Detectionhightest

Azure AD Account Credential Leaked

Indicates that the user's valid credentials have been leaked.

Convert In Phoenix Studio

Open this Sigma rule in the converter with the YAML preloaded and ready for backend selection.

Mark Morowczynski, Gloria LeeCreated Sun Sep 0319128e5e-4743-48dc-bd97-52e5775af817cloud

Log Source

Azureriskdetection

ProductAzure← raw: azure

Serviceriskdetection← raw: riskdetection

Detection Logic

detection:
    selection:
        riskEventType: 'leakedCredentials'
    condition: selection

False Positives

A rare hash collision.

References

MITRE ATT&CK

Tactics

Techniques

Rule Metadata

Rule ID

19128e5e-4743-48dc-bd97-52e5775af817

Status

test

Level

high

Type

Detection

Created

Sun Sep 03

Author

Path

rules/cloud/azure/identity_protection/azure_identity_protection_leaked_credentials.yml

Raw Tags

attack.t1589attack.reconnaissance