An Azure identity performed multiple actions that were denied

Cortex XSIAM Analytics Alert Reference by Alert name

Product: Cortex XSIAM
Last date published: 2024-12-03
Category: Analytics Alert Reference
Order: Alert name

Synopsis

Activation Period: 14 Days
Training Period: 30 Days
Test Period: 10 Minutes
Deduplication Period: 5 Days
Required Data:
  • Requires:
    • Azure Audit Log
Detection Modules: Cloud
Detector Tags:
ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique:
Severity: Informational

Description

An identity performed multiple Microsoft Graph actions that were denied, which may indicate that the identity is being misused.

Attacker's Goals

Execute various commands to explore the cloud environment.

Investigative actions

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.

Variations

An Azure application attempted multiple actions on resources that were denied

Synopsis

ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique:
Severity: Medium

Description

An identity performed multiple Microsoft Graph actions that were denied, which may indicate that the identity is being misused.

Attacker's Goals

Execute various commands to explore the cloud environment.

Investigative actions

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.


An Azure identity attempted multiple actions on resources that were denied

Synopsis

ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique:
Severity: Low

Description

An identity performed multiple Microsoft Graph actions that were denied, which may indicate that the identity is being misused.

Attacker's Goals

Execute various commands to explore the cloud environment.

Investigative actions

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.


An Azure application performed multiple actions that were denied

Synopsis

ATT&CK Tactic: Discovery (TA0007)
ATT&CK Technique:
Severity: Low

Description

An identity performed multiple Microsoft Graph actions that were denied, which may indicate that the identity is being misused.

Attacker's Goals

Execute various commands to explore the cloud environment.

Investigative actions

Check the identity's role designation in the organization.
Check if there are additional calls executed by the identity.
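
Added example (not Cortex XSIAM's detection logic, which this page does not specify): a Python triage helper that groups denied Microsoft Graph calls per identity, flags a burst of denials spread across several distinct operations, and lists the identity's other calls for the second investigative action. The record layout, identity names, the 403-means-denied rule, the 10-minute window and both thresholds are assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (time, identity, identity type, operation, HTTP status).
# The field layout is a simplified assumption, not the Azure Audit Log schema.
SAMPLE_EVENTS = [
    ("2024-12-01T10:00:05", "app-1111", "application", "GET /users", 403),
    ("2024-12-01T10:00:40", "app-1111", "application", "GET /groups", 403),
    ("2024-12-01T10:01:10", "app-1111", "application", "GET /applications", 403),
    ("2024-12-01T10:01:55", "app-1111", "application", "GET /servicePrincipals", 403),
    ("2024-12-01T10:02:30", "app-1111", "application", "GET /directoryRoles", 403),
    ("2024-12-01T10:03:00", "app-1111", "application", "GET /users", 403),
    ("2024-12-01T10:03:20", "app-1111", "application", "GET /organization", 200),
    ("2024-12-01T09:00:00", "alice@example.com", "user", "GET /me", 200),
    ("2024-12-01T09:30:00", "alice@example.com", "user", "GET /groups", 403),
] + [  # one client retrying the same denied call: many denials, one operation
    (f"2024-12-01T12:0{i}:00", "bob@example.com", "user", "GET /users", 403)
    for i in range(6)
]

WINDOW = timedelta(minutes=10)  # assumed look-back window
MIN_DENIED = 5                  # assumed count of denied calls
MIN_OPERATIONS = 3              # assumed count of distinct denied operations

def find_denied_bursts(events, window=WINDOW, min_denied=MIN_DENIED, min_ops=MIN_OPERATIONS):
    """Map each flagged identity to its largest burst of denied calls."""
    by_identity = defaultdict(list)
    for ts, identity, kind, operation, status in events:
        by_identity[identity].append((datetime.fromisoformat(ts), kind, operation, status))
    findings = {}
    for identity, rows in by_identity.items():
        rows.sort()
        denied = [r for r in rows if r[3] == 403]  # assumption: 403 means "denied"
        start, best = 0, []
        for end in range(len(denied)):
            while denied[end][0] - denied[start][0] > window:
                start += 1  # slide the window forward
            burst = denied[start:end + 1]
            if len({r[2] for r in burst}) >= min_ops and len(burst) > len(best):
                best = burst
        if len(best) >= min_denied:
            findings[identity] = {
                "type": rows[0][1],
                "denied_calls": len(best),
                "denied_operations": sorted({r[2] for r in best}),
                # Investigative action from the page: other calls by the same identity.
                "other_calls": sorted({r[2] for r in rows if r[3] != 403}),
            }
    return findings
```

Calling `find_denied_bursts(SAMPLE_EVENTS)` flags only `app-1111`; the repeated single-operation denials from `bob@example.com` stay below the distinct-operation threshold, which keeps a misconfigured client's retry loop from looking like exploration.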