
 Note

The Microsoft Defender for Identity features explained on this page are also accessible using the new portal.

Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

  1. Reconnaissance phase alerts
  2. Compromised credential phase alerts
  3. Lateral movement phase alerts
  4. Domain dominance phase alerts
  5. Exfiltration phase alerts

To learn more about the structure and common components of all Defender for Identity security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

The following table lists the mapping between alert names, their corresponding unique external IDs, and their Microsoft Defender for Cloud Apps alert IDs. When writing scripts or automation, Microsoft recommends keying on the alert external IDs rather than the alert names, because only the external IDs are permanent; alert names are subject to change.

External IDs

| Security alert name | Unique external ID | Severity | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| Account enumeration reconnaissance | 2003 | Medium | Discovery |
| Active Directory attributes reconnaissance (LDAP) | 2210 | Medium | Discovery |
| Data exfiltration over SMB | 2030 | High | Exfiltration, Lateral movement, Command and control |
| Exchange Server Remote Code Execution (CVE-2021-26855) | 2414 | High | Lateral movement |
| Honeytoken activity | 2014 | Medium | Credential access, Discovery |
| Malicious request of Data Protection API master key | 2020 | High | Credential access |
| Network mapping reconnaissance (DNS) | 2007 | Medium | Discovery |
| Remote code execution attempt | 2019 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Remote code execution over DNS | 2036 | Medium | Privilege escalation, Lateral movement |
| Security principal reconnaissance (LDAP) | 2038 | Medium | Credential access |
| Suspected AS-REP Roasting attack | 2412 | High | Credential access |
| Suspected Brute Force attack (Kerberos, NTLM) | 2023 | Medium | Credential access |
| Suspected Brute Force attack (LDAP) | 2004 | Medium | Credential access |
| Suspected Brute Force attack (SMB) | 2033 | Medium | Lateral movement |
| Suspected DCShadow attack (domain controller promotion) | 2028 | High | Defense evasion |
| Suspected DCShadow attack (domain controller replication request) | 2029 | High | Defense evasion |
| Suspected DCSync attack (replication of directory services) | 2006 | High | Persistence, Credential access |
| Suspected exploitation attempt on Windows Print Spooler service | 2415 | High or Medium | Lateral movement |
| Suspected Golden Ticket usage (encryption downgrade) | 2009 | Medium | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (forged authorization data) | 2013 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (nonexistent account) | 2027 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (ticket anomaly) | 2032 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (ticket anomaly using RBCD) | 2040 | High | Persistence |
| Suspected Golden Ticket usage (time anomaly) | 2022 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected identity theft (pass-the-hash) | 2017 | High | Lateral movement |
| Suspected identity theft (pass-the-ticket) | 2018 | High or Medium | Lateral movement |
| Suspected Kerberos SPN exposure (external ID 2410) | 2410 | High | Credential access |
| Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) | 2411 | High | Privilege escalation |
| Suspicious network connection over Encrypting File System Remote Protocol | 2416 | High or Medium | Lateral movement |
| Suspected NTLM authentication tampering | 2039 | Medium | Privilege escalation, Lateral movement |
| Suspected NTLM relay attack | 2037 | Medium, or Low if observed using signed NTLM v2 protocol | Privilege escalation, Lateral movement |
| Suspected overpass-the-hash attack (Kerberos) | 2002 | Medium | Lateral movement |
| Suspected rogue Kerberos certificate usage | 2047 | High | Lateral movement |
| Suspected Skeleton Key attack (encryption downgrade) | 2010 | Medium | Lateral movement, Persistence |
| Suspected SMB packet manipulation (CVE-2020-0796 exploitation) – (preview) | 2406 | High | Lateral movement |
| Suspected use of Metasploit hacking framework | 2034 | Medium | Lateral movement |
| Suspected WannaCry ransomware attack | 2035 | Medium | Lateral movement |
| Suspicious additions to sensitive groups | 2024 | Medium | Credential access, Persistence |
| Suspicious communication over DNS | 2031 | Medium | Exfiltration |
| Suspicious service creation | 2026 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Suspicious VPN connection | 2025 | Medium | Persistence, Defense evasion |
| User and Group membership reconnaissance (SAMR) | 2021 | Medium | Discovery |
| User and IP address reconnaissance (SMB) | 2012 | Medium | Discovery |
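The recommendation above (key automation on external IDs, not names) in practice, as an added example that is not Microsoft code: the catalog is an excerpt of the table on this page, the alert records and their field names (externalId, name, severity) are constructed for illustration, not taken from any API. It also shows why severity must be read from each alert rather than from the table, since some alerts (such as 2037) vary per instance.

```python
"""Route Microsoft Defender for Identity alerts by external ID rather than by name.

Added example (not Microsoft code). ALERT_CATALOG is an excerpt of this page's
table; SAMPLE_ALERTS and the field names externalId/name/severity are constructed.
"""
from typing import Dict, List, Tuple

# Excerpt of the page's table: external ID -> (canonical name, MITRE tactics).
ALERT_CATALOG: Dict[int, Tuple[str, Tuple[str, ...]]] = {
    2006: ("Suspected DCSync attack (replication of directory services)",
           ("Persistence", "Credential access")),
    2037: ("Suspected NTLM relay attack", ("Privilege escalation", "Lateral movement")),
    2410: ("Suspected Kerberos SPN exposure", ("Credential access",)),
    2412: ("Suspected AS-REP Roasting attack", ("Credential access",)),
}

SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1}

# Constructed alert records. The 2410 name carries a suffix, as it does in the
# page's table, while its external ID is unchanged; 2037 arrives as Low because
# signed NTLMv2 was observed; 2999 is a constructed ID not in the excerpt.
SAMPLE_ALERTS: List[dict] = [
    {"externalId": 2410, "name": "Suspected Kerberos SPN exposure (external ID 2410)", "severity": "High"},
    {"externalId": 2037, "name": "Suspected NTLM relay attack", "severity": "Low"},
    {"externalId": 2006, "name": "Suspected DCSync attack (replication of directory services)", "severity": "High"},
    {"externalId": 2999, "name": "Some future alert", "severity": "Medium"},
]

def match_by_name(alert: dict) -> bool:
    """Fragile: exact string match against the catalog's canonical names."""
    return any(name == alert["name"] for name, _ in ALERT_CATALOG.values())

def match_by_id(alert: dict) -> bool:
    """Stable: the external ID is the permanent key Microsoft recommends."""
    return alert["externalId"] in ALERT_CATALOG

def triage(alerts: List[dict]) -> List[Tuple[int, str, Tuple[str, ...]]]:
    """Return (externalId, severity, tactics) for catalogued alerts, highest severity first.
    Severity comes from the alert itself, not the table, because it varies per instance."""
    rows = []
    for a in alerts:
        if not match_by_id(a):
            continue  # unknown ID: leave for manual review rather than guess a tactic
        _, tactics = ALERT_CATALOG[a["externalId"]]
        rows.append((a["externalId"], a["severity"], tactics))
    return sorted(rows, key=lambda r: SEVERITY_RANK.get(r[1], 0), reverse=True)

if __name__ == "__main__":
    for a in SAMPLE_ALERTS:
        print(a["externalId"], "name-match:", match_by_name(a), "id-match:", match_by_id(a))
    for row in triage(SAMPLE_ALERTS):
        print(row)
```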

 Note

To disable any security alert, contact support.

Source: Official Microsoft Brand
Edited by: BEST Antivirus KBS Team
