Account created from non-approved sources

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Content Index

---

This query looks for an account being created from a domain that is not regularly seen in a tenant. Attackers may attempt to add accounts from these sources as a means of establishing persistant access to an environment. Created accounts should be investigated to confirm expected creation. Ref: https://docs.microsoft.com/azure/active-directory/fundamentals/security-operations-user-accounts#short-lived-accounts

Attribute	Value
Type	Analytic Rule
Solution	Standalone Content
ID	99d589fa-7337-40d7-91a0-c96d0c4fa437
Severity	Medium
Kind	Scheduled
Tactics	Persistence
Techniques	T1136.003
Required Connectors	AzureActiveDirectory
Source	View on GitHub

---

Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · Logic Apps · 📊

↑ Back to Analytic Rules