentications from the same user from multiple IP addresses |
| MS-A238 | Internal systems exposing a large number of protocols to Internet |
| MS-A240 | Azure Security Center - Endpoint Protection Threat Detected |
| MS-A243 | RADIUS access reject on wireless client device |
| MS-A245 | Azure Network Security Groups Blocked Flows |
| MS-A250 | COVID-19 IP address IOC detected - SonicWall |
| MS-A251 | Potential C&C traffic detected in URL request - SonicWall |
| MS-A252 | Internal hosts generating firewall denials - SonicWall |
| MS-A253 | IP addresses with open ports attacked from Internet - SonicWall |
| MS-A254 | Traffic to malicious URLs detected - SonicWall |
| MS-A255 | Internal systems exposing a large number of protocols to Internet - SonicWall |
| MS-A256 | VPN connections from IP addresses matching Firegen Threat Intelligence feed - SonicWall |
| MS-A257 | Traffic to commonly abused TLDs - SonicWall |
| MS-A259 | Excessive SSL VPN login failures - SonicWall |
| MS-A261 | Outbound traffic to known bad IPs (Microsoft Security Graph - Cisco ASA) |
| MS-A263 | Successful VPN connections from same user from multiple IP addresses - SonicWall |
| MS-A265 | Traffic to ToR Proxies - SonicWall |
| MS-A267 | Potential beaconing detected - SonicWall |
| MS-A300 | MITRE - Console History |
