Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
'Threat actors may attempt to phish users in order to hijack a users sign-in session, and skip the authentication process even if the user had enabled multifactor authentication (MFA) by stealing and replaying stolen credentials and session cookies. This detection looks for successful Microsoft Entra ID sign ins that had a high risk profile, indicating it had suspicious characteristics such as an unusual location, ISP, user agent, or use of anonymizer services. It then looks for a network connec
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | SecurityThreatEssentialSolution |
| ID | 16daa67c-b137-48dc-8eb7-76598a44791a |
| Severity | Medium |
| Status | Available |
| Kind | Scheduled |
| Tactics | InitialAccess, DefenseEvasion, CredentialAccess |
| Techniques | T1078.004, T1557, T1111 |
| Required Connectors | AzureActiveDirectory, Zscaler |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
SigninLogs |
✓ | ✗ | ? |
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
↑ Back to Analytic Rules · Back to SecurityThreatEssentialSolution