Managed Sentinel Use Case Catalog

Azure Sentinel

Managed Sentinel intends to build and share with the community an extensive list of use-cases with full details such as threat indicators, severity level, MITRE ATT&CK tactics, log sources used to provide the information and situations when they may be a false positive. We are also including the recommended actions for remediating or investigating the security event.

Alert IDDescription
MS-A001Access by the same user to a system from multiple sources
MS-A013CnC - Command and Control Interaction (Threat Intelligence)
MS-A002Anomalous Azure AD apps based on authentication location
MS-A003Anomalous sign-in location by user account and authenticating application
MS-A129Users added to privileged domain groups
MS-A004Anomalous sign-in location by user Account and authenticating application - with sign-in details
MS-A119Windows Audit Log Cleared
MS-A031Excessive inbound firewall allows (Cisco ASA)
MS-A082Previously disabled accounts becoming active
MS-A033Excessive number of Windows Account lockouts
MS-A030Excessive outbound DNS queries
MS-A035Excessive Outbound Firewall Denies
MS-A074Peer-to-peer (P2P) traffic detected in perimeter firewall
MS-A091Group recently created was added to a privileged built-in group
MS-A111Outbound traffic to known bad IPs (Microsoft Security Graph)
MS-A042Excessive outbound traffic (data transferred out from internal network)
MS-A067Multiple users forwarding Office 365 mail to same destination
MS-A034Excessive Outbound Firewall Allows (Cisco ASA Firewall)
MS-A070A new service was installed and started on a critical Windows server
MS-A126Windows system time has been changed on a critical server
MS-A045High Number of Connections on specific opened ports
MS-A046Outbound traffic to known bad IPs (Managed Sentinel Threat Intelligence)
MS-A048Inbound management allowed traffic through perimeter firewall (Internet or any other untrust zones)
MS-A062Multiple failed login attempts within 10 minutes
MS-A065Multiple Internal assets connecting to same malicious destinations within a predefined timeframe (Threat Intelligence)
MS-A089Windows privilege account(s) password changed on critical servers
MS-A101Suspicious high privilege account login failure on Windows systems
MS-A036 Internal hosts using unsanctioned DNS servers (Cisco ASA)
MS-A038File sharing traffic detected through perimeter firewall
MS-A005Admin authentication failure detected on firewall
MS-A039Network Scan detected
MS-A032Excessive Inbound Firewall Denies
MS-A026DNS Full Name anomalous lookup increase (Outlier)
MS-A072Non owner Office 365 mailbox login activity
MS-A112Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence)
MS-A040Firewall configuration change detected (Cisco ASA firewall)
MS-A094Sharepoint downloads from previously unseen IP address
MS-A044High bandwidth usage with streaming data
MS-A109Tracking Privileged Account Rare Activity
MS-A008Azure storage key enumeration
MS-A122Windows Admin group modification
MS-A015Creation and modification of privileged account attributes
MS-A123Exchange Audit Log Disabled
MS-A024DNS Domain anomalous lookup increase
MS-A124Multiple Login failures for multiple accounts within a predefined time interval on Windows servers
MS-A105Sustained connection(s) from an internal host for more than x hours through firewall
MS-A060Remote management access to internal Windows servers via VPN
MS-A027DNS high NXDomain count (Outlier)
MS-A006Azure AD sign-in bursts from multiple locations
MS-A069New Office 365 admin activity detected
MS-A081Powershell or non-browser mailbox login activity in Office 365
MS-A025DNS Domains linked to WannaCry ransomware campaign (Threat Intelligence)
MS-A093Sharepoint downloads from devices associated with previously unseen user agents
MS-A007Azure AD signins from new locations
MS-A014Common deployed resources in Azure
MS-A016Creation of an anomalous number of resources in Azure
MS-A037Failed login attempts to Azure Portal
MS-A041Granting elevated permissions to an Azure account
MS-A056Login attempts using Legacy Authentication (Azure)
MS-A023DNS commonly abused TLDs - Top Level Domains
MS-A028DNS high reverse DNS count (Outlier)
MS-A057Long DNS Query
MS-A500APT Babyshark Lookup
MS-A501APT 29 Thinktanks Lookup
MS-A502APT Bear Activity GTR19 Lookup
MS-A503APT Tropic Trooper Lookup
MS-A504APT DragonFly Lookup
MS-A505APT CloudHopper Lookup
MS-A506APT Elise Lookup
MS-A507APT EquationGroup DLL Uload Lookup
MS-A508APT Hurricane Panda Lookup
MS-A509 APT Judgement Panda Lookup
MS-A510APT Sofacy Zebrocy Lookup
MS-A511APT TA17-293 Lookup
MS-A512 APT ZxShell Lookup
MS-A513APT 5 Manganese Lookup
MS-A121Add + Delete account from a privileged group within a short timeframe
MS-A125Windows security audit log is full
MS-A150Internal systems using a large number of protocols
MS-A200Silent log source monitoring - Heartbeat
MS-A142User account created and deleted within x mins
MS-A061Process execution frequency anomaly
MS-A143Potential Kerberoasting
MS-A144Malware detected in the local recycle bin
MS-A110 Malware detected in a Office 365 repository
MS-A152Azure Security Center Threat Alert
MS-A133Rare and potentially high risk Office 365 operations
MS-A134Office 365 policy tampering
MS-A153Azure Security Center Recommendations Alert
MS-A147Local Windows user account creation
MS-A083Multiple successful VPN logins for different users from same IP address
MS-A127Successful VPN connections from different source IP addresses within specific time interval
MS-A139Mail forwarding enabled to an external email address
MS-A148Successful overpass the hash attempt
MS-A149Firewall external average attack detection rate increase
MS-A117Web shell script detection on a website