1. Microsoft Defender for Endpoint
2. AAD IP
3. Azure Defender
4. MCAS
5. Malicious administrative activity
5.1. Suspicious cloud app administrative activity following suspicious Azure AD sign-in
6. Malicious execution with legitimate process
6.1. PowerShell made a suspicious network connection, followed by anomalous traffic flagged by Palo Alto Networks firewall
6.2. Suspicious remote WMI execution followed by anomalous traffic flagged by Palo Alto Networks firewall
6.3. Suspicious PowerShell command line following suspicious sign-in
6.3.1. Impossible travel to atypical locations leading to suspicious PowerShell command line
6.3.2. Sign-in event from an unfamiliar location leading to suspicious PowerShell command line
6.3.3. Sign-in event from an infected device leading to suspicious PowerShell command line
6.3.4. Sign-in event from an anonymous IP address leading to suspicious PowerShell command line
6.3.5. Sign-in event from user with leaked credentials leading to suspicious PowerShell command line
7. Compute resource abuse
7.1. Multiple VM creation activities following suspicious Azure Active Directory sign-in
7.1.1. Sign-in event from an unfamiliar location leading to multiple VM creation activities
7.1.2. Impossible travel to an atypical location leading to multiple VM creation activities
7.1.3. Sign-in event from an infected device leading to multiple VM creation activities
7.1.4. Sign-in event from an anonymous IP address leading to multiple VM creation activities
7.1.5. Sign-in event from user with leaked credentials leading to multiple VM creation activities
8. Credential harvesting
8.1. Malicious credential theft tool execution following suspicious sign-in
8.1.1. Sign-in event from an unfamiliar location leading to malicious credential theft tool execution
8.1.2. Impossible travel to atypical locations leading to malicious credential theft tool execution
8.1.3. Sign-in event from an infected device leading to malicious credential theft tool execution
8.1.4. Sign-in event from an anonymous IP address leading to malicious credential theft tool execution
8.1.5. Sign-in event from user with leaked credentials leading to malicious credential theft tool execution
8.2. Suspected credential theft activity following suspicious sign-in
8.2.1. Impossible travel to atypical locations leading to suspected credential theft activity
8.2.2. Sign-in event from an unfamiliar location leading to suspected credential theft activity
8.2.3. Sign-in event from an infected device leading to suspected credential theft activity
8.2.4. Sign-in event from an anonymous IP address leading to suspected credential theft activity
8.2.5. Sign-in event from user with leaked credentials leading to suspected credential theft activity
9. Malware C2 or download
9.1. Network request to TOR anonymization service followed by anomalous traffic flagged by Palo Alto Networks firewall
9.2. Outbound connection to IP with a history of unauthorized access attempts followed by anomalous traffic flagged by Palo Alto Networks firewall
10. Crypto-mining
10.1. Crypto-mining activity following suspicious sign-in
10.1.1. Impossible travel to atypical locations leading to crypto-mining activity
10.1.2. Sign-in event from an unfamiliar location leading to crypto-mining activity
10.1.3. Sign-in event from an infected device leading to crypto-mining activity
10.1.4. Sign-in event from an anonymous IP address leading to crypto-mining activity
10.1.5. Sign-in event from user with leaked credentials leading to crypto-mining activity
11. Ransomware
11.1. Ransomware execution following suspicious Azure AD sign-in
11.1.1. Impossible travel to an atypical location leading to ransomware in cloud app
11.1.2. Sign-in event from an unfamiliar location leading to ransomware in cloud app
11.1.3. Sign-in event from an infected device leading to ransomware in cloud app
11.1.4. Sign-in event from an anonymous IP address leading to ransomware in cloud app
11.1.5. Sign-in event from user with leaked credentials leading to ransomware in cloud app
12. Remote exploitation
12.1. Suspected use of attack framework followed by anomalous traffic flagged by Palo Alto Networks firewall
13. Data exfiltration
13.1. Office 365 mailbox exfiltration following a suspicious Azure AD sign-in
13.1.1. Impossible travel to an atypical location leading to Office 365 mailbox exfiltration
13.1.2. Sign-in event from an unfamiliar location leading to Office 365 mailbox exfiltration
13.1.3. Sign-in event from an infected device leading to Office 365 mailbox exfiltration
13.1.4. Sign-in event from an anonymous IP address leading to Office 365 mailbox exfiltration
13.1.5. Sign-in event from user with leaked credentials leading to Office 365 mailbox exfiltration
13.2. Mass file download following suspicious Azure AD sign-in
13.2.1. Impossible travel to an atypical location leading to mass file download
13.2.2. Sign-in event from an unfamiliar location leading to mass file download
13.2.3. Sign-in event from an infected device leading to mass file download
13.2.4. Sign-in event from an anonymous IP leading to mass file download
13.2.5. Sign-in event from user with leaked credentials leading to mass file download
13.3. Mass file sharing following suspicious Azure AD sign-in
