M365D Alerts Correlation to non-Microsoft Network device network activity involved in successful sign-in Activity

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Content Index

This content is employed to correlate with Microsoft Defender XDR phishing-related alerts. It focuses on instances where a user successfully connects to a phishing URL from a non-Microsoft network device and subsequently makes successful sign-in attempts from the phishing IP address.

Attribute Value
Type Analytic Rule
Solution Standalone Content
ID 779731f7-8ba0-4198-8524-5701b7defddc
Severity Medium
Kind Scheduled
Tactics PrivilegeEscalation
Techniques T1078
Required Connectors OfficeATP, PaloAltoNetworks, Fortinet, CheckPoint, Zscaler
Source View on GitHub

Tables Used

This content item queries data from the following tables:

Table Selection Criteria Transformations Ingestion API Lake-Only
CommonSecurityLog DeviceProduct startswith "FireWall"
DeviceProduct startswith "FortiGate"
DeviceProduct startswith "NSSWeblog"
DeviceProduct startswith "PAN"
DeviceProduct startswith "URL"
DeviceProduct startswith "VPN"
DeviceVendor has_any "Check Point,Fortinet,Palo Alto Networks,Zscaler"		 ?
SecurityAlert ?
SigninLogs ?

Associated Connectors

The following connectors provide data for this content item:

Connector Solution
AzureActiveDirectory Microsoft Entra ID
AzureActiveDirectoryIdentityProtection Microsoft Entra ID Protection
AzureAdvancedThreatProtection Microsoft Defender for Identity
AzureSecurityCenter Microsoft Defender for Cloud
CefAma Common Event Format
CloudNSSAuditLogs_ccp Zscaler Internet Access
CloudNSSCASBActivityLogs_ccp Zscaler Internet Access
CloudNSSCASBCRMLogs_ccp Zscaler Internet Access
CloudNSSCASBCloudStorageLogs_ccp Zscaler Internet Access
CloudNSSCASBCollabLogs_ccp Zscaler Internet Access
CloudNSSCASBEmailLogs_ccp Zscaler Internet Access
CloudNSSCASBFileSharingLogs_ccp Zscaler Internet Access
CloudNSSCASBITSMLogs_ccp Zscaler Internet Access
CloudNSSCASBRepoLogs_ccp Zscaler Internet Access
CloudNSSDNSLogs_ccp Zscaler Internet Access
CloudNSSEmailDLPLogs_ccp Zscaler Internet Access
CloudNSSEndpointDLPLogs_ccp Zscaler Internet Access
CloudNSSFWLogs_ccp Zscaler Internet Access
CloudNSSTunnelLogs_ccp Zscaler Internet Access
CloudNSSWebLogs_ccp Zscaler Internet Access
IoT IoTOTThreatMonitoringwithDefenderforIoT
MicrosoftCloudAppSecurity Microsoft Defender for Cloud Apps
MicrosoftDefenderAdvancedThreatProtection MicrosoftDefenderForEndpoint
MicrosoftDefenderForCloudTenantBased Microsoft Defender for Cloud
OfficeATP Microsoft Defender for Office 365
OfficeIRM MicrosoftPurviewInsiderRiskManagement
VirtualMetricDirectorProxy VirtualMetric DataStream
VirtualMetricMSSentinelConnector VirtualMetric DataStream
VirtualMetricMSSentinelDataLakeConnector VirtualMetric DataStream

Solutions: Common Event Format, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID, Microsoft Entra ID Protection, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement, VirtualMetric DataStream, Zscaler Internet Access

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊

Back to Analytic Rules