Solution: SecurityThreatEssentialSolution
| Attribute | Value |
|---|---|
| Publisher | Microsoft Corporation |
| Support Tier | Microsoft |
| Support Link | https://support.microsoft.com |
| Categories | domains |
| Version | 3.0.3 |
| Author | Microsoft Corporation - support@microsoft.com |
| First Published | 2022-03-30 |
| Solution Folder | SecurityThreatEssentialSolution |
| Marketplace | Azure Marketplace · Popularity: 🔵 Medium (64%) |
| Pre-requisites | Microsoft Entra ID, Microsoft 365, Azure Activity, CiscoASA, PaloAlto-PAN-OS, zscaler1579058425289.zscaler_internet_access_mss |
This solution published by Microsoft is based on the continuous evaluation of threat campaigns and provides out-of-the-box security content that helps you to enhance your security posture. This solution leverages the following tables:
• AuditLogs
• AzureActivity
• CommonSecurityLog
• OfficeActivity
• SigninLogs
• VMConnection
This solution depends on 5 other solution(s):
| Solution |
|---|
| Azure Activity |
| CiscoASA |
| Microsoft 365 |
| Microsoft Entra ID |
| PaloAlto-PAN-OS |
This solution does not include its own data connectors but uses connectors from the dependency solutions listed above.
This solution queries 6 table(s) from its content items:
| Table | Used By Content |
|---|---|
| AuditLogs | Analytics |
| AzureActivity | Analytics |
| CommonSecurityLog | Analytics |
| OfficeActivity | Analytics |
| SigninLogs | Analytics, Hunting |
| VMConnection | Analytics |
The following 1 table(s) are used internally by this solution's content items:
| Table | Used By Content |
|---|---|
| Anomalies | Analytics |
This solution includes 9 content item(s):
| Content Type | Count |
|---|---|
| Analytic Rules | 7 |
| Hunting Queries | 2 |
Analytic Rules (7):
| Name | Severity | Tactics | Tables Used |
|---|---|---|---|
| Possible AiTM Phishing Attempt Against Microsoft Entra ID | Medium | InitialAccess, DefenseEvasion, CredentialAccess | SigninLogs |
| Threat Essentials - Mail redirect via ExO transport rule | Medium | Collection, Exfiltration | OfficeActivity |
| Threat Essentials - Mass Cloud resource deletions Time Series Anomaly | Medium | Impact | AzureActivity |
| Threat Essentials - Multiple admin membership removals from newly created admin. | Medium | Impact | AuditLogs |
| Threat Essentials - NRT User added to Microsoft Entra ID Privileged Groups | Medium | Persistence, PrivilegeEscalation | AuditLogs |
| Threat Essentials - Time series anomaly for data size transferred to public internet | Medium | Exfiltration | CommonSecurityLog, VMConnection (internal use: Anomalies) |
| Threat Essentials - User Assigned Privileged Role | High | Persistence | AuditLogs |
Hunting Queries (2):
| Name | Tactics | Tables Used |
|---|---|---|
| Threat Essentials - Signins From VPS Providers | InitialAccess | SigninLogs |
| Threat Essentials - Signins from Nord VPN Providers | InitialAccess | SigninLogs |
| Version | Date Modified (DD-MM-YYYY) | Change History |
|---|---|---|
| 3.0.3 | 05-06-2024 | Added missing AMA Data Connector reference in Analytic Rule |
| 3.0.2 | 18-03-2024 | Tagged for dependent solutions for deployment |
| 3.0.1 | 10-11-2023 | Modified text as there is rebranding from Azure Active Directory to Microsoft Entra ID. |
| 3.0.0 | 06-07-2023 | Updating Analytic rule query for KQL failure |