Synopsis
Activation Period |
14 Days |
Training Period |
30 Days |
Test Period |
10 Minutes |
Deduplication Period |
5 Days |
Required Data |
|
Detection Modules |
Cloud |
Detector Tags |
|
ATT&CK Tactic |
|
ATT&CK Technique |
|
Severity |
Informational |
Description
An Identity performed multiple Microsoft Graph actions that were denied, which may indicate it is being misused.
Attacker's Goals
Execute various of commands to explore the cloud environment.
Investigative actions
Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.
Variations
An Azure application attempted multiple actions on resources that were deniedAn Azure identity attempted multiple actions on resources that were denied
An Azure application performed multiple actions that were denied