Windows Defender
| LP_Microsoft Defender XDR - High Severity Alert | |
|---|---|
| Description | This alert is triggered when Microsoft Defender creates an alert with severity 'high'. High-severity alerts are often associated with Advanced Persistent Threats (APT) and indicate a high risk because of the damage the underlying activity can do to affected devices. |
| Log source | Microsoft Graph |
| Value | Examples include activities related to credential theft, ransomware activities, tampering with security sensors, or other malicious activities indicative of a human adversary. |
| Rationale | This alert highlights high-risk activities detected by Microsoft Defender, often indicative of APT behavior. Examples such as credential theft (T1003), ransomware activity (T1486), and security control tampering (T1562) align with known adversarial techniques. Early detection of such behavior is critical for preventing lateral movement, data exfiltration, or business disruption. This supports NIST 800-53 controls such as SI-4 (System Monitoring) and IR-5 (Incident Monitoring), ISO/IEC 27001 Annex A.12.4 (Logging and Monitoring), and CIS Control 8 (Audit Log Management). |
| Query | |
| Comments | |
| Type | Alert |
| MITRE ATT&CK | T1003 – OS Credential Dumping, T1486 – Data Encrypted for Impact, T1562 – Impair Defenses |
| LP_Microsoft Defender XDR - Host Generating Multiple Alerts | |
|---|---|
| Description | This alert is triggered when a single host generates multiple alerts within a short period of time. |
| Log source | Microsoft Graph |
| Value | A burst of alerts from one host is a strong triage signal: it lets analysts prioritise that host for investigation and containment while an intrusion is still in its post-exploitation phase, instead of handling each alert in isolation. |
| Rationale | A high volume of alerts from a single host in a short period may signal an active compromise involving techniques such as use of valid credentials (T1078), execution of malicious scripts or binaries (T1059), or remote service exploitation (T1021) for lateral movement. Such behavior is consistent with post-exploitation phases of a targeted attack. Monitoring this activity supports early detection and incident response efforts aligned with NIST 800-53 (SI-4, IR-4), ISO/IEC 27001 (A.12.4.1 – Event Logging), and CIS Controls 3 (Data Protection) and 8 (Audit Log Management). |
| Query | |
| Comments | Legitimate actions such as security tests or system updates can trigger false positives. |
| Type | Alert |
| MITRE ATT&CK | T1078 – Valid Accounts, T1059 – Command and Scripting Interpreter, T1021 – Remote Services |
| LP_Microsoft Defender XDR - Multiple Alerts Involving Same User | |
|---|---|
| Description | This alert is triggered when multiple alerts are generated regarding the same user within a short period of time in the Microsoft Defender XDR portal. This may indicate suspicious behavior, such as a compromised account, insider threat, or malware infection exploiting user credentials. |
| Log source | Microsoft Graph |
| Value | Security teams should investigate such clusters promptly to validate the cause and take appropriate action; they can be part of a coordinated attack involving privilege escalation, unauthorized access, or data exfiltration. |
| Rationale | A cluster of alerts involving the same user in a short period suggests possible account compromise, credential abuse, or insider threat activity. Adversaries may exploit valid credentials (T1078), execute malicious PowerShell (T1059.001), or alter authentication mechanisms (T1556) to maintain persistence and escalate privileges. Detecting this early supports containment and response efforts crucial to minimizing impact. It aligns with NIST 800-53 controls AC-7 (Unsuccessful Logon Attempts), IR-4 (Incident Handling), ISO/IEC 27001 A.12.4.1 (Event Logging), and CIS Controls 5 (Account Management) and 17 (Incident Response Management). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1078 – Valid Accounts, T1059.001 – PowerShell, T1556 – Modify Authentication Process |
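
The three Defender XDR rules above share one data source, the `alerts_v2` collection of the Microsoft Graph security API, and differ only in how the alerts are grouped. The following Python is an added example, not LogPoint's query language or Microsoft's code: the alert records are constructed samples in the shape of `GET /security/alerts_v2` items (fields `severity`, `createdDateTime`, `mitreTechniques`, and `evidence` entries of type `deviceEvidence` and `userEvidence`), and the thresholds (3 alerts per host within 15 minutes, 4 alerts per user within 60 minutes) are assumptions to be tuned to the environment's alert volume.

```python
"""Triage of Microsoft Graph security alerts (alerts_v2 shape) covering the
three Defender XDR rules above: high severity, per-host bursts, per-user bursts.
Records and thresholds are constructed assumptions, not LogPoint or Microsoft code."""
from collections import defaultdict
from datetime import datetime, timedelta

DEVICE_EVIDENCE = "#microsoft.graph.security.deviceEvidence"
USER_EVIDENCE = "#microsoft.graph.security.userEvidence"

# Assumed thresholds; tune to the environment's alert volume.
HOST_THRESHOLD, HOST_WINDOW = 3, timedelta(minutes=15)
USER_THRESHOLD, USER_WINDOW = 4, timedelta(hours=1)


def _alert(aid, severity, title, when, host, upn, techniques=()):
    """Constructed record in the shape of a GET /security/alerts_v2 item."""
    return {
        "id": aid,
        "severity": severity,            # Graph enum: informational/low/medium/high
        "title": title,
        "createdDateTime": when,         # ISO 8601, UTC
        "mitreTechniques": list(techniques),
        "evidence": [
            {"@odata.type": DEVICE_EVIDENCE, "deviceDnsName": host},
            {"@odata.type": USER_EVIDENCE, "userAccount": {"userPrincipalName": upn}},
        ],
    }


# Constructed sample alerts, deliberately out of time order.
SAMPLE_ALERTS = [
    _alert("a4", "medium", "Suspicious scheduled task", "2024-05-01T06:00:00Z",
           "ws-hr-02.corp.example", "a.smith@corp.example", ["T1053.005"]),
    _alert("a1", "high", "Suspicious access to LSASS memory", "2024-05-01T08:00:00Z",
           "ws-fin-07.corp.example", "j.doe@corp.example", ["T1003.001"]),
    _alert("a3", "low", "Defender exclusion added", "2024-05-01T08:09:30Z",
           "ws-fin-07.corp.example", "j.doe@corp.example", ["T1562.001"]),
    _alert("a2", "medium", "Suspicious PowerShell command line", "2024-05-01T08:04:00Z",
           "ws-fin-07.corp.example", "j.doe@corp.example", ["T1059.001"]),
    _alert("a6", "medium", "Anomalous remote logon", "2024-05-01T08:20:00Z",
           "srv-file-01.corp.example", "j.doe@corp.example", ["T1021.002"]),
    _alert("a5", "informational", "Unusual process ancestry", "2024-05-01T11:30:00Z",
           "ws-hr-02.corp.example", "a.smith@corp.example"),
]


def parse_time(value):
    """Graph emits 'Z' suffixes, which fromisoformat() rejects before Python 3.11."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def hosts_of(alert):
    """Device names referenced by an alert's deviceEvidence entries."""
    return {e["deviceDnsName"].lower() for e in alert.get("evidence", [])
            if e.get("@odata.type") == DEVICE_EVIDENCE and e.get("deviceDnsName")}


def users_of(alert):
    """UPNs (or DOMAIN\\account fallback) from an alert's userEvidence entries."""
    names = set()
    for e in alert.get("evidence", []):
        if e.get("@odata.type") != USER_EVIDENCE:
            continue
        acct = e.get("userAccount") or {}
        upn = acct.get("userPrincipalName") or f"{acct.get('domainName', '')}\\{acct.get('accountName', '')}"
        if upn.strip("\\"):
            names.add(upn.lower())
    return names


def high_severity_alerts(alerts):
    """Rule 1: any alert Defender itself rates 'high'."""
    return sorted((a for a in alerts if a.get("severity", "").lower() == "high"),
                  key=lambda a: a["createdDateTime"])


def burst_entities(alerts, key_fn, threshold, window):
    """Sliding window: entities with >= threshold alerts whose timestamps span <= window.
    Returns {entity: [alert ids in the first window that trips the threshold]}."""
    by_entity = defaultdict(list)
    for a in alerts:
        when = parse_time(a["createdDateTime"])
        for entity in key_fn(a):
            by_entity[entity].append((when, a["id"]))
    hits = {}
    for entity, events in by_entity.items():
        events.sort()                      # input order is not guaranteed
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[entity] = [aid for _, aid in events[start:end + 1]]
                break
    return hits


def host_bursts(alerts):
    """Rule 2: one host generating multiple alerts in a short period."""
    return burst_entities(alerts, hosts_of, HOST_THRESHOLD, HOST_WINDOW)


def user_bursts(alerts):
    """Rule 3: multiple alerts involving the same user, across any hosts."""
    return burst_entities(alerts, users_of, USER_THRESHOLD, USER_WINDOW)


if __name__ == "__main__":
    print("high severity:", [a["id"] for a in high_severity_alerts(SAMPLE_ALERTS)])
    print("host bursts:", host_bursts(SAMPLE_ALERTS))
    print("user bursts:", user_bursts(SAMPLE_ALERTS))
```

In the sample data the host rule fires only for ws-fin-07 (three alerts in under ten minutes), while the user rule fires for j.doe because her fourth alert lands on a different host (srv-file-01): correlating on the user rather than the device is what surfaces the lateral movement. Keying on `userPrincipalName` where present and falling back to `DOMAIN\account` avoids splitting one identity across two groups when an alert only carries the on-premises account name.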
| LP_Microsoft EntraID - User at Risk | |
|---|---|
| Description | Triggers when a user's risk state in Microsoft Entra ID Protection (formerly Azure AD Identity Protection), as reported through Microsoft Graph, is 'atRisk' or 'confirmedCompromised'. It indicates that the user's account may be compromised or is being used anomalously. The underlying risk detections include 'impossibleTravel', 'anomalousUserActivity', 'anonymizedIPAddress' and 'maliciousIPAddress'. |
| Log source | Microsoft Graph |
| Value | Microsoft Entra ID Protection identifies, analyses and manages identity-related risks within a Microsoft Entra tenant. Responding quickly to a risky user can prevent data breaches, unauthorized access and other security incidents. Legitimate activity or human error (for example, travel or a new VPN egress address) can trigger false positives. |
| Rationale | This alert identifies users flagged as 'atRisk' or 'confirmedCompromised' based on identity protection signals like impossible travel or use of anonymized IP addresses. These indicators are strongly associated with account takeover (T1078), unauthorized cloud access (T1530), or brute-force attempts (T1110). Timely response is essential to prevent escalation or exfiltration activities. This aligns with NIST 800-53 AC-2 (Account Management), SI-4 (System Monitoring), and IR-4 (Incident Handling), ISO/IEC 27001 A.12.4.1 (Event Logging), and CIS Controls 5 (Account Management), 6 (Access Control Management), and 17 (Incident Response Management). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1078 – Valid Accounts, T1530 – Data from Cloud Storage, T1110 – Brute Force |
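
The User at Risk rule reads two Graph resources: `identityProtection/riskyUsers` (which carries `riskState` and `riskLevel`) and `identityProtection/riskDetections` (which carries the `riskEventType`, `detectionTimingType` and source IP behind each risk). The Python below is an added example, not the rule's own query or Microsoft code: it builds the `$filter` that matches only the two alerting states, then joins constructed sample users and detections on `userId` and orders the result for triage. The sample values (UPNs, IPs, timestamps) are constructed; the field names follow the Graph riskyUser and riskDetection resources.

```python
"""Entra ID Protection triage from Microsoft Graph riskyUsers + riskDetections.
Constructed sample records; the Graph call itself is shown only as a URL."""
from collections import defaultdict
from urllib.parse import quote

GRAPH = "https://graph.microsoft.com/v1.0"
# OData filter matching the rule's two risk states. Other states (none, confirmedSafe,
# remediated, dismissed) have already been resolved by an admin or by remediation.
RISKY_USERS_FILTER = "riskState eq 'atRisk' or riskState eq 'confirmedCompromised'"
ALERTING_STATES = {"atRisk", "confirmedCompromised"}
LEVEL_RANK = {"high": 3, "medium": 2, "low": 1, "hidden": 0, "none": 0}


def risky_users_url(filter_expr=RISKY_USERS_FILTER):
    """Request URL for GET /identityProtection/riskyUsers with the rule's filter."""
    return f"{GRAPH}/identityProtection/riskyUsers?$filter={quote(filter_expr)}"


# Constructed samples in the shape of riskyUser and riskDetection resources.
SAMPLE_RISKY_USERS = [
    {"id": "u1", "userPrincipalName": "m.khan@corp.example",
     "riskState": "atRisk", "riskLevel": "high", "riskLastUpdatedDateTime": "2024-05-01T09:12:00Z"},
    {"id": "u2", "userPrincipalName": "p.lee@corp.example",
     "riskState": "confirmedCompromised", "riskLevel": "high", "riskLastUpdatedDateTime": "2024-05-01T07:40:00Z"},
    {"id": "u3", "userPrincipalName": "a.smith@corp.example",   # dismissed by an admin: must not alert
     "riskState": "dismissed", "riskLevel": "none", "riskLastUpdatedDateTime": "2024-04-30T15:00:00Z"},
    {"id": "u4", "userPrincipalName": "r.ortiz@corp.example",
     "riskState": "atRisk", "riskLevel": "medium", "riskLastUpdatedDateTime": "2024-05-01T02:00:00Z"},
]
SAMPLE_RISK_DETECTIONS = [
    {"id": "d1", "userId": "u1", "riskEventType": "impossibleTravel", "detectionTimingType": "realtime",
     "activity": "signin", "detectedDateTime": "2024-05-01T09:12:00Z", "ipAddress": "203.0.113.10",
     "location": {"city": "Lagos", "countryOrRegion": "NG"}},
    {"id": "d2", "userId": "u1", "riskEventType": "anonymizedIPAddress", "detectionTimingType": "realtime",
     "activity": "signin", "detectedDateTime": "2024-05-01T09:10:00Z", "ipAddress": "198.51.100.7",
     "location": {"city": "", "countryOrRegion": ""}},
    {"id": "d3", "userId": "u2", "riskEventType": "maliciousIPAddress", "detectionTimingType": "offline",
     "activity": "signin", "detectedDateTime": "2024-05-01T07:30:00Z", "ipAddress": "192.0.2.44",
     "location": {"city": "Unknown", "countryOrRegion": "RU"}},
    {"id": "d4", "userId": "u3", "riskEventType": "unfamiliarFeatures", "detectionTimingType": "realtime",
     "activity": "signin", "detectedDateTime": "2024-04-30T14:00:00Z", "ipAddress": "203.0.113.99",
     "location": {"city": "Oslo", "countryOrRegion": "NO"}},
    {"id": "d5", "userId": "u4", "riskEventType": "anomalousUserActivity", "detectionTimingType": "offline",
     "activity": "user", "detectedDateTime": "2024-05-01T01:45:00Z", "ipAddress": "",
     "location": {}},
]


def at_risk_users(users, detections):
    """Rows for users whose riskState is atRisk/confirmedCompromised, enriched with
    the detections that produced the risk and ordered by triage priority."""
    by_user = defaultdict(list)
    for d in detections:
        by_user[d["userId"]].append(d)
    rows = []
    for u in users:
        if u.get("riskState") not in ALERTING_STATES:
            continue
        dets = sorted(by_user.get(u["id"], []), key=lambda d: d["detectedDateTime"])
        rows.append({
            "userPrincipalName": u["userPrincipalName"],
            "riskState": u["riskState"],
            "riskLevel": u.get("riskLevel", "none"),
            "riskEventTypes": sorted({d["riskEventType"] for d in dets}),
            # realtime detections fired during the sign-in; offline ones can lag by hours
            "realtimeDetections": sum(d.get("detectionTimingType") == "realtime" for d in dets),
            "sourceIPs": sorted({d["ipAddress"] for d in dets if d.get("ipAddress")}),
            "lastDetected": dets[-1]["detectedDateTime"] if dets else None,
        })
    # confirmedCompromised outranks atRisk; within a state, higher riskLevel first.
    rows.sort(key=lambda r: (r["riskState"] != "confirmedCompromised",
                             -LEVEL_RANK.get(r["riskLevel"], 0), r["userPrincipalName"]))
    return rows


if __name__ == "__main__":
    print(risky_users_url())
    for row in at_risk_users(SAMPLE_RISKY_USERS, SAMPLE_RISK_DETECTIONS):
        print(row)
```

Filtering on `riskState` rather than `riskLevel` is what keeps the rule quiet for a.smith, whose detection an administrator has already dismissed; a rule that alerted on every detection regardless of state would re-raise every resolved case on each poll. Attaching the detections to the row gives the analyst the event type and source IP up front, which is usually enough to tell an impossible-travel false positive (the user really did fly) from a sign-in through a malicious or anonymizing address.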
| LP_Potentially Unwanted Software Detected | |
|---|---|
| Description | This alert is triggered when potentially unwanted software (PUS) is detected on a system. PUS covers programs that are not outright malware but are harmful or pose a risk to the system, such as adware or bundlers shipped as an extra package alongside legitimate software. Threat actors can abuse these programs to perform malicious activities. |
| Log source | Microsoft Graph |
| Value | Receive alerts when a device in your organization is found running bundled or otherwise unwanted software, before it can be used as a foothold. |
| Rationale | Potentially unwanted software (PUS) may serve as a vector for further compromise. Though not always malicious on its own, PUS can facilitate user execution of harmful payloads (T1204) or be exploited for persistence via system-level triggers (T1546). Early detection helps prevent adversaries from escalating privilege or establishing footholds. Monitoring for such software supports NIST 800-53 SI-3 (Malicious Code Protection) and CM-7 (Least Functionality), ISO/IEC 27001 A.12.2.1 (Controls against malware), and aligns with CIS Controls 2 (Inventory of Software) and 8 (Audit Log Management). |
| Query | |
| Comments | - |
| Type | Alert |
| MITRE ATT&CK | T1204 – User Execution, T1546 – Event Triggered Execution |
| ENTRA ID IDENTITY PROTECTION | |
|---|---|
| Description | This dashboard provides insight into Microsoft Entra ID Protection risk events. |
| Log source | Microsoft Graph |
| Value | Provides insight into the risk levels reported by Microsoft Entra ID Protection for users and sign-ins. |
| Widgets / Use cases | 1. Detected Risks 2. Risk Level over Time 3. Risk Overview 4. Risk by Level 5. Risk by State 6. Risk by Activity 7. Risk by Detection Timing Type 8. Risk by Event Type 9. Risk by Geolocation 10. Top 10 Risky Users 11. Risky Users Overview 12. User Sign-in Risk Detail |
| Comments | - |
| Type | Dashboard |