Rules Contributing to Microsoft Entra Unusual Account Creation Alert
The following rules are used to identify Microsoft Entra unusual account creation activity. Any one or more of these will trigger the Microsoft Entra Unusual Account Creation Alert. Details for each rule can be viewed by clicking the More Details link in the description.
Title | Description |
---|---|
Account Created and Deleted within a Close Timeframe | Detects when an account was created and deleted in a short period of time. |

More details:

Field | Value |
---|---|
Rule ID | |
Query | `{'selection': {'properties_message': ['Add user', 'Delete user'], 'Status': 'Success'}, 'condition': 'selection'}` |
Log Source | Stellar Cyber Microsoft Entra Events configured. |
Rule Source | SigmaHQ, 6f583da0-3a90-4566-a4ed-83c09fe18bbf |
Author | Mark Morowczynski '@markmorow', MikeDuddington, '@dudders1', Tim Shelton |
Tactics, Techniques, and Procedures | |
References | |
Severity | 75 |
Suppression Logic Based On | |
Additional Information | |
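
The query selects successful `Add user` and `Delete user` events; the sketch below, an added example that is not part of the Stellar Cyber or SigmaHQ rule, shows one way to pair them per account over constructed events. The one-hour window and the `timestamp` and `target` field names are assumptions; `properties_message` and `Status` come from the query.

```python
from datetime import datetime, timedelta

# Assumed correlation window; the page does not state the rule's timeframe.
WINDOW = timedelta(hours=1)

# Constructed sample events. "timestamp" and "target" are hypothetical field names.
EVENTS = [
    {"timestamp": "2024-05-01T09:00:00", "properties_message": "Add user", "Status": "Success", "target": "alice@example.com"},
    {"timestamp": "2024-05-01T10:00:00", "properties_message": "Add user", "Status": "Success", "target": "tmp-svc@example.com"},
    {"timestamp": "2024-05-01T10:05:00", "properties_message": "Update user", "Status": "Success", "target": "tmp-svc@example.com"},
    {"timestamp": "2024-05-01T10:12:00", "properties_message": "Delete user", "Status": "Success", "target": "tmp-svc@example.com"},
    {"timestamp": "2024-05-01T11:00:00", "properties_message": "Add user", "Status": "Failure", "target": "bob@example.com"},
    {"timestamp": "2024-05-01T11:05:00", "properties_message": "Delete user", "Status": "Success", "target": "bob@example.com"},
    {"timestamp": "2024-05-01T15:30:00", "properties_message": "Delete user", "Status": "Success", "target": "alice@example.com"},
]


def matches_selection(event):
    """Apply the rule's selection: Add user or Delete user, with Status Success."""
    return (event.get("properties_message") in ("Add user", "Delete user")
            and event.get("Status") == "Success")


def short_lived_accounts(events, window=WINDOW):
    """Return (target, created, deleted) for accounts deleted within `window` of creation."""
    created = {}  # target -> time of its most recent successful Add user
    hits = []
    selected = [e for e in events if matches_selection(e)]
    for e in sorted(selected, key=lambda e: datetime.fromisoformat(e["timestamp"])):
        ts = datetime.fromisoformat(e["timestamp"])
        target = e["target"]
        if e["properties_message"] == "Add user":
            created[target] = ts
        elif target in created:
            # A delete only counts when a successful create for the same
            # account was seen earlier in the data being examined.
            start = created.pop(target)
            if ts - start <= window:
                hits.append((target, start, ts))
    return hits


if __name__ == "__main__":
    for target, start, end in short_lived_accounts(EVENTS):
        print(f"{target}: created {start}, deleted {end} ({end - start} later)")
```

A delete with no matching successful create in the examined data (here `bob@example.com`, whose create failed) is not reported, so the lookback period has to cover at least the chosen window.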