Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats, depending on whether the alert originates from Defender for Identity or from Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists
To learn more about the structure and common components of all Defender for Identity security alerts, see View and manage alerts.
Microsoft Defender for Identity XDR alert categories
Defender for Identity security alerts are categorized by their corresponding MITRE ATT&CK tactics, which makes it easier to understand the attack technique suspected to be in use when an alert is triggered. This page lists each alert together with the general conditions that trigger it, to help with investigation and remediation. Anomaly-based alerts are triggered only when behavior deviates significantly from established baselines, so a single unusual event is not enough on its own.
- Initial Access
- Execution
- Persistence
- Privilege Escalation
- Defense Evasion
- Credential Access
- Discovery
- Lateral Movement
- Collection
Initial Access alerts
This section describes alerts indicating that a malicious actor might be attempting to gain an initial foothold into your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Okta anonymous user access | Anonymous User access was detected. | High | T1078 | xdr_OktaAnonymousUserAccess |
Password spray against OneLogin | A suspicious IP address attempted to authenticate to OneLogin using multiple valid accounts. An attacker might be attempting to find valid user account credentials for later follow-on behavior. | Medium | T1110.003 | xdr_OneLoginPasswordSpray |
Suspicious Okta account enumeration | A suspicious IP address enumerated Okta accounts. An attacker might be attempting to perform discovery activities for later follow-on behavior. | High | T1078.004 | xdr_SuspiciousOktaAccountEnumeration |
Suspicious OneLogin MFA fatigue | A suspicious IP address sent several OneLogin multifactor authentication (MFA) challenge attempts for a user account. An attacker might have compromised the user's account credentials and is trying to flood and bypass the MFA mechanism. | Medium | T1110.003 | xdr_OneLoginMfaFatigue |
Suspicious sign-in made to an admin account | An admin account sign-in was performed in a suspicious manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousAdminAccountSignIn |
Suspicious sign-in made using a malicious certificate | A user signed in to the organization using a malicious certificate. This behavior might indicate that a user account was compromised and is being used for malicious activities, and that a malicious domain with an AADInternals certificate is registered in the organization. | High | T1078.001 | xdr_SignInUsingMaliciousCertificate |
Suspicious sign-in to Microsoft Sentinel app made using Entra ID sync account | A Microsoft Entra ID Connect sync account signed in to a Microsoft Sentinel resource in an unusual manner. This behavior might indicate that a user account was compromised and is being used for malicious activities. | Low | T1078.001 | xdr_SuspiciousMicrosoftSentinelAccessByEntraIdSyncAccount |
Suspicious tool used by a Microsoft Entra Sync account | A suspicious authentication to a Microsoft Entra ID account typically used for syncing operations was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. | High | T1078.004 | xdr_SuspiciousToolSyncAccountSignIn |
Sync account risky sign-in to an uncommon app | A Microsoft Entra ID Connect sync account that signed in to a risky session performed unusual activities. This behavior might indicate that a user account was compromised and is being used for malicious activities. | High | T1078.001 | xdr_RiskyEntraIDSyncAccount |
Execution alerts
This section describes alerts indicating that a malicious actor might be attempting to run malicious code in your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Suspicious remote service installation | A suspicious service installation was detected. This service was created in order to execute potentially malicious commands. An attacker might be using stolen credentials to leverage this attack. This might also indicate that a pass-the-hash attack was used. | Medium | T1569.002 | xdr_SuspiciousRemoteServiceInstallation |
Persistence alerts
This section describes alerts indicating that a malicious actor might be attempting to maintain their foothold in your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
OAuth app created a user | A new user account was created by an OAuth application. An attacker might have compromised this application for persistence in the organization. | Medium | T1136.003 | xdr_OAuthAppCreatedAUser |
Okta privileged API token created | {ActorAliasName} created an API token. If stolen, it can grant the attacker access with the user's permissions. | High | T1078.004 | xdr_OktaPrivilegedApiTokenCreated |
Okta privileged API token updated | {ActorAliasName} updated a privileged API token configuration to be more permissive. If stolen, it can grant the attacker access with the user's permissions. | High | T1078.004 | xdr_OktaPrivilegedApiTokenUpdated |
Suspicious MFA tampering activity by admin account | An administrator account performed multifactor authentication (MFA) tampering activity after a risky authentication. An attacker might have compromised an admin account to manipulate MFA settings for possible lateral movement activity. | Low | T1556.006 | xdr_AdminAccountTakeover |
Suspicious account creation | A new user account was created by a compromised OAuth app. Attackers might be preparing the new user account for later use as a backdoor to move laterally across the network or access data. This alert was triggered based on another Microsoft Cloud App Security alert related to the compromised OAuth app. | Medium | T1136.003 | xdr_SuspiciousAccountCreation |
Suspicious addition of alternative phone number | A new alternative phone number was added for multiple users in a suspicious way. An attacker might have done this to gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
Suspicious addition of email | A new email address was added for multiple users in a suspicious way. An attacker might have done this to gain persistence in the organization. | Medium | T1556.006 | xdr_SuspiciousMFAAddition |
Suspicious change to primary group ID | A user's primary group ID was modified. An attacker might have compromised a user account and assigned a backdoor user with strong permissions in the domain for later use. | Medium | T1098 | xdr_SuspiciousChangeInUserPrimaryGroupId |
Suspicious file modification | A user modified a file in a suspicious manner. | Medium | T1546.001 | xdr_SuspiciousCloudFileModification |
Suspicious guest user invitation | A new guest user was invited and accepted in a suspicious way. An attacker might have compromised a user account in the organization and is using it to add an unauthorized user for persistence purposes. | Medium | T1136.003 | xdr_SuspiciousGuestUserInvitation |
Suspicious inbox rule | A user modified or created an inbox rule on this device in a suspicious manner. | Medium | T1114.003 | xdr_SuspiciousInboxRule |
User was created and assigned to sensitive role | A new user was created and assigned to a sensitive role. An attacker might have compromised the user account to perform persistence and lateral movement. | Medium | T1136.003, T1098.003 | xdr_SuspiciousUserCreationAndSensitiveRoleAssignment |
Privilege Escalation alerts
This section describes alerts indicating that a malicious actor might be attempting to gain higher-level permissions in your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Suspicious SPN was added to a user | A suspicious service principal name (SPN) was added to a sensitive user. An attacker might be attempting to gain elevated access for lateral movement within the organization. | High | T1098 | xdr_SuspiciousAdditionOfSpnToUser |
Suspicious certificate enrollment exploit abusing ESC15 | A certificate was enrolled suspiciously. An attacker might be exploiting an Active Directory Certificate Services vulnerability (known as ESC15) to escalate privileges in the forest. | High | T1068 | xdr_SuspectedCertificateEnrollmentESC15 |
Defense Evasion alerts
This section describes alerts indicating that a malicious actor might be attempting to evade detection in your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Suspicious access denial to view primary group ID of an object | An access control list (ACL) denied access to view the primary group ID of an object. An attacker might have compromised a user account and is looking to hide the group of a backdoor user. | Medium | T1564.002 | xdr_SuspiciousDenyAccessToPrimaryGroupId |
Suspicious account link | An account was linked through a cross-tenant administrative action. The action was performed in a suspicious way that may indicate the account will be used in an attempt to bypass MFA. | Medium | T1556 | xdr_SuspiciousAccountLink |
Credential Access alerts
This section describes alerts indicating that a malicious actor might be attempting to steal account names and passwords from your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
AS-REP roasting | Multiple attempts to sign in without preauthentication were detected. This behavior might indicate an Authentication Service Response (AS-REP) roasting attack, which targets the Kerberos authentication protocol, specifically accounts that have preauthentication turned off. | Medium | T1558.004 | xdr_AsrepRoastingAttack |
Honeytoken Activity | Honeytoken user attempted to sign in. | High | T1098 | xdr_HoneytokenSignInAttempt |
NEGOEX relay attack | An attacker used NEGOEX to impersonate a server that a client wants to connect to, so that the attacker can relay the authentication process to any target and gain access to it. NEGOEX (SPNEGO Extended Negotiation) is the authentication negotiation mechanism used to authenticate user accounts to Microsoft Entra joined devices. | High | T1187, T1557.001 | xdr_NegoexRelayAttack |
Okta privileged role assigned to application | {ActorAliasName} assigned {RoleDisplayName} role to application: {ApplicationDisplayName}. | High | T1003.006 | xdr_OktaPrivilegedRoleAssignedToApplication |
Possible AS-REP roasting attack | A suspicious Kerberos authentication request was made to accounts that do not require preauthentication. An attacker might be performing an AS-REP roasting attack to steal passwords and gain further access into the network. | Medium | T1558.004 | xdr_AsrepRoastingAttack |
Possible Golden SAML attack | A privileged user account authenticated with characteristics that might be related to a Golden SAML attack. | High | T1071, T1606.002 | xdr_PossibleGoldenSamlAttack |
Possible NetSync attack | NetSync is a module in Mimikatz, a post-exploitation tool, that requests the password hash of a target device by pretending to be a domain controller. An attacker might be performing malicious activities inside the network using this feature to gain access to the organization's resources. | High | T1003.006 | xdr_PossibleNetsyncAttack |
Possible account secret leak | A failed attempt to sign in to a user account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The user account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
Possible golden ticket attack | A suspicious Kerberos ticket-granting service (TGS) request was observed. An attacker might be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558, T1558.001 | xdr_PossibleGoldenTicketAttacks |
Possible golden ticket attack (CVE-2021-42287 exploit) | A suspicious Kerberos ticket-granting ticket (TGT) containing an anomalous Kerberos Privilege Attribute Certificate (PAC) was observed. An attacker may be using stolen credentials of the KRBTGT account to attempt a golden ticket attack. | High | T1558, T1558.001 | xdr_PossibleGoldenTicketAttack_SuspiciousPac |
Possible overpass-the-hash attack | A possible overpass-the-hash attack was detected. In this type of attack, an attacker uses the NT hash of a user account or other Kerberos keys to obtain Kerberos tickets, which allows unauthorized access to network resources. | High | T1003.006 | xdr_PossibleOverPassTheHash |
Possible service principal account secret leak | A failed attempt to sign in to a service principal account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
Possibly compromised service principal account signed in | A possibly compromised service principal account signed in. A credential stuffing attempt was successfully authenticated, indicating that the service principal account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
Possibly compromised user account signed in | A possibly compromised user account signed in. A credential stuffing attempt was successfully authenticated, indicating that the user account's credentials might have been leaked or are in the possession of an unauthorized party. | Medium | T1078 | xdr_CredentialStuffingToolObserved |
Suspicious DMSA related activity detected | A suspicious delegated Managed Service Account (dMSA) related activity was detected. This may indicate a compromised managed account or an attempt to exploit a dMSA account. | High | T1555 | xdr_SuspiciousDmsaAction |
Suspicious Golden gMSA related activity | A suspicious read activity was made to sensitive group Managed Service Account (gMSA) objects, which could be associated with a threat actor trying to leverage the Golden gMSA attack. | High | T1555 | xdr_SuspiciousGoldenGmsaActivity |
Suspicious Kerberos authentication (AP-REQ) | A suspicious Kerberos application request (AP-REQ) was detected. An attacker might be using stolen credentials of a service account to attempt a silver ticket attack. In this kind of attack, an attacker forges a service ticket (ticket-granting service, or TGS, ticket) for a specific service within a network, which allows the attacker to access that service without needing to interact with the domain controller after the initial compromise. | High | T1558, T1558.002 | xdr_SuspiciousKerberosApReq |
Suspicious Kerberos authentication (AS-REQ) | A suspicious Kerberos authentication request (AS-REQ) for a ticket-granting ticket (TGT) was observed. This anomalous TGT request is suspected to have been specially crafted by an attacker. The attacker might be using stolen credentials to leverage this attack. | Medium | T1550, T1558 | xdr_SusKerberosAuth_AsReq |
Suspicious Kerberos authentication (TGT request using TGS-REQ) | A suspicious Kerberos ticket-granting service request (TGS-REQ) involving the Service for User to Self (S4U2self) extension was observed. This anomalous TGS request is suspected to have been specially crafted by an attacker. | Medium | T1550, T1558 | xdr_SusKerberosAuth_S4U2selfTgsReq |
Suspicious creation of ESXi group | A suspicious VMware ESXi group was created in the domain. This might indicate that an attacker is trying to get more permissions for later steps in an attack. | High | T1098 | xdr_SuspiciousUserAdditionToEsxGroup |
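The two AS-REP roasting alerts above turn on one directory setting: a user account whose userAccountControl has the "Do not require Kerberos preauthentication" bit set can have its AS-REP requested by anyone and cracked offline, and the domain controller records each such request as Security event 4768 with Pre-Authentication Type 0. The added example below, written here for illustration and not part of Microsoft's detector, shows both sides: the exposure check an administrator would run (which accounts are roastable, and which user accounts carry an SPN, the condition behind "Suspicious SPN was added to a user" in the Privilege Escalation section), and a detection pass over 4768 events that flags one client address requesting no-preauth TGTs for several distinct accounts. The directory rows, event records, IP addresses and thresholds are constructed assumptions; in production the rows would come from an LDAP query and the events from the domain controllers' Security logs.

```python
"""AS-REP roasting exposure check and 4768-based detection over constructed data.

Added example, not Defender for Identity's detection logic. The userAccountControl
bit values and the 4768 field semantics are documented Windows values; the sample
directory entries, events, addresses and thresholds are assumptions for illustration.
"""
from collections import defaultdict

UF_ACCOUNTDISABLE = 0x0002
UF_DONT_REQ_PREAUTH = 0x400000   # "Do not require Kerberos preauthentication"
UF_NORMAL_ACCOUNT = 0x0200
RC4_HMAC = 0x17                  # TicketEncryptionType value for RC4 in event 4768

# Constructed directory rows standing in for LDAP attributes (not a real domain).
SAMPLE_DIRECTORY = [
    {"sAMAccountName": "svc_backup", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQ_PREAUTH,
     "servicePrincipalName": ["backup/srv01.contoso.example"]},
    {"sAMAccountName": "jdoe", "userAccountControl": UF_NORMAL_ACCOUNT,
     "servicePrincipalName": []},
    {"sAMAccountName": "old_contractor",   # preauth off, but disabled: not roastable
     "userAccountControl": UF_NORMAL_ACCOUNT | UF_ACCOUNTDISABLE | UF_DONT_REQ_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "legacy_app", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQ_PREAUTH,
     "servicePrincipalName": []},
    {"sAMAccountName": "svc_print", "userAccountControl": UF_NORMAL_ACCOUNT | UF_DONT_REQ_PREAUTH,
     "servicePrincipalName": []},
]

# Constructed Security event 4768 records (fields as in the event XML, not real logs).
# PreAuthType 0 = TGT issued without preauthentication; Status "0x0" = success.
SAMPLE_4768 = [
    # One client address sweeping every roastable account with RC4 requested: roasting tool.
    *[{"TargetUserName": n, "IpAddress": "::ffff:10.0.0.77", "PreAuthType": 0,
       "TicketEncryptionType": RC4_HMAC, "Status": "0x0"}
      for n in ("svc_backup", "legacy_app", "svc_print")],
    # Normal user logon with timestamp preauth and AES.
    {"TargetUserName": "jdoe", "IpAddress": "::ffff:10.0.0.12", "PreAuthType": 2,
     "TicketEncryptionType": 0x12, "Status": "0x0"},
    # The service account's own legitimate logon: also PreAuthType 0, but one account, AES.
    {"TargetUserName": "svc_backup", "IpAddress": "::ffff:10.0.0.12", "PreAuthType": 0,
     "TicketEncryptionType": 0x12, "Status": "0x0"},
]


def asrep_roastable(entries):
    """Enabled accounts with preauthentication disabled: anyone can request their
    AS-REP and crack the password offline. Equivalent LDAP filter (assumed, not run here):
    (&(userAccountControl:1.2.840.113556.1.4.803:=4194304)(!(userAccountControl:1.2.840.113556.1.4.803:=2)))"""
    return sorted(e["sAMAccountName"] for e in entries
                  if e["userAccountControl"] & UF_DONT_REQ_PREAUTH
                  and not e["userAccountControl"] & UF_ACCOUNTDISABLE)


def kerberoastable_users(entries):
    """Enabled user accounts carrying at least one SPN: a TGS for that SPN is
    encrypted with the account's password-derived key and can be cracked offline."""
    return sorted(e["sAMAccountName"] for e in entries
                  if e["servicePrincipalName"]
                  and not e["userAccountControl"] & UF_ACCOUNTDISABLE)


def detect_asrep_roast(events, min_accounts=2):
    """Return {client address: sorted accounts} for addresses that obtained
    no-preauth TGTs for at least `min_accounts` distinct accounts.
    A roastable account logs PreAuthType 0 on every normal logon, so a single
    account per address is expected noise; several distinct accounts from one
    address is the sweep a roasting tool performs."""
    by_ip = defaultdict(set)
    for ev in events:
        if ev["PreAuthType"] == 0 and ev["Status"] == "0x0":
            by_ip[ev["IpAddress"]].add(ev["TargetUserName"])
    return {ip: sorted(names) for ip, names in by_ip.items() if len(names) >= min_accounts}


def rc4_no_preauth_requests(events):
    """Count no-preauth TGTs issued with RC4: the combination roasting tools ask for
    because RC4 AS-REP hashes crack far faster than AES."""
    return sum(1 for ev in events
               if ev["PreAuthType"] == 0 and ev["TicketEncryptionType"] == RC4_HMAC)


if __name__ == "__main__":
    print("roastable:", asrep_roastable(SAMPLE_DIRECTORY))
    print("user accounts with SPNs:", kerberoastable_users(SAMPLE_DIRECTORY))
    print("sweeping addresses:", detect_asrep_roast(SAMPLE_4768))
```

The remediation the exposure check points at is the same regardless of tooling: clear the preauth bit on every account it lists (or document why a legacy application still needs it and give that account a long random password), and move SPN-bearing service accounts to gMSA or dMSA so there is no human-chosen password to crack.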
Discovery alerts
This section describes alerts indicating that a malicious actor might be attempting to gather information about your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Okta sync service principal enumerated | A suspicious LDAP (Lightweight Directory Access Protocol) enumeration to find the Okta sync service account was detected. This behavior might indicate that a user account has been compromised and an attacker is using it to carry out malicious activities. | High | T1087.002 | xdr_OktaSyncServicePrincipalEnumeration |
Reconnaissance related to sensitive LDAP attribute | Reconnaissance activities related to sensitive Lightweight Directory Access Protocol (LDAP) attributes were detected on this device. An attacker might have compromised a user account and is looking for information for use in their next steps. | Medium | T1087.002 | xdr_LdapSensitiveAttributeRecon |
Suspicious LDAP query | A suspicious Lightweight Directory Access Protocol (LDAP) query associated with a known attack tool was detected. An attacker might be performing reconnaissance for later steps. | High | T1087.002 | xdr_SuspiciousLdapQuery |
Lateral Movement alerts
This section describes alerts indicating that a malicious actor might be attempting to move between resources or identities in your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Possible authentication silo bypass | A possible attempt to bypass authentication silo policies and authenticate against a silo-protected service was detected on this device. | High | T1550 | xdr_PossibleAuthenticationSiloBypass |
Possible takeover of a Microsoft Entra seamless SSO account | A Microsoft Entra seamless SSO (single sign-on) account object, AZUREADSSOACC, was modified suspiciously. An attacker might be moving laterally from the on-premises environment to the cloud. | High | T1556 | xdr_SuspectedAzureSsoAccountTakeover |
Suspicious activity after password sync | A user performed an uncommon action on an application after a recent password sync. An attacker might have compromised a user's account to perform malicious activities in the organization. | Medium | T1021.007 | xdr_SuspiciousActivityAfterPasswordSync |
Collection alerts
This section describes alerts indicating that a malicious actor might be attempting to gather data of interest to their goal from your organization.
Security alert name | Description | Severity | MITRE Technique | Detector ID |
---|---|---|---|---|
Possible Okta session theft | A new connection using a possibly stolen Okta session cookie was initiated. An attacker might have stolen a session cookie and is now using it to perform a malicious action. | High | T1539 | xdr_PossibleOktaSessionTheft |