Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This detection uses Windows security events to detect suspicious access attempts to the registry key of Microsoft Entra ID Health monitoring agent. This detection requires an access control entry (ACE) on the system access control list (SACL) of the following securable object HKLM\SOFTWARE\Microsoft\Microsoft Online\Reporting\MonitoringAgent. You can find more information in here https://github.com/OTRF/Set-AuditRule/blob/master/rules/registry/aad_connect_health_monitoring_agent.yml
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | f819c592-c5f9-4d5c-a79f-1e6819863533 |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | Collection |
| Techniques | T1005 |
| Required Connectors | SecurityEvents, WindowsSecurityEvents, WindowsForwardedEvents |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Selection Criteria | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|---|
SecurityEvent |
✓ | ✓ | ? | |
WindowsEvent |
EventID in "4656,4663" |
✓ | ✓ | ? |
The following connectors provide data for this content item:
Solutions: Microsoft Exchange Security - Exchange On-Premises, Windows Forwarded Events, Windows Security Events
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