Suspicious Azure AD interactive sign-in using PowerShell

Cortex XDR Analytics Alert Reference by data source

Product
Cortex XDR
Last date published
2024-11-18
Category
Analytics Alert Reference
Order
data source

Synopsis

Activation Period

14 Days

Training Period

30 Days

Test Period

N/A (single event)

Deduplication Period

1 Day

Required Data

  • Requires:
    • AzureAD

Detection Modules

Identity Analytics

Detector Tags

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Informational

Description

A user interactively logged in to Azure AD via PowerShell.

Attacker's Goals

The attacker attempts to gain access to the organization's resources.

Investigative actions

  • Analyze the actions taken by the user during the session and verify that this is a legitimate session.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).

Variations

Unusual Azure AD interactive sign-in using PowerShell

Synopsis

ATT&CK Tactic

Initial Access (TA0001)

ATT&CK Technique

Valid Accounts (T1078)

Severity

Low

Description

A user interactively logged in to Azure AD via PowerShell from an unusual geolocation or ASN.

Attacker's Goals

The attacker attempts to gain access to the organization's resources.

Investigative actions

  • Analyze the actions taken by the user during the session and verify that this is a legitimate session.
  • Look for signs that the user account is compromised (e.g. abnormal logins, unusual activity).