Microsoft Azure Alerts

User Changed password Detected by Azure Active Directory.


Category: Office 365

This alert detects when a user has reset their password in Azure AD within 24 hours.

Critical

Alert Rule


title: User Changed password Detected by Azure Active Directory.
author: Admin
description: Detects when a user has reset their password in Azure AD within 24 hours.
detection:
  condition: selection
  selection:
    event.action|contains: Change user password.
level: Critical
logsource:
  category: Azure
  product: o365
  service: Authentication
  logtype: cloud_azure

Alert Data


event.action : Change user password.
event.category : web
event.dataset : o365.audit
event.description : AzureActiveDirectory
event.module : o365
event.outcome : success
event.provider : AzureActiveDirectory
host.name : BHC123586
log.type : cloud-azure-o365
observer.product : o365
observer.type : cloud-azure
observer.vendor : microsoft
user.id : ServicePrincipal_e112690d
user.target.id : test@bhc.com


Removed Delegated Permission Grant in Office-365.


Category: Office-365

This alert detects when a delegated permission grant is removed from an account in Office 365.

High

Alert Rule


title: Removed Delegated Permission Grant in Office-365
author: Admin
description: Detects when a delegated permission grant is removed from an account in Office365.
detection:
  condition: selection1 and selection2
  selection1:
    event.action:
      - Remove delegated permission grant.
  selection2:
    event.outcome:
      - success
level: High
logsource:
  category: Authentication
  product: cloud_azure
  logtype: cloud_azure

Alert Data


event.action : Remove delegated permission grant.
event.category : web
event.dataset : o365.audit
event.description : AzureActiveDirectory
event.module : o365
event.outcome : success
event.provider : AzureActiveDirectory
log.type : cloud-azure-o365
observer.product : o365
observer.type : cloud-azure
observer.vendor : microsoft
user.email : test@bhc.com
user.id : test@bhc.com
user.name : Test
user.target.id : https://dod-graph.microsoft.us/;https://graph.microsoft.us/;https://canary.graph.microsoft.com/


A User office 365 Login Failed.


Category: Office-365

This alert indicates that a failed login attempt from Office 365 was detected.

Medium

Alert Rule


title: A User office 365 Login Failed
author: Admin
description: Failed login attempt from office 365 detected.
detection:
  condition: selection
  selection:
    event.action: UserLoginFailed
level: Medium
logsource:
  category: AzureActiveDirectory
  product: o365
  service: Authentication
  logtype: cloud_azure

Alert Data


event.action : UserLoginFailed
event.category : web
event.description : AzureActiveDirectoryStsLogon
event.module : o365
event.outcome : success
event.provider : AzureActiveDirectory
host.name : BHC0125869
log.type : cloud-azure-o365
network.type : ipv4
o365.audit.logonerror : UserStrongAuthClientAuthNRequiredInterrupt
observer.product : o365
observer.type : cloud-azure
observer.vendor : microsoft
source.as.organization.name : Vajra Telecom Pvt Ltd
source.geo.country_name : India
source.ip : 103.101.24.242
source.locality : public
threatintel.lookup : neutral
user.email : test@bhc.com
user.id : test@bhc.com
user.name : test
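To show how the three rule definitions above evaluate against the alert data shown with them, here is a small added evaluator (example code, not part of the original page or the SIEM product). It assumes Sigma-like semantics: a plain `field:` is an exact match, `field|contains:` is a substring match, a list means any-of, and `condition` is one selection name or names joined by `and`; the events are constructed from the page's Alert Data, reduced to the fields the rules examine.

```python
# Added example: evaluator for the three Azure/O365 rules on this page (assumed Sigma-like semantics).

RULES = {
    "password_change": {
        "condition": "selection",
        "selection": {"event.action|contains": "Change user password."},
    },
    "delegated_grant_removed": {
        "condition": "selection1 and selection2",
        "selection1": {"event.action": ["Remove delegated permission grant."]},
        "selection2": {"event.outcome": ["success"]},
    },
    "login_failed": {
        "condition": "selection",
        "selection": {"event.action": "UserLoginFailed"},
    },
}

def field_matches(event, key, expected):
    """Match one 'field' or 'field|contains' key; a list of values means any-of."""
    field, _, modifier = key.partition("|")
    actual = event.get(field)
    if actual is None:
        return False  # missing field never matches
    values = expected if isinstance(expected, list) else [expected]
    if modifier == "contains":
        return any(v in actual for v in values)
    return any(actual == v for v in values)

def selection_matches(event, selection):
    return all(field_matches(event, k, v) for k, v in selection.items())

def rule_matches(event, rule):
    names = [n.strip() for n in rule["condition"].split(" and ")]
    return all(selection_matches(event, rule[n]) for n in names)

def matching_rules(event):
    """Names of the rules that fire for this event, sorted for stable output."""
    return sorted(name for name, rule in RULES.items() if rule_matches(event, rule))

# Constructed events, using values from the page's Alert Data sections.
EVENTS = [
    {"event.action": "Change user password.", "event.outcome": "success", "user.id": "ServicePrincipal_e112690d"},
    {"event.action": "Remove delegated permission grant.", "event.outcome": "success", "user.id": "test@bhc.com"},
    {"event.action": "UserLoginFailed", "event.outcome": "success", "o365.audit.logonerror": "UserStrongAuthClientAuthNRequiredInterrupt"},
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e["event.action"], "->", matching_rules(e))
```

Note that the second rule only fires when `event.outcome` is `success`, so a failed removal attempt is not alerted on by this rule.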
