2_ds_microsoft_microsoft_cas.md
Use-Case | Activity Type (Legacy Event Type) / Parsers | MITRE ATT&CK® TTP | Content

Compromised Credentials

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

file-delete:success (file-delete)
microsoft-azure-cef-app-file-success-ldapquery

file-read:success (file-read)
microsoft-azure-cef-app-file-success-ldapquery

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

alert-trigger:success (security-alert)
microsoft-mcas-json-alert-trigger-success-mcasalerts
microsoft-mcas-json-alert-trigger-success-riskysignin
microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection
microsoft-mcas-cef-alert-trigger-success-siemagent
microsoft-mcas-json-alert-trigger-success-anomalydetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete
microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile
microsoft-mcas-json-alert-trigger-success-velocity
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
microsoft-mcas-json-alert-trigger-success-ransomware
microsoft-mcas-json-alert-trigger-success-failedloginattempt
microsoft-mcas-json-alert-trigger-success-emaildetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity
microsoft-mcas-json-alert-trigger-success-cabinetapppermission
microsoft-mcas-json-alert-trigger-success-alertanubisdetection
microsoft-mcas-json-alert-trigger-success-riskyipanonymous
microsoft-mcas-json-alert-trigger-success-managementgeneric
microsoft-mcas-json-alert-trigger-success-alertcabinet
microsoft-mcas-json-alert-trigger-success-download

T1003 - OS Credential Dumping
T1003.001 - OS Credential Dumping: LSASS Memory
T1003.002 - OS Credential Dumping: Security Account Manager
T1003.003 - OS Credential Dumping: NTDS
T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1083 - File and Directory Discovery
T1133 - External Remote Services
T1190 - Exploit Public-Facing Application
  • 98 Rules
  • 47 Models

Data Access

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

file-delete:success (file-delete)
microsoft-azure-cef-app-file-success-ldapquery

file-read:success (file-read)
microsoft-azure-cef-app-file-success-ldapquery

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

T1078 - Valid Accounts
T1083 - File and Directory Discovery
  • 44 Rules
  • 24 Models

Data Leak

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

alert-trigger:success (dlp-alert)
microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile

email-send:success (dlp-email-alert-out)
microsoft-o365-json-email-send-success-send

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

T1020 - Automated Exfiltration
T1048 - Exfiltration Over Alternative Protocol
T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol
T1071 - Application Layer Protocol
T1114 - Email Collection
T1114.001 - Email Collection: Local Email Collection
T1114.003 - Email Collection: Email Forwarding Rule
TA0010 - Exfiltration
  • 65 Rules
  • 32 Models

Lateral Movement

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

alert-trigger:success (security-alert)
microsoft-mcas-json-alert-trigger-success-mcasalerts
microsoft-mcas-json-alert-trigger-success-riskysignin
microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection
microsoft-mcas-cef-alert-trigger-success-siemagent
microsoft-mcas-json-alert-trigger-success-anomalydetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete
microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile
microsoft-mcas-json-alert-trigger-success-velocity
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
microsoft-mcas-json-alert-trigger-success-ransomware
microsoft-mcas-json-alert-trigger-success-failedloginattempt
microsoft-mcas-json-alert-trigger-success-emaildetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity
microsoft-mcas-json-alert-trigger-success-cabinetapppermission
microsoft-mcas-json-alert-trigger-success-alertanubisdetection
microsoft-mcas-json-alert-trigger-success-riskyipanonymous
microsoft-mcas-json-alert-trigger-success-managementgeneric
microsoft-mcas-json-alert-trigger-success-alertcabinet
microsoft-mcas-json-alert-trigger-success-download

T1027 - Obfuscated Files or Information
T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools
T1078 - Valid Accounts
T1090 - Proxy
T1090.003 - Proxy: Multi-hop Proxy
  • 4 Rules

Malware

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

alert-trigger:success (dlp-alert)
microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile

email-receive:success (dlp-email-alert-in)
microsoft-o365-json-email-send-success-send

email-send:success (dlp-email-alert-out)
microsoft-o365-json-email-send-success-send

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

alert-trigger:success (security-alert)
microsoft-mcas-json-alert-trigger-success-mcasalerts
microsoft-mcas-json-alert-trigger-success-riskysignin
microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection
microsoft-mcas-cef-alert-trigger-success-siemagent
microsoft-mcas-json-alert-trigger-success-anomalydetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete
microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile
microsoft-mcas-json-alert-trigger-success-velocity
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
microsoft-mcas-json-alert-trigger-success-ransomware
microsoft-mcas-json-alert-trigger-success-failedloginattempt