Rule Library

Sigma Rules

12 rules found for "Yochana Henderson"

3,707 Total
3,116 Detection
451 Emerging
137 Hunting
Detection · medium · test

Guest User Invited By Non Approved Inviters

Detects when a user that doesn't have permissions to invite a guest user attempts to invite one.

Azure · auditlogs
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0003 · Persistence, TA0005 · Defense Evasion, +1
Mark Morowczynski +1 · Wed Aug 10 · cloud
Detection · high · test

PIM Approvals And Deny Elevation

Detects when a PIM elevation is approved or denied. Activity outside of normal operations should be investigated.

Azure · auditlogs
TA0003 · Persistence, TA0001 · Initial Access, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, +1
Mark Morowczynski +1 · Tue Aug 09 · cloud
Detection · high · test

PIM Alert Setting Changes To Disabled

Detects when PIM alerts are set to disabled.

Azure · auditlogs
TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, TA0004 · Privilege Escalation, +1
Mark Morowczynski +1 · Tue Aug 09 · cloud
Detection · high · test

Changes To PIM Settings

Detects when changes are made to PIM roles.

Azure · auditlogs
TA0001 · Initial Access, TA0005 · Defense Evasion, TA0004 · Privilege Escalation, TA0003 · Persistence, +1
Mark Morowczynski +1 · Tue Aug 09 · cloud
Detection · high · test

User Added To Privilege Role

Detects when a user is added to a privileged role.

Azure · auditlogs
TA0003 · Persistence, TA0001 · Initial Access, TA0004 · Privilege Escalation, TA0005 · Defense Evasion, +1
Mark Morowczynski +1 · Sat Aug 06 · cloud
Detection · high · test

Bulk Deletion Changes To Privileged Account Permissions

Detects when a user is removed from a privileged role. Bulk changes should be investigated.

Azure · auditlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, T1098 · Account Manipulation
Mark Morowczynski +1 · Fri Aug 05 · cloud
Detection · medium · test

Privileged Account Creation

Detects when a new admin is created.

Azure · auditlogs
TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, TA0004 · Privilege Escalation, +1
Mark Morowczynski +2 · Thu Aug 11 · cloud
Detection · high · test

Temporary Access Pass Added To An Account

Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated.

Azure · auditlogs
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, +1
Mark Morowczynski +1 · Wed Aug 10 · cloud
Detection · medium · test

Password Reset By User Account

Detects when a user has reset their password in Azure AD.

Azure · auditlogs
TA0004 · Privilege Escalation, TA0001 · Initial Access, TA0005 · Defense Evasion, TA0003 · Persistence, +2
Yochana Henderson · Wed Aug 03 · cloud
Detection · medium · test

Account Disabled or Blocked for Sign in Attempts

Detects when an account is disabled or blocked for sign-in but tried to log in.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +1
Yochana Henderson · Fri Jun 17 · cloud
Detection · high · test

Sign-in Failure Due to Conditional Access Requirements Not Met

Define a baseline threshold for failed sign-ins due to Conditional Access failures.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +3
Yochana Henderson · Wed Jun 01 · cloud
Detection · high · test

Use of Legacy Authentication Protocols

Alerts when legacy authentication has been used on an account.

Azure · signinlogs
TA0004 · Privilege Escalation, TA0003 · Persistence, TA0005 · Defense Evasion, TA0001 · Initial Access, +3
Yochana Henderson · Fri Jun 17 · cloud