Managed Sentinel Use Case Catalog

Azure Sentinel

Managed Sentinel intends to build and share with the community an extensive list of use cases, each with full details: threat indicators, severity level, MITRE ATT&CK tactics, the log sources that supply the data, and the situations in which the alert may be a false positive. We also include the recommended actions for investigating or remediating each security event.

Alert ID  Description
MS-A001   Access by the same user to a system from multiple sources
MS-A013   CnC - Command and Control interaction (Threat Intelligence)
MS-A002   Anomalous Azure AD apps based on authentication location
MS-A003   Anomalous sign-in location by user account and authenticating application
MS-A129   Users added to privileged domain groups
MS-A004   Anomalous sign-in location by user account and authenticating application - with sign-in details
MS-A119   Windows audit log cleared
MS-A031   Excessive inbound firewall allows
MS-A082   Previously disabled accounts becoming active
MS-A033   Excessive number of Windows account lockouts
MS-A030   Excessive outbound DNS queries
MS-A035   Excessive outbound firewall denies
MS-A074   Peer-to-peer (P2P) traffic detected in perimeter firewall
MS-A091   Critical Windows server restarted
MS-A111   Traffic allowed to known malicious IP addresses (Threat Intelligence)
MS-A042   Excessive outbound traffic (data transferred out from internal network)
MS-A067   Multiple users forwarding Office 365 mail to the same destination
MS-A034   Excessive outbound firewall allows
MS-A070   A new service was installed and started on a critical Windows server
MS-A126   Windows system time has been changed on a critical server
MS-A045   High number of connections on specific open ports
MS-A046   High-value servers communicating with known malicious IPs/domains (Threat Intelligence)
MS-A048   Inbound management traffic allowed through perimeter firewall (Internet or any other untrusted zones)
MS-A062   Multiple failed login attempts within a predefined period of time
MS-A065   Multiple internal assets connecting to the same malicious destinations within a predefined timeframe (Threat Intelligence)
MS-A089   Windows privileged account(s) password changed on critical servers
MS-A101   Suspicious high-privilege account login failure on Windows systems
MS-A036   External DNS server used by an internal host
MS-A038   File sharing traffic detected through perimeter firewall
MS-A005   Admin authentication failure detected on firewall
MS-A039   Network scan detected
MS-A032   Excessive inbound firewall denies
MS-A026   DNS full name anomalous lookup increase (Outlier)
MS-A072   Non-owner Office 365 mailbox login activity
MS-A112   Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence)
MS-A040   Firewall configuration change detected
MS-A094   SharePoint downloads from previously unseen IP address
MS-A044   High bandwidth usage with streaming data
MS-A109   Tracking privileged account rare activity
MS-A008   Azure storage key enumeration
MS-A122   Windows admin group modification
MS-A015   Creation and modification of privileged account attributes
MS-A123   Changes in a Windows audit policy on a critical server
MS-A024   DNS domain anomalous lookup increase
MS-A124   Multiple login failures for multiple accounts within a predefined time interval on Windows servers
MS-A105   Sustained connection(s) from an internal host for more than x hours through firewall
MS-A060   Remote management access to internal Windows servers via VPN
MS-A027   DNS high NXDOMAIN count (Outlier)
MS-A006   Azure AD sign-in bursts from multiple locations
MS-A069   New admin account activity in Office 365, not seen before
MS-A081   PowerShell or non-browser mailbox login activity in Office 365
MS-A025   DNS domains linked to WannaCry ransomware campaign (Threat Intelligence)
MS-A093   SharePoint downloads from devices associated with previously unseen user agents
MS-A007   Azure AD sign-ins from new locations
MS-A014   Common deployed resources in Azure
MS-A016   Creation of an anomalous number of resources in Azure
MS-A037   Failed login attempts to Azure Portal
MS-A041   Granting elevated permissions to an Azure account
MS-A056   Login attempts using legacy authentication (Azure)
MS-A023   DNS commonly abused TLDs - top-level domains
MS-A028   DNS high reverse DNS count (Outlier)
MS-A057   Long DNS query