Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊
This query will alert on any sign-ins from devices infected with malware in correlation with workspace deletion activity. Attackers may attempt to delete workspaces containing compute instances after successful compromise to cause service unavailability to regular business operation.
| Attribute | Value |
|---|---|
| Type | Analytic Rule |
| Solution | Standalone Content |
| ID | a5b3429d-f1da-42b9-883c-327ecb7b91ff |
| Severity | Medium |
| Kind | Scheduled |
| Tactics | InitialAccess, Impact |
| Techniques | T1078, T1489 |
| Required Connectors | AzureActiveDirectoryIdentityProtection, AzureActivity, BehaviorAnalytics |
| Source | View on GitHub |
This content item queries data from the following tables:
| Table | Transformations | Ingestion API | Lake-Only |
|---|---|---|---|
AzureActivity |
? | ✗ | ? |
IdentityInfo |
✓ | ✗ | ? |
SecurityAlert |
✓ | ✗ | ? |
The following connectors provide data for this content item:
Solutions: Azure Activity, IoTOTThreatMonitoringwithDefenderforIoT, Microsoft Defender for Cloud, Microsoft Defender for Cloud Apps, Microsoft Defender for Identity, Microsoft Defender for Office 365, Microsoft Entra ID Protection, MicrosoftDefenderForEndpoint, MicrosoftPurviewInsiderRiskManagement
Browse: 🏠 · Solutions · Connectors · Methods · Tables · Content · Parsers · ASIM Parsers · ASIM Products · 📊