Microsoft Defender for Identity alerts can appear in the Microsoft Defender portal in two different formats, depending on whether the alert originates from Defender for Identity or from Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products.
To learn more about the structure and common components of all Defender for Identity security alerts, see View and manage alerts.
Microsoft Defender for Identity XDR alert categories
Defender for Identity security alerts are categorized by their corresponding MITRE ATT&CK tactics. This makes it easier to understand the attack technique that is suspected to be in use when a Defender for Identity alert is triggered. This page contains information on each alert to help with your investigation and remediation tasks, along with general information about the conditions that trigger each alert. Note that anomaly-based alerts are only triggered when behavior deviates significantly from established baselines.
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
Initial Access alerts
This section describes alerts indicating that a malicious actor might be attempting to gain an initial foothold into your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Okta anonymous user access<br>Description: Anonymous User access was detected. | High | T1078 | xdr_OktaAnonymousUserAccess |
| Password spray against OneLogin<br>Description: A suspicious IP address attempted to authenticate to OneLogin using multiple valid accounts. An attacker might be attempting to find valid user account credentials for later follow-on behavior. | Medium | T1110.003 | xdr_OneLoginPasswordSpray |
| Suspicious Okta account enumeration<br>Description: A suspicious IP address enumerated Okta accounts. An attacker might be attempting to perform discovery activities for later follow-on behavior. | High | T1078.004 | xdr_SuspiciousOktaAccountEnumeration |
| Suspicious OneLogin MFA fatigue<br>Description: A suspicious IP address sent several OneLogin multifactor authentication (MFA) challenge attempts for a user account. An attacker might have compromised the user's account credentials and is trying to flood and bypass the MFA mechanism. | Medium | T1110.003 | xdr_OneLoginMfaFatigue |
| Suspicious sign-in made to an admin account<br>Description: An admin account sign-in was performed in a suspicious manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousAdminAccountSignIn |
| Suspicious sign-in made using a malicious certificate<br>Description: A user signed in to the organization using a malicious certificate. This behavior might indicate that a user account was compromised and is being used for malicious activities, and that a malicious ___domain with AAD Internals certificate is registered in the organization. | High | T1078.001 | xdr_SignInUsingMaliciousCertificate |
| Suspicious sign-in to Microsoft Sentinel app made using Entra ID sync account<br>Description: A Microsoft Entra ID Connect sync account signed in to a Microsoft Sentinel resource in an unusual manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousMicrosoftSentinelAccessByEntraIdSyncAccount |
| Suspicious tool used by a Microsoft Entra Sync account<br>Description: A suspicious authentication to a Microsoft Entra ID account typically used for syncing operations was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. | High | T1078.004 | xdr_SuspiciousToolSyncAccountSignIn |
| Sync account risky sign-in to an uncommon app<br>Description: A Microsoft Entra ID Connect sync account that signed in to a risky session performed unusual activities. This behavior might indicate that a user account was compromised and is being used for malicious activities. | High | T1078.001 | xdr_RiskyEntraIDSyncAccount |
Execution alerts
This section describes alerts indicating that a malicious actor might be attempting to run malicious code in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Suspicious remote service installation<br>Description: A suspicious service installation was detected. This service was created in order to execute potentially malicious commands. An attacker might be using stolen credentials to leverage this attack. This might also indicate that a pass-the-hash attack was used. | Medium | T1569.002 | xdr_SuspiciousRemoteServiceInstallation |
Persistence alerts
This section describes alerts indicating that a malicious actor might be attempting to maintain their foothold in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| OAuth app created a user<br>Description: A new user account was created by an OAuth application. An attacker might have compromised this application for persistence in the organization. | Medium | T1136.003 | xdr_OAuthAppCreatedAUser |
| Okta privileged API token created<br>Description: {ActorAliasName} created an API token. If stolen, it can grant the attacker access with the user's permission. | High | T1078.004 | xdr_OktaPrivilegedApiTokenCreated |
| Okta privileged API token updated<br>Description: {ActorAliasName} updated a Privileged API token Configuration to be more promiscuous. If stolen, it can grant the attacker access with the user's permission. | High | T1078.004 | xdr_OktaPrivilegedApiTokenUpdated |
| Suspicious MFA tampering activity by admin account<br>Description: An administrator account performed multifactor authentication (MFA) tampering activity after a risky authentication. An attacker might have compromised an admin account to manipulate MFA settings for possible lateral movement activity. | Low | T1556.006 | xdr_AdminAccountTakeover |
| Suspicious account creation<br>Description: A new user account was created by a compromised OAuth app. Attackers might be preparing the new user account for later use as a backdoor to move laterally across the network or access data. This alert was triggered based on another Microsoft Cloud App Security alert related to the compromised OAuth app. | Medium | T1136.003 | xdr_SuspiciousAccountCreation |
| Suspicious addition of alternative phone number<br>Description: A new alternative phone number was added for multiple users in a suspicious way. An attacker might have done this to gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
| Suspicious addition of email<br>Description: A new email address was added for multiple users in a suspicious way. An attacker might have done this to gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
| Suspicious change to primary group ID<br>Description: A user's primary group ID was modified. An attacker might have compromised a user account and assigned a backdoor user with strong permissions in the ___domain for later use. | Medium | T1098 | xdr_SuspiciousChangeInUserPrimaryGroupId |
| Suspicious file modification<br>Description: A user modified a file in a suspicious manner. | Medium | T1546.001 | xdr_SuspiciousCloudFileModification |
| Suspicious guest user invitation<br>Description: A new guest user was invited and accepted in a suspicious way. An attacker might have compromised a user account in the organization and is using it to add an unauthorized user for persistence purposes. | Medium | T1136.003 | xdr_SuspiciousGuestUserInvitation |
| Suspicious inbox rule<br>Description: A user modified or created an inbox rule on this device in a suspicious manner. | Medium | T1114.003 | xdr_SuspiciousInboxRule |
| User was created and assigned to sensitive role<br>Description: A new user was created and assigned to a sensitive role. An attacker might have compromised the user account to perform persistence and lateral movement. | Medium | T1136.003, T1098.003 | xdr_SuspiciousUserCreationAndSensitiveRoleAssignment |
Privilege Escalation alerts
This section describes alerts indicating that a malicious actor might be attempting to gain higher-level permissions in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Suspicious SPN was added to a user<br>Description: A suspicious service principal name (SPN) was added to a sensitive user. An attacker might be attempting to gain elevated access for lateral movement within the organization. | High | T1098 | xdr_SuspiciousAdditionOfSpnToUser |
| Suspicious certificate enrollment exploit abusing ESC15<br>Description: A certificate was enrolled suspiciously. An attacker might be exploiting a vulnerability (known as ESC) to escalate privileges in the forest. | High | T1068 | xdr_SuspectedCertificateEnrollmentESC15 |
Defense Evasion alerts
This section describes alerts indicating that a malicious actor might be attempting to evade detection in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Suspicious access denial to view primary group ID of an object<br>Description: An access control list (ACL) denied access to view the primary group ID of an object. An attacker might have compromised a user account and is looking to hide the group of a backdoor user. | Medium | T1564.002 | xdr_SuspiciousDenyAccessToPrimaryGroupId |
| Suspicious account link<br>Description: An account was linked through a cross-tenant administrative action. The action was performed in a suspicious way that might indicate an attempt to use the account to bypass MFA. | Medium | T1556 | xdr_SuspiciousAccountLink |
Credential Access alerts
This section describes alerts indicating that a malicious actor might be attempting to steal account names and passwords from your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| AS-REP roasting<br>Description: Multiple attempts to sign in without preauthentication were detected. This behavior might indicate an Authentication Server Response (AS-REP) roasting attack, which targets the Kerberos authentication protocol, specifically accounts that have turned off preauthentication. | Medium | T1558.004 | xdr_AsrepRoastingAttack |
| Honeytoken Activity<br>Description: A honeytoken user attempted to sign in. | High | T1098 | xdr_HoneytokenSignInAttempt |
| NEGOEX relay attack<br>Description: An attacker used NEGOEX to impersonate a server that a client wants to connect to so that the attacker can then relay the authentication process to any target. This allows the attacker to gain access to the target. NEGOEX is an authentication protocol designed to authenticate user accounts to Microsoft Entra joined devices. | High | T1187, T1557.001 | xdr_NegoexRelayAttack |
| Okta privileged role assigned to application<br>Description: {ActorAliasName} assigned {RoleDisplayName} role to application: {ApplicationDisplayName} | High | T1003.006 | xdr_OktaPrivilegedRoleAssignedToApplication |
| Possible AS-REP roasting attack<br>Description: A suspicious Kerberos authentication request was made to accounts that do not require preauthentication. An attacker might be performing an AS-REP roasting attack to steal passwords and gain further access into the network. | Medium | T1558.004 | xdr_AsrepRoastingAttack |
| Possible Golden SAML attack<br>Description: A privileged user account authenticated with characteristics that might be related to a Golden SAML attack. | High | T1071, T1606.002 | xdr_PossibleGoldenSamlAttack |
| Possible NetSync attack<br>Description: NetSync is a module in Mimikatz, a post-exploitation tool, that requests the password hash of a target device's password by pretending to be a ___domain controller. An attacker might be performing malicious activities inside the network using this feature to gain access to the organization's resources. | High | T1003.006 | xdr_PossibleNetsyncAttack |
| Possible account secret leak<br>Description: A failed attempt to sign in to a user account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The user account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
| Possible golden ticket attack<br>Description: A suspicious Kerberos ticket granting service (TGS) request was observed. An attacker might be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558, T1558.001 | xdr_PossibleGoldenTicketAttacks |
| Possible golden ticket attack (CVE-2021-42287 exploit)<br>Description: A suspicious Kerberos ticket-granting ticket (TGT) containing an anomalous Kerberos Privilege Attribute Certificate (PAC) was observed. An attacker might be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558, T1558.001 | xdr_PossibleGoldenTicketAttack_SuspiciousPac |
| Possible overpass-the-hash attack<br>Description: A possible overpass-the-hash attack was detected. In this type of attack, an attacker uses the NT hash of a user account or other Kerberos keys to obtain Kerberos tickets, which allows unauthorized access to network resources. | High | T1003.006 | xdr_PossibleOverPassTheHash |
| Possible service principal account secret leak<br>Description: A failed attempt to sign in to a service principal account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
| Possibly compromised service principal account signed in<br>Description: A possibly compromised service principal account signed in. A credential stuffing attempt was successfully authenticated, indicating that the service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
| Possibly compromised user account signed in<br>Description: A possibly compromised user account signed in. A credential stuffing attempt was successfully authenticated, indicating that the user account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
| Suspicious DMSA related activity detected<br>Description: A suspicious DMSA related activity was detected. This might indicate a compromised managed account or an attempt to exploit a DMSA account. | High | T1555 | xdr_SuspiciousDmsaAction |
| Suspicious Golden gMSA related activity<br>Description: A suspicious read activity was made to sensitive group Managed Service Account (gMSA) objects, which could be associated with a threat actor trying to leverage the Golden gMSA attack. | High | T1555 | xdr_SuspiciousGoldenGmsaActivity |
| Suspicious Kerberos authentication (AP-REQ)<br>Description: A suspicious Kerberos application request (AP-REQ) was detected. An attacker might be using stolen credentials of a service account to attempt a silver ticket attack. In this kind of attack, an attacker forges a service ticket (Ticket Granting Service or TGS) for a specific service within a network, which allows the attacker to access that service without needing to interact with the ___domain controller after the initial compromise. | High | T1558, T1558.002 | xdr_SuspiciousKerberosApReq |
| Suspicious Kerberos authentication (AS-REQ)<br>Description: A suspicious Kerberos authentication request (AS-REQ) for a ticket-granting ticket (TGT) was observed. This anomalous TGT request is suspected to have been specially crafted by an attacker. The attacker might be using stolen credentials to leverage this attack. | Medium | T1550, T1558 | xdr_SusKerberosAuth_AsReq |
| Suspicious Kerberos authentication (TGT request using TGS-REQ)<br>Description: A suspicious Kerberos ticket-granting service request (TGS-REQ) involving the Service for User to Self (S4U2self) extension was observed. This anomalous TGS request is suspected to have been specially crafted by an attacker. | Medium | T1550, T1558 | xdr_SusKerberosAuth_S4U2selfTgsReq |
| Suspicious creation of ESXi group<br>Description: A suspicious VMware ESXi group was created in the ___domain. This might indicate that an attacker is trying to get more permissions for later steps in an attack. | High | T1098 | xdr_SuspiciousUserAdditionToEsxGroup |
| Suspected Brute Force attack (LDAP)<br>Previous name: Brute force attack using LDAP simple bind.<br>Description: In a brute-force attack, the attacker attempts to authenticate with many different passwords for different accounts until a correct password is found for at least one account. Once found, an attacker can log in using that account. In this detection, an alert is triggered when Defender for Identity detects a massive number of simple bind authentications. This alert detects brute-force attacks performed either horizontally with a small set of passwords across many users, vertically with a large set of passwords on just a few users, or any combination of the two options. The alert is based on authentication events from sensors running on ___domain controllers and AD FS / AD CS servers.<br>Learning period: None<br>Suggested steps for prevention:<br>- Enforce complex and long passwords in the organization. Doing so provides the necessary first level of security against future brute-force attacks.<br>- Prevent future usage of the LDAP clear text protocol in your organization. | Medium | TA0006, T1110, T1110.001, T1110.003 | xdr_LdapBindBruteforce |
Discovery alerts
This section describes alerts indicating that a malicious actor might be attempting to gather information about your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Okta sync service principal enumerated<br>Description: A suspicious LDAP (Lightweight Directory Access Protocol) enumeration to find the Okta sync service account was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. | High | T1087.002 | xdr_OktaSyncServicePrincipalEnumeration |
| Reconnaissance related to sensitive LDAP attribute<br>Description: Reconnaissance activities related to sensitive Lightweight Directory Access Protocol (LDAP) attributes were detected on this device. An attacker might have compromised a user account and is looking for information for use in their next steps. | Medium | T1087.002 | xdr_LdapSensitiveAttributeRecon |
| Suspicious LDAP query<br>Description: A suspicious Lightweight Directory Access Protocol (LDAP) query associated with a known attack tool was detected. An attacker might be performing reconnaissance for later steps. | High | T1087.002 | xdr_SuspiciousLdapQuery |
| Active Directory attributes Reconnaissance using LDAP<br>Description: Active Directory LDAP reconnaissance is used by attackers to gain critical information about the ___domain environment. This information can help attackers map the ___domain structure, as well as identify privileged accounts for use in later steps in their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of the most popular methods used for both legitimate and malicious purposes to query Active Directory.<br>Learning period: None | Medium | TA0007, T1087, T1049, T1087.002 | xdr_LdapSensitiveAttributeReconnaissanceSecurityAlert |
| User and IP address reconnaissance (SMB)<br>Previous name: Reconnaissance using SMB Session Enumeration.<br>Description: Enumeration using the Server Message Block (SMB) protocol enables attackers to get information about where users recently logged on. Once attackers have this information, they can move laterally in the network to get to a specific sensitive account. In this detection, an alert is triggered when an SMB session enumeration is performed against a ___domain controller.<br>Learning period: None | Medium | TA0007, T1087, T1046, T1018 | xdr_SmbSessionEnumeration |
| Account Enumeration reconnaissance in AD FS<br>Previous name: Reconnaissance using account enumeration.<br>Description: In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess, in an attempt to guess user names in the ___domain. In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on ___domain controllers and AD FS / AD CS servers.<br>Learning period: None<br>Suggested steps for prevention: Enforce complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute-force attacks are typically the next step in the cyber-attack kill chain following enumeration. | Medium | TA0007, T1087, T1087.002 | xdr_AccountEnumerationHintSecurityAlertAdfs |
| Account Enumeration reconnaissance in Kerberos<br>Previous name: Reconnaissance using account enumeration.<br>Description: In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess, in an attempt to guess user names in the ___domain. The attacker makes Kerberos requests using these names to try to find a valid username in the ___domain. When a guess successfully determines a username, the attacker gets the Preauthentication required Kerberos error instead of Security principal unknown. In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on ___domain controllers and AD FS / AD CS servers.<br>Learning period: None<br>Suggested steps for prevention: Enforce complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute-force attacks are typically the next step in the cyber-attack kill chain following enumeration. | Medium | TA0007, T1087, T1087.002 | xdr_AccountEnumerationHintSecurityAlertKerberos |
| Account Enumeration reconnaissance in NTLM<br>Previous name: Reconnaissance using account enumeration.<br>Description: In account enumeration reconnaissance, an attacker uses a dictionary with thousands of user names, or tools such as KrbGuess, in an attempt to guess user names in the ___domain. The attacker makes NTLM authentication requests using the dictionary of names to try to find a valid username in the ___domain. If a guess successfully determines a username, the attacker gets the WrongPassword (0xc000006a) NTLM error instead of NoSuchUser (0xc0000064). In this alert detection, Defender for Identity detects where the account enumeration attack came from, the total number of guess attempts, and how many attempts were matched. If there are too many unknown users, Defender for Identity detects it as a suspicious activity. The alert is based on authentication events from sensors running on ___domain controllers and AD FS / AD CS servers.<br>Learning period: None<br>Suggested steps for prevention: Enforce complex and long passwords in the organization. Complex and long passwords provide the necessary first level of security against brute-force attacks. Brute-force attacks are typically the next step in the cyber-attack kill chain following enumeration. | Medium | TA0007, T1087, T1087.002 | xdr_AccountEnumerationHintSecurityAlertNtlm |
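The account enumeration rows above (in particular the NTLM row, which names the WrongPassword 0xc000006a and NoSuchUser 0xc0000064 status codes) and the Suspected Brute Force attack (LDAP) row in the Credential Access table describe the same underlying analytic from two angles: group failed authentications by source, count how many guesses hit nonexistent accounts versus existing ones, and characterize the shape of the guessing (horizontal, vertical, or mixed). The following is an added example written for this page, not Defender for Identity code and not its actual thresholds: a small detector that applies both descriptions to a constructed list of `(source_ip, username, ntlm_status)` failed-logon events. The event format, thresholds, and sample data are assumptions chosen for illustration.

```python
"""Toy detector for account enumeration and brute-force shape.

Added example for this page; not Defender for Identity code. The event
format (source_ip, username, ntlm_status), the thresholds and the sample
data below are assumptions made for illustration.
"""
from collections import defaultdict

# NTLM status codes quoted in the "Account Enumeration reconnaissance in NTLM" row.
STATUS_WRONG_PASSWORD = 0xC000006A   # account exists, password was wrong
STATUS_NO_SUCH_USER = 0xC0000064     # account does not exist

# Illustrative thresholds (assumed, not the product's values).
MIN_ATTEMPTS = 20            # ignore sources with fewer failures than this
ENUM_UNKNOWN_RATIO = 0.5     # share of attempts against nonexistent users
SPRAY_MAX_PER_USER = 3       # "small set of passwords across many users"
VERTICAL_MAX_USERS = 3       # "large set of passwords on just a few users"


def aggregate(events):
    """Group failed-authentication events by source address.

    Returns {source_ip: {"attempts": int, "unknown": int, "known": {user: count}}}
    where "unknown" counts NoSuchUser results and "known" counts WrongPassword
    results per existing account (the "matched" guesses in the page's wording).
    """
    stats = defaultdict(lambda: {"attempts": 0, "unknown": 0, "known": defaultdict(int)})
    for src, user, status in events:
        s = stats[src]
        s["attempts"] += 1
        if status == STATUS_NO_SUCH_USER:
            s["unknown"] += 1
        elif status == STATUS_WRONG_PASSWORD:
            s["known"][user] += 1
    return stats


def classify(stats):
    """Apply the two alert descriptions to each source and return findings."""
    findings = {}
    for src, s in stats.items():
        if s["attempts"] < MIN_ATTEMPTS:
            continue                       # too little activity to judge
        out = []
        matched = len(s["known"])          # distinct existing accounts hit
        # Account enumeration: most guesses name accounts that do not exist.
        if s["unknown"] / s["attempts"] >= ENUM_UNKNOWN_RATIO:
            out.append(("account_enumeration", {"guesses": s["attempts"], "matched": matched}))
        # Brute force against existing accounts: classify horizontal vs vertical.
        known_attempts = sum(s["known"].values())
        if known_attempts >= MIN_ATTEMPTS:
            per_user_max = max(s["known"].values())
            if per_user_max <= SPRAY_MAX_PER_USER:
                shape = "horizontal"       # few passwords per account, many accounts
            elif matched <= VERTICAL_MAX_USERS:
                shape = "vertical"         # many passwords against a few accounts
            else:
                shape = "mixed"
            out.append(("brute_force", {"shape": shape, "accounts": matched, "attempts": known_attempts}))
        if out:
            findings[src] = out
    return findings


def constructed_events():
    """Constructed sample telemetry (not real data)."""
    events = []
    # 10.0.0.5: a 30-name dictionary; 27 names do not exist, 3 do.
    events += [("10.0.0.5", f"guess{i}", STATUS_NO_SUCH_USER) for i in range(27)]
    events += [("10.0.0.5", u, STATUS_WRONG_PASSWORD) for u in ("alice", "bob", "carol")]
    # 10.0.0.6: two passwords tried against each of 25 existing accounts (horizontal).
    events += [("10.0.0.6", f"user{i}", STATUS_WRONG_PASSWORD) for i in range(25) for _ in range(2)]
    # 10.0.0.7: fifteen passwords against each of two accounts (vertical).
    events += [("10.0.0.7", u, STATUS_WRONG_PASSWORD) for u in ("svc-backup", "admin") for _ in range(15)]
    # 10.0.0.8: one user mistyping a password twice; stays below the threshold.
    events += [("10.0.0.8", "dave", STATUS_WRONG_PASSWORD)] * 2
    return events


def run():
    """Aggregate and classify the constructed events."""
    return classify(aggregate(constructed_events()))


if __name__ == "__main__":
    for source, items in run().items():
        for name, detail in items:
            print(source, name, detail)
```

The enumeration test keys on the ratio of NoSuchUser to total attempts, which is why a source that guesses only existing names is never reported as enumeration, only as brute force; the same per-source aggregation would serve the Kerberos variant by substituting the Security principal unknown and Preauthentication required errors for the two NTLM status codes.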
Lateral Movement alerts
This section describes alerts indicating that a malicious actor might be attempting to move between resources or identities in your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Possible authentication silo bypass<br>Description: A possible attempt to bypass authentication silo policies and authenticate against a silo-protected service was detected on this device. | High | T1550 | xdr_PossibleAuthenticationSiloBypass |
| Possible takeover of a Microsoft Entra seamless SSO account<br>Description: A Microsoft Entra seamless SSO (single sign-on) account object, AZUREADSSOACC, was modified suspiciously. An attacker might be moving laterally from the on-premises environment to the cloud. | High | T1556 | xdr_SuspectedAzureSsoAccountTakeover |
| Suspicious activity after password sync<br>Description: A user performed an uncommon action on an application after a recent password sync. An attacker might have compromised a user's account to perform malicious activities in the organization. | Medium | T1021.007 | xdr_SuspiciousActivityAfterPasswordSync |
| Suspicious network connection over Encrypting File System Remote Protocol<br>Description: Adversaries may exploit the Encrypting File System Remote Protocol to improperly perform privileged file operations. In this attack, the attacker can escalate privileges in an Active Directory network by coercing authentication from machine accounts and relaying to the certificate service. This attack allows an attacker to take over an Active Directory (AD) Domain by exploiting a flaw in the Encrypting File System Remote (EFSRPC) Protocol and chaining it with a flaw in Active Directory Certificate Services.<br>Learning period: None | High or Medium | TA0008, T1210 | xdr_SuspiciousConnectionOverEFDRPC |
Collection alerts
This section describes alerts indicating that a malicious actor might be attempting to gather data of interest to their goal from your organization.
| Security alert name | Severity | MITRE Technique | Detector ID |
|---|---|---|---|
| Possible Okta session theft<br>Description: A new connection using a possibly stolen Okta session cookie was initiated. An attacker might have stolen a session cookie and is now using it to perform a malicious action. | High | T1539 | xdr_PossibleOktaSessionTheft |