Sigma Rules
130 rules found
Changes to Device Registration Policy
Monitor and alert for changes to the device registration policy.
Guest Users Invited To Tenant By Non Approved Inviters
Detects guest users being invited to tenant by non-approved inviters
New Root Certificate Authority Added
Detects newly added root certificate authority to an AzureAD tenant to support certificate based authentication.
Users Added to Global or Device Admin Roles
Monitor and alert for users added to device admin roles.
Application AppID Uri Configuration Changes
Detects when a configuration change is made to an applications AppID URI.
Added Credentials to Existing Application
Detects when a new credential is added to an existing application. Any additional credentials added outside of expected processes could be a malicious actor using those credentials.
Delegated Permissions Granted For All Users
Detects when highly privileged delegated permissions are granted on behalf of all users
End User Consent
Detects when an end user consents to an application
End User Consent Blocked
Detects when end user consent is blocked due to risk-based consent.
Added Owner To Application
Detects when a new owner is added to an application. This gives that account privileges to make modifications and configuration changes to the application.
App Granted Microsoft Permissions
Detects when an application is granted delegated or app role permissions for Microsoft Graph, Exchange, Sharepoint, or Azure AD
App Granted Privileged Delegated Or App Permissions
Detects when administrator grants either application permissions (app roles) or highly privileged delegated permissions
App Assigned To Azure RBAC/Microsoft Entra Role
Detects when an app is assigned Azure AD roles, such as global administrator, or Azure RBAC roles, such as subscription owner.
Application URI Configuration Changes
Detects when a configuration change is made to an applications URI. URIs for domain names that no longer exist (dangling URIs), not using HTTPS, wildcards at the end of the domain, URIs that are no unique to that app, or URIs that point to domains you do not control should be investigated.
Windows LAPS Credential Dump From Entra ID
Detects when an account dumps the LAPS password from Entra ID.
Change to Authentication Method
Change to authentication method could be an indicator of an attacker adding an auth method to the account so they can have continued access.
Azure Domain Federation Settings Modified
Identifies when an user or application modified the federation settings on the domain.
User Added To Group With CA Policy Modification Access
Monitor and alert on group membership additions of groups that have CA policy modification access
User Removed From Group With CA Policy Modification Access
Monitor and alert on group membership removal of groups that have CA policy modification access
Guest User Invited By Non Approved Inviters
Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.
User State Changed From Guest To Member
Detects the change of user type from "Guest" to "Member" for potential elevation of privilege.
PIM Approvals And Deny Elevation
Detects when a PIM elevation is approved or denied. Outside of normal operations should be investigated.
PIM Alert Setting Changes To Disabled
Detects when PIM alerts are set to disabled.
Changes To PIM Settings
Detects when changes are made to PIM roles
User Added To Privilege Role
Detects when a user is added to a privileged role.
Bulk Deletion Changes To Privileged Account Permissions
Detects when a user is removed from a privileged role. Bulk changes should be investigated.
Privileged Account Creation
Detects when a new admin is created.
Azure Subscription Permission Elevation Via AuditLogs
Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.
Temporary Access Pass Added To An Account
Detects when a temporary access pass (TAP) is added to an account. TAPs added to priv accounts should be investigated
User Risk and MFA Registration Policy Updated
Detects changes and updates to the user risk and MFA registration policy. Attackers can modified the policies to Bypass MFA, weaken security thresholds, facilitate further attacks, maintain persistence.
Multi Factor Authentication Disabled For User Account
Detects changes to the "StrongAuthenticationRequirement" value, where the state is set to "0" or "Disabled". Threat actors were seen disabling multi factor authentication for users in order to maintain or achieve access to the account. Also see in SIM Swap attacks.
Password Reset By User Account
Detect when a user has reset their password in Azure AD
Anomalous Token
Indicates that there are abnormal characteristics in the token such as an unusual token lifetime or a token that is played from an unfamiliar location.
Anomalous User Activity
Indicates that there are anomalous patterns of behavior like suspicious changes to the directory.
Activity From Anonymous IP Address
Identifies that users were active from an IP address that has been identified as an anonymous proxy IP address.
Anonymous IP Address
Indicates sign-ins from an anonymous IP address, for example, using an anonymous browser or VPN.
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Impossible Travel
Identifies user activities originating from geographically distant locations within a time period shorter than the time it takes to travel from the first location to the second.
Suspicious Inbox Forwarding Identity Protection
Indicates suspicious rules such as an inbox rule that forwards a copy of all emails to an external address
Suspicious Inbox Manipulation Rules
Detects suspicious rules that delete or move messages or folders are set on a user's inbox.
Azure AD Account Credential Leaked
Indicates that the user's valid credentials have been leaked.
Malicious IP Address Sign-In Failure Rate
Indicates sign-in from a malicious IP address based on high failure rates.
Malicious IP Address Sign-In Suspicious
Indicates sign-in from a malicious IP address known to be malicious at time of sign-in.
Sign-In From Malware Infected IP
Indicates sign-ins from IP addresses infected with malware that is known to actively communicate with a bot server.
New Country
Detects sign-ins from new countries. The detection considers past activity locations to determine new and infrequent locations.
Password Spray Activity
Indicates that a password spray attack has been successfully performed.
Primary Refresh Token Access Attempt
Indicates access attempt to the PRT resource which can be used to move laterally into an organization or perform credential theft
Suspicious Browser Activity
Indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser