Rules Contributing to Microsoft Entra Changes to Privileged Account Alert
The following rules are used to identify suspicious Microsoft Entra changes to privileged accounts. Any one or more of them will trigger the Microsoft Entra Changes to Privileged Account Alert. The details of each rule are listed below.
| Field | Password Reset By User Account |
|---|---|
| Description | Detect when a user has reset their password in Microsoft Entra ID |
| Rule ID | |
| Query | `{'selection': {'Category': 'UserManagement', 'Result': 'Success', 'ActivityDisplayName\|contains': 'Password reset'}, 'filter': {'initiatedBy_user_userPrincipalName': ''}, 'condition': 'selection and not filter'}` |
| Log Source | Stellar Cyber Microsoft Entra Events configured. |
| Rule Source | SigmaHQ, 340ee172-4b67-4fb4-832f-f961bdc1f3aa |
| Author | Yochana Henderson, '@Yochana-H' |
| Tactics, Techniques, and Procedures | |
| References | N/A |
| Severity | 50 |
| Suppression Logic Based On | |
| Additional Information | |

| Field | Temporary Access Pass Added To An Account |
|---|---|
| Description | Detects when a temporary access pass (TAP) is added to an account. TAPs added to privileged accounts should be investigated. |
| Rule ID | |
| Query | `{'selection': {'ResultReason': 'Admin registered temporary access pass method for user', 'properties_message': 'Admin registered security info'}, 'condition': 'selection'}` |
| Log Source | Stellar Cyber Microsoft Entra Events configured. |
| Rule Source | SigmaHQ, fa84aaf5-8142-43cd-9ec2-78cfebf878ce |
| Author | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H' |
| Tactics, Techniques, and Procedures | |
| References | N/A |
| Severity | 75 |
| Suppression Logic Based On | |
| Additional Information | |

| Field | Privileged Account Creation |
|---|---|
| Description | Detects when a new admin is created. |
| Rule ID | |
| Query | `{'selection': {'Result': 'Success', 'properties_message\|contains\|all': ['Add user', 'Add member to role']}, 'condition': 'selection'}` |
| Log Source | Stellar Cyber Microsoft Entra Events configured. |
| Rule Source | SigmaHQ, f7b5b004-dece-46e4-a4a5-f6fd0e1c6947 |
| Author | Mark Morowczynski '@markmorow', Yochana Henderson, '@Yochana-H', Tim Shelton |
| Tactics, Techniques, and Procedures | |
| References | N/A |
| Severity | 50 |
| Suppression Logic Based On | |
| Additional Information | |
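To show how the three selection/filter/condition queries above actually decide on an event, here is a small evaluator added as an example for this page; it is not Stellar Cyber's or SigmaHQ's matching engine. The field names and the queries are taken verbatim from the rules above. The sample events, the case-insensitive string comparison (Sigma's default), and the treatment of a missing field as an empty string are assumptions made for the example.

```python
"""Evaluate the page's three Sigma-style queries against constructed Entra audit events.

Added example, not vendor code. Supports only the modifiers and condition
forms that appear on the page: exact match, |contains, |contains|all,
'selection' and 'selection and not filter'.
"""
from typing import Any

# The three queries exactly as listed on the page, keyed by rule title.
RULES = {
    "Password Reset By User Account": {
        'selection': {'Category': 'UserManagement', 'Result': 'Success',
                      'ActivityDisplayName|contains': 'Password reset'},
        'filter': {'initiatedBy_user_userPrincipalName': ''},
        'condition': 'selection and not filter',
    },
    "Temporary Access Pass Added To An Account": {
        'selection': {'ResultReason': 'Admin registered temporary access pass method for user',
                      'properties_message': 'Admin registered security info'},
        'condition': 'selection',
    },
    "Privileged Account Creation": {
        'selection': {'Result': 'Success',
                      'properties_message|contains|all': ['Add user', 'Add member to role']},
        'condition': 'selection',
    },
}


def _norm(value: Any) -> str:
    # Assumption: comparisons are case-insensitive, as in Sigma's default semantics.
    return str(value).lower()


def field_matches(event: dict, key: str, expected: Any) -> bool:
    """Apply one 'field|modifier...' entry of a selection/filter block to an event."""
    field, *mods = key.split('|')
    # Assumption: an absent field behaves like an empty string.
    value = _norm(event.get(field, ''))
    if 'contains' in mods:
        wanted = expected if isinstance(expected, list) else [expected]
        wanted = [_norm(w) for w in wanted]
        if 'all' in mods:          # every listed substring must be present
            return all(w in value for w in wanted)
        return any(w in value for w in wanted)
    return value == _norm(expected)  # plain key: exact (case-insensitive) match


def block_matches(event: dict, block: dict) -> bool:
    # All entries within one block are ANDed, as in Sigma.
    return all(field_matches(event, k, v) for k, v in block.items())


def rule_matches(event: dict, rule: dict) -> bool:
    cond = rule['condition']
    if cond == 'selection':
        return block_matches(event, rule['selection'])
    if cond == 'selection and not filter':
        return block_matches(event, rule['selection']) and not block_matches(event, rule['filter'])
    raise ValueError(f"unsupported condition: {cond}")


def matching_rules(event: dict) -> list:
    """Return the titles of every rule that fires on the event."""
    return [name for name, rule in RULES.items() if rule_matches(event, rule)]


# Constructed sample events (not real tenant data).
SAMPLE_EVENTS = [
    {   # self-service reset with an initiating UPN -> rule 1 fires
        'Category': 'UserManagement', 'Result': 'Success',
        'ActivityDisplayName': 'Password reset (self-service)',
        'initiatedBy_user_userPrincipalName': 'alice@example.com',
    },
    {   # same activity but no initiating UPN -> removed by the filter block
        'Category': 'UserManagement', 'Result': 'Success',
        'ActivityDisplayName': 'Password reset (self-service)',
        'initiatedBy_user_userPrincipalName': '',
    },
    {   # TAP registered for a user -> rule 2 fires
        'ResultReason': 'Admin registered temporary access pass method for user',
        'properties_message': 'Admin registered security info',
    },
    {   # user created and placed in a role -> rule 3 fires
        'Result': 'Success',
        'properties_message': 'Add user; Add member to role',
    },
    {   # user created with no role assignment -> contains|all is not satisfied
        'Result': 'Success',
        'properties_message': 'Add user',
    },
]


def evaluate_all(events: list = SAMPLE_EVENTS) -> list:
    """Per-event list of firing rule titles, in SAMPLE_EVENTS order."""
    return [matching_rules(e) for e in events]


if __name__ == '__main__':
    for event, hits in zip(SAMPLE_EVENTS, evaluate_all()):
        print(hits or 'no match', '<-', event)
```

The second sample event is the one worth noting when tuning: the `filter` block in the first rule matches precisely when `initiatedBy_user_userPrincipalName` is empty, so `selection and not filter` keeps only resets with a named initiator. Whether the Stellar Cyber pipeline emits that field as an empty string or omits it entirely decides whether the assumption in `field_matches` holds for your data.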