Managed Sentinel Use Case Catalog

Azure Sentinel

Managed Sentinel intends to build and share with the community an extensive list of use cases, each documented with threat indicators, severity level, MITRE ATT&CK tactics, the log sources that provide the data, and the situations in which the alert may be a false positive. Each use case also includes the recommended actions for investigating or remediating the security event.

Alert ID  Description
--------  -----------
MS-A001   Access by the same user to a system from multiple sources
MS-A002   Anomalous Azure AD apps based on authentication location
MS-A003   Anomalous sign-in location by user account and authenticating application
MS-A004   Monitor and alert on activity for a specific SharePoint file or folder
MS-A005   Admin authentication failure detected on firewall - Palo Alto
MS-A006   Azure application(s) added
MS-A007   Azure AD sign-ins from new locations
MS-A008   SharePoint site permission modifications
MS-A009   AD account with password set to never expire
MS-A010   FTP/SFTP from internal hosts to foreign countries
MS-A011   Office 365 Anonymous SharePoint Link used
MS-A012   Changes made to an AWS IAM policy
MS-A013   CnC - Command and Control Interaction (Threat Intelligence)
MS-A014   Commonly deployed resources in Azure
MS-A015   Creation and modification of privileged account attributes
MS-A016   Creation of an anomalous number of resources in Azure
MS-A017   MCAS Leaked Credentials Detected
MS-A018   MCAS Malware Detected
MS-A019   Network switch failed authentication
MS-A020   Network switch login failure
MS-A022   MFA disabled for a user - Azure AD
MS-A023   DNS queries to commonly abused TLDs (Top Level Domains)
MS-A024   DNS Domain anomalous lookup increase
MS-A025   DNS Domains linked to WannaCry ransomware campaign (Threat Intelligence)
MS-A026   DNS Full Name anomalous lookup increase (Outlier)
MS-A027   DNS high NXDomain count (Outlier)
MS-A028   DNS high reverse DNS count (Outlier)
MS-A029   Brute force attack against Azure Portal
MS-A030   Excessive outbound DNS queries
MS-A031   Excessive inbound firewall allows
MS-A032   Excessive inbound firewall denies
MS-A033   Excessive number of Windows account lockouts
MS-A034   Excessive outbound firewall allows
MS-A035   Excessive outbound firewall denies
MS-A036   Internal hosts using unsanctioned DNS servers
MS-A037   Failed login attempts to Azure Portal
MS-A038   Missing Windows security and critical updates
MS-A039   Network scan detected
MS-A040   Firewall configuration change detected
MS-A041   Granting elevated permissions to an Azure account
MS-A042   Excessive outbound traffic (data transferred out of the internal network)
MS-A044   High bandwidth usage with streaming data
MS-A045   High number of connections on specific open ports
MS-A046   Outbound traffic to known bad IPs (Managed Sentinel Threat Intelligence)
MS-A047   Outbound traffic to known bad IPs (Managed Sentinel Threat Intel) - Cisco ASA
MS-A048   Inbound management traffic allowed through perimeter firewall (Internet or any other untrusted zone)
MS-A051   Abnormal activity for a high-profile user in O365
MS-A054   High severity IPS signatures from sources originating from the internal network
MS-A055   Internal hosts matching 3 or more distinct IPS signatures within an hour
MS-A056   Login attempts using Legacy Authentication (Azure)
MS-A057   Long DNS query
MS-A060   Remote management access to internal Windows servers via VPN
MS-A129   Users added to privileged domain groups
MS-A119   Windows Audit Log cleared
MS-A082   Previously disabled accounts becoming active
MS-A074   Peer-to-peer (P2P) traffic detected in perimeter firewall
MS-A091   Recently created group added to a privileged built-in group
MS-A111   Outbound traffic to known bad IPs (Microsoft Security Graph)
MS-A067   Multiple users forwarding Office 365 mail to the same destination
MS-A070   New service installed and started on a critical Windows server
MS-A126   Windows system time changed on a critical server
MS-A062   Multiple failed login attempts within 10 minutes
MS-A065   Multiple internal assets connecting to the same malicious destinations within a predefined timeframe (Threat Intelligence)
MS-A089   Windows privileged account(s) password changed on critical servers
MS-A101   Suspicious high-privilege account login failure on Windows systems
MS-A072   Non-owner Office 365 mailbox login activity
MS-A112   Blocked outbound traffic to blacklisted IPs or domains (Threat Intelligence)
MS-A138   SharePoint downloads from a previously unseen IP address
MS-A109   Tracking privileged account rare activity
MS-A122   Windows Admin group modification
MS-A123   Exchange Audit Log disabled
MS-A124   Multiple login failures for multiple accounts within a predefined time interval on Windows servers
MS-A105   Sustained connection(s) from an internal host for more than x hours through firewall
MS-A069   New Office 365 admin activity detected
MS-A081   PowerShell or non-browser mailbox login activity in Office 365
MS-A093   SharePoint downloads from devices with previously unseen user agents
MS-A500   APT BabyShark Lookup
MS-A501   APT29 Thinktanks Lookup
MS-A502   APT Bear Activity GTR19 Lookup
MS-A503   APT Tropic Trooper Lookup
MS-A504   APT DragonFly Lookup
MS-A505   APT CloudHopper Lookup
MS-A506   APT Elise Lookup
MS-A507   APT EquationGroup DLL_U Load Lookup
MS-A508   APT Hurricane Panda Lookup
MS-A509   APT Judgement Panda Lookup
MS-A510   APT Sofacy Zebrocy Lookup
MS-A215   IIS pages generating errors (Status 500s)
MS-A511   APT TA17-293 Lookup
MS-A512   APT ZxShell Lookup
MS-A513   APT 5 Manganese Lookup
MS-A121   Account added to and deleted from a privileged group within a short timeframe
MS-A125   Windows security audit log is full
MS-A150   Internal systems using a large number of protocols
MS-A200   Silent log source monitoring - Heartbeat
MS-A142   User account created and deleted within x minutes
MS-A061   Process execution frequency anomaly
MS-A143   Potential Kerberoasting
MS-A144   Malware detected in the local recycle bin
MS-A110   Malware detected in an Office 365 repository
MS-A152   Azure Security Center Threat Alert
MS-A133   Rare and potentially high-risk Office 365 operations
MS-A134   Office 365 policy tampering
MS-A153   Azure Security Center Recommendations Alert
MS-A147   Local Windows user account creation
MS-A083   Multiple successful VPN logins for different users from the same IP address
MS-A127   Successful VPN connections from different source IP addresses within a specific time interval
MS-A139   Mail forwarding enabled to an external email address
MS-A148   Successful overpass-the-hash attempt
MS-A149   Firewall external average attack detection rate increase
MS-A117   Web shell script detection on a website
MS-A131   Notification on emails sent outside of the organization containing specific keywords in the Subject line
MS-A086   Six or more failed logon attempts during a 10-minute period
MS-A203   Office 365 connections from malicious IP addresses
MS-A077   Office 365 Anonymous SharePoint Link created
MS-A044   Missing Linux critical and security updates
MS-A013   Changes made to AWS CloudTrail logs
MS-A075   Office 365 inactive user accounts
MS-A095   A malicious IP address accessing an Office 365 resource
MS-A204   Azure Security Center - Antimalware Activity
MS-A205   Accounts generating excessive Azure SignIn log failures
MS-A206   Microsoft Cloud App Security alert
MS-A073   Multiple password resets by a user across multiple data sources
MS-A120   Office 365 mailbox added or removed
MS-A085   Silent OfficeActivity workload
MS-A216   IIS pages generating Page Not Found errors (404)
MS-A087   Anomalous number of denial messages in CommonSecurityLog
MS-A202   Silent log source monitoring - Windows Security
MS-A201   Silent log source monitoring - CommonSecurityLog
MS-A066   Azure activity from malicious IPs
MS-A140   Previously blocked Azure AD accounts becoming active
MS-A107   Login to AWS Management Console without MFA
MS-A114   Connections to unsanctioned SMTP servers
MS-A207   Internal hosts using POP3 or IMAP email clients (iptables FW)
MS-A242   Internal hosts querying a large number of DNS servers
MS-A241   VPN connections from IP addresses matching Firegen Threat Intelligence feed
MS-A231   Connections to malicious IPs from internal hosts
MS-A209   Access to phishing and peer-to-peer URLs
MS-A079   Potential brute force attack against an IIS web server
MS-A225   Squid proxy events for Tor proxies
MS-A234   Network sniffing applications detected
MS-A208   Internal hosts using POP3 or IMAP email clients
MS-A154   COVID-19 IP address IOC detected - CommonSecurityLog
MS-A146   COVID-19 IP address IOC detected - SigninLogs
MS-A155   COVID-19 IP address IOC detected - BIND DNS
MS-A157   COVID-19 IP address IOC detected - iptables
MS-A137   Azure AD sign-in attempts from disabled accounts
MS-A151   Admin authentication failure detected on firewall - Cisco ASA
MS-A104   Anomalous allowed connections from internal hosts
MS-A159   Admin authentication failure detected on firewall - Fortinet
MS-A160   Potential rogue access points - Fortinet
MS-A161   Redirected DNS requests - Fortinet
MS-A162   SSL VPN login failures - Fortinet
MS-A230   Cisco Umbrella - Connections to malicious domains
MS-A236   Access to potentially malicious URLs
MS-A128   NAS login failures
MS-A158   MFA disabled for a user - AWS CloudTrail
MS-A226   Squid proxy events related to mining pools
MS-A235   Missing security and critical updates (non-OS)
MS-A212   Office 365 activities from IPs listed in the ThreatIntelligenceIndicator table
MS-A078   Azure entities triggering more than 1 distinct type of alert
MS-A222   MITRE Execution tactic processes detected
MS-A084   Microsoft Azure Identity Protection alert
MS-A156   Microsoft Azure Identity Protection - Suspicious activities with successful logins
MS-A068   Mass secret retrieval from Azure Key Vault observed by a single user
MS-A080   Silent Office Activity
MS-A096   Unknown LogstashOthers_CL entries
MS-A097   Anomalous increase in Azure Sentinel log ingestion costs
MS-A098   Microsoft ATA alert triggered
MS-A099   Authenticated Windows IIS connections matching Microsoft Threat Intelligence
MS-A115   IP addresses with open ports attacked from the Internet
MS-A118   Top 10 users by MCAS threat score
MS-A145   High count of connections by client IP on many ports
MS-A163   High severity IPS signatures from sources originating from the internal network
MS-A164   External Teams users from anomalous organizations
MS-A165   Connections blocked by Kemp from internal hosts
MS-A166   Anomalous number of events generated by Kemp Load Balancer
MS-A167   DNS queries for domain used by the Telegram chat app - Squid
MS-A168   Roles added/removed in Azure AD
MS-A169   Suspicious RDP connections
MS-A171   Potential C&C traffic detected in URL request
MS-A173   Google G Suite admin activities
MS-A175   Password spray attack - Linux
MS-A177   Excessive RDP authentication failures
MS-A179   Potentially malicious downloads detected in URL request - SonicWall
MS-A170   COVID-19 IP address IOC detected
MS-A172   Azure Security Center Alert
MS-A174   Failed Duo MFA authentications
MS-A176   Password spraying to SonicWall Admin CLI
MS-A178   Audit/Traffic log cleared - SonicWall
MS-A180   Internal hosts match 3 or more IPS signatures in 24 hours - SonicWall
MS-A182   Excessive SonicWall Admin password failures from CLI - SonicWall
MS-A183   Internal hosts using POP3 or IMAP email clients - SonicWall
MS-A184   Firewall/IPS/VPN configuration change detected - SonicWall
MS-A185   Outbound traffic to known bad IPs (Managed Sentinel Threat Intel) - SonicWall
MS-A186   Outbound traffic to known bad IPs (Microsoft Security Graph) - SonicWall
MS-A191   Successful logon from one IP and failure from a different IP
MS-A192   Distributed password cracking attempts in Azure AD
MS-A193   Attempt to bypass conditional access rule in Azure AD
MS-A194   Sign-ins from IPs that attempt sign-ins to disabled Azure accounts
MS-A195   Multiple password resets by user
MS-A196   Suspicious granting of permissions to an Azure AD account
MS-A197   Suspicious number of resource creation or deployment activities
MS-A198   Rare subscription-level operations in Azure
MS-A199   Suspicious Azure Resource deployment
MS-A210   Unusual number of log entries in CommonSecurityLog
MS-A211   Microsoft Defender ATP Alert
MS-A213   Multiple ATP low-priority alerts detected
MS-A221   Carbon Black Storage Hit Events
MS-A223   Carbon Black Query Hit Events
MS-A224   Carbon Black Ingress Hit Events
MS-A227   Internal hosts generating firewall denials
MS-A228   IP addresses with open ports attacked from the Internet
MS-A229   Consented Azure applications
MS-A232   Users created by unauthorized administrators
MS-A233   Azure SignInLogs activities from IPs listed in the ThreatIntelligenceIndicator table
MS-A237   RADIUS authentications from the same user from multiple IP addresses
MS-A238   Internal systems exposing a large number of protocols to the Internet
MS-A240   Azure Security Center - Endpoint Protection Threat Detected
MS-A243   RADIUS access reject on wireless client device
MS-A245   Azure Network Security Groups blocked flows
MS-A250   COVID-19 IP address IOC detected - SonicWall
MS-A251   Potential C&C traffic detected in URL request - SonicWall
MS-A252   Internal hosts generating firewall denials - SonicWall
MS-A253   IP addresses with open ports attacked from the Internet - SonicWall
MS-A254   Traffic to malicious URLs detected - SonicWall
MS-A255   Internal systems exposing a large number of protocols to the Internet - SonicWall
MS-A256   VPN connections from IP addresses matching Firegen Threat Intelligence feed - SonicWall
MS-A257   Traffic to commonly abused TLDs - SonicWall
MS-A259   Excessive SSL VPN login failures - SonicWall
MS-A261   Outbound traffic to known bad IPs (Microsoft Security Graph - Cisco ASA)
MS-A263   Successful VPN connections from the same user from multiple IP addresses - SonicWall
MS-A265   Traffic to Tor proxies - SonicWall
MS-A267   Potential beaconing detected - SonicWall
MS-A300   MITRE - Console History