Rule Library

Sigma Rules

8 rules found for "AlertIQ"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test

Change to Authentication Method

A change to an account's authentication method can indicate that an attacker has added an authentication method to the account in order to retain access.

Azure · auditlogs
TA0004 · Privilege Escalation, TA0006 · Credential Access, T1556 · Modify Authentication Process, TA0003 · Persistence, +2 more
AlertIQ · Sun Oct 10 · cloud
Detection · medium · test

Account Lockout

Identifies a user account that has been locked because the user tried to sign in too many times with an incorrect user ID or password.

Azure · signinlogs
TA0006 · Credential Access, T1110 · Brute Force
AlertIQ · Sun Oct 10 · cloud
Detection · medium · test

Login to Disabled Account

Detects failed attempts to sign in to disabled accounts.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +1 more
AlertIQ · Sun Oct 10 · cloud
Detection · medium · test

Multifactor Authentication Denied

The user has indicated that they did not initiate the MFA prompt, which could mean an attacker has the password for the account.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +4 more
AlertIQ · Thu Mar 24 · cloud
Detection · medium · test

Multifactor Authentication Interrupted

Identifies user logins with multifactor authentication failures, which might indicate that an attacker has the password for the account but cannot pass the MFA challenge.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +4 more
AlertIQ · Sun Oct 10 · cloud
Detection · medium · test

User Access Blocked by Azure Conditional Access

Detects access that has been blocked by Conditional Access policies. The access policy did not allow token issuance, which might be a sign of an unauthorized login attempt against a valid account.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0006 · Credential Access, +3 more
AlertIQ · Sun Oct 10 · cloud
Detection · high · test

Windows Defender Service Disabled - Registry

Detects when an attacker or tool disables the Windows Defender service (WinDefend) via the registry.

Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
Ján Trenčanský +3 · Mon Aug 01 · windows
Detection · high · test

Disable Windows Defender Functionalities Via Registry Keys

Detects when attackers or tools disable Windows Defender functionalities via the Windows registry.

Windows · Registry Set
TA0005 · Defense Evasion, T1562.001 · Disable or Modify Tools
AlertIQ +4 · Mon Aug 01 · windows
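The cards above describe what each rule detects but not how a Sigma selection is actually evaluated against an event. The following is an added example in Python, not code from this rule library or from the Sigma project: a minimal Sigma-style selection matcher run over a handful of constructed events, covering the Azure sign-in rules listed above (Account Lockout, Login to Disabled Account, Multifactor Authentication Interrupted, User Access Blocked by Azure Conditional Access) and the two Windows Defender registry rules. Field names follow the Sigma logsource conventions for Azure signinlogs (ResultType, UserPrincipalName) and Windows registry_set events (TargetObject, Details). The Entra ID result codes and the registry paths and DWORD values are assumed for illustration and are not the rules' actual selections; check them against the rule YAML and your own logs before relying on them.

```python
"""Added example (not code from the rule library or from the Sigma project):
a minimal Sigma-style selection matcher run over constructed events.

Field names follow the Sigma logsource conventions for Azure signinlogs
(ResultType, UserPrincipalName) and Windows registry_set events
(TargetObject, Details). The Entra ID result codes and the registry
paths/values are assumed for illustration, not the rules' actual selections.
"""
from typing import Any

# Rules as Sigma-like selections: "Field|modifier" -> expected value(s).
# Every field in a selection must match (implicit AND); a list of expected
# values matches if any one of them does (implicit OR), as in Sigma.
RULES: dict[str, dict[str, Any]] = {
    "Account Lockout": {"ResultType": 50053},                        # assumed: account locked
    "Login to Disabled Account": {"ResultType": 50057},              # assumed: user disabled
    "Multifactor Authentication Interrupted": {"ResultType": [50074, 500121]},  # assumed: MFA required / failed
    "User Access Blocked by Azure Conditional Access": {"ResultType": 53003},   # assumed: blocked by CA policy
    "Windows Defender Service Disabled - Registry": {
        "TargetObject|endswith": "\\Services\\WinDefend\\Start",
        "Details": "DWORD (0x00000004)",                             # 4 == SERVICE_DISABLED
    },
    "Disable Windows Defender Functionalities Via Registry Keys": {
        "TargetObject|contains": "\\Windows Defender\\",
        "TargetObject|endswith": [                                   # assumed subset of tamper values
            "\\DisableAntiSpyware",
            "\\DisableRealtimeMonitoring",
            "\\DisableBehaviorMonitoring",
        ],
        "Details": "DWORD (0x00000001)",
    },
}

_MODIFIERS = ("", "contains", "startswith", "endswith")


def _field_matches(event: dict[str, Any], key: str, expected: Any) -> bool:
    """Evaluate one 'Field|modifier' entry against an event.

    String comparison is case-insensitive, which is Sigma's default;
    an absent field never matches.
    """
    field, _, modifier = key.partition("|")
    if modifier not in _MODIFIERS:
        raise ValueError(f"unsupported modifier: {modifier!r}")
    if field not in event:
        return False
    value = str(event[field]).lower()
    for exp in expected if isinstance(expected, list) else [expected]:
        exp = str(exp).lower()
        if modifier == "" and value == exp:
            return True
        if modifier == "contains" and exp in value:
            return True
        if modifier == "startswith" and value.startswith(exp):
            return True
        if modifier == "endswith" and value.endswith(exp):
            return True
    return False


def matching_rules(event: dict[str, Any]) -> list[str]:
    """Return the names of all rules whose selection fully matches the event."""
    return [
        name for name, selection in RULES.items()
        if all(_field_matches(event, key, exp) for key, exp in selection.items())
    ]


def run(events: list[dict[str, Any]]) -> dict[str, list[dict[str, Any]]]:
    """Group matching events by rule name; events matching no rule are dropped."""
    hits: dict[str, list[dict[str, Any]]] = {}
    for event in events:
        for name in matching_rules(event):
            hits.setdefault(name, []).append(event)
    return hits


# Constructed sample events, not real log data.
SAMPLE_EVENTS: list[dict[str, Any]] = [
    # Azure signinlogs
    {"UserPrincipalName": "alice@example.com", "ResultType": 0},         # successful sign-in, no hit
    {"UserPrincipalName": "bob@example.com", "ResultType": 50053},
    {"UserPrincipalName": "svc-legacy@example.com", "ResultType": 50057},
    {"UserPrincipalName": "carol@example.com", "ResultType": 500121},
    {"UserPrincipalName": "dave@example.com", "ResultType": 53003},
    # Windows registry_set (Sysmon event 13 style fields)
    {"Image": "C:\\Windows\\regedit.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start",
     "Details": "DWORD (0x00000004)"},
    {"Image": "C:\\Windows\\System32\\reg.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Policies\\Microsoft\\Windows Defender\\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    # Benign: start type set back to Automatic (2); must not fire either Defender rule
    {"Image": "C:\\Windows\\System32\\services.exe",
     "TargetObject": "HKLM\\System\\CurrentControlSet\\Services\\WinDefend\\Start",
     "Details": "DWORD (0x00000002)"},
]

if __name__ == "__main__":
    for rule, events in run(SAMPLE_EVENTS).items():
        print(f"{rule}: {len(events)} event(s)")
        for ev in events:
            print("   ", ev.get("UserPrincipalName") or ev.get("TargetObject"))
```

The benign last event is the check worth keeping: the WinDefend Start value is written by a legitimate process with a value other than 4, so an exact match on Details is what keeps the service-disabled rule from firing on every start-type change. The matcher treats all comparisons case-insensitively, as Sigma does by default, so registry paths logged with different casing (HKLM\System vs HKLM\SYSTEM) still match.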