13.3.1. Impossible travel to an atypical location leading to mass file sharing
13.3.2. Sign-in event from an unfamiliar location leading to mass file sharing
13.3.3. Sign-in event from an infected device leading to mass file sharing
13.3.4. Sign-in event from an anonymous IP address leading to mass file sharing
13.3.5. Sign-in event from user with leaked credentials leading to mass file sharing
13.4. Suspicious inbox manipulation rules set following suspicious Azure AD sign-in
13.4.1. Impossible travel to an atypical location leading to suspicious inbox manipulation rule
13.4.2. Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule
13.4.3. Sign-in event from an infected device leading to suspicious inbox manipulation rule
13.4.4. Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule
13.4.5. Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule
13.5. Multiple Power BI report sharing activities following suspicious Azure AD sign-in
13.5.1. Impossible travel to an atypical location leading to multiple Power BI report sharing activities
13.5.2. Sign-in event from an unfamiliar location leading to multiple Power BI report sharing activities
13.5.3. Sign-in event from an infected device leading to multiple Power BI report sharing activities
13.5.4. Sign-in event from an anonymous IP address leading to multiple Power BI report sharing activities
13.5.5. Sign-in event from user with leaked credentials leading to multiple Power BI report sharing activities
13.6. Suspicious Power BI report sharing following suspicious Azure AD sign-in
13.6.1. Impossible travel to an atypical location leading to suspicious Power BI report sharing
13.6.2. Sign-in event from an unfamiliar location leading to suspicious Power BI report sharing
13.6.3. Sign-in event from an infected device leading to suspicious Power BI report sharing
13.6.4. Sign-in event from an anonymous IP address leading to suspicious Power BI report sharing
13.6.5. Sign-in event from user with leaked credentials leading to suspicious Power BI report sharing
14. Multiple VM creation activities following suspicious Azure Active Directory sign-in
14.1. Sign-in event from an unfamiliar location leading to multiple VM creation activities
14.2. Impossible travel to an atypical location leading to multiple VM creation activities
14.3. Sign-in event from an infected device leading to multiple VM creation activities
14.4. Sign-in event from an anonymous IP address leading to multiple VM creation activities
14.5. Sign-in event from user with leaked credentials leading to multiple VM creation activities
15. Data destruction
15.1. Mass file deletion following suspicious Azure AD sign-in
15.1.1. Impossible travel to an atypical location leading to mass file deletion
15.1.2. Sign-in event from an unfamiliar location leading to mass file deletion
15.1.3. Sign-in event from an infected device leading to mass file deletion
15.1.4. Sign-in event from an anonymous IP address leading to mass file deletion
15.1.5. Sign-in event from user with leaked credentials leading to mass file deletion
15.2. Suspicious email deletion activity following suspicious Azure AD sign-in
15.2.1. Impossible travel to an atypical location leading to suspicious email deletion activity
15.2.2. Sign-in event from an unfamiliar location leading to suspicious email deletion activity
15.2.3. Sign-in event from an infected device leading to suspicious email deletion activity
15.2.4. Sign-in event from an anonymous IP address leading to suspicious email deletion activity
15.2.5. Sign-in event from user with leaked credentials leading to suspicious email deletion activity
16. Denial of service
16.1. Multiple VM delete activities following suspicious Azure AD sign-in
16.1.1. Impossible travel to an atypical location leading to multiple VM delete activities
16.1.2. Sign-in event from an unfamiliar location leading to multiple VM delete activities
16.1.3. Sign-in event from an infected device leading to multiple VM delete activities
16.1.4. Sign-in event from an anonymous IP address leading to multiple VM delete activities
16.1.5. Sign-in event from user with leaked credentials leading to multiple VM delete activities
17. Lateral movement
17.1. Office 365 impersonation following suspicious Azure AD sign-in
17.1.1. Impossible travel to an atypical location leading to Office 365 impersonation
17.1.2. Sign-in event from an unfamiliar location leading to Office 365 impersonation
17.1.3. Sign-in event from an infected device leading to Office 365 impersonation
17.1.4. Sign-in event from an anonymous IP address leading to Office 365 impersonation
17.1.5. Sign-in event from user with leaked credentials leading to Office 365 impersonation
17.2. Suspicious inbox manipulation rules set following suspicious Azure AD sign-in
17.2.1. Impossible travel to an atypical location leading to suspicious inbox manipulation rule
17.2.2. Sign-in event from an unfamiliar location leading to suspicious inbox manipulation rule
17.2.3. Sign-in event from an infected device leading to suspicious inbox manipulation rule
17.2.4. Sign-in event from an anonymous IP address leading to suspicious inbox manipulation rule
17.2.5. Sign-in event from user with leaked credentials leading to suspicious inbox manipulation rule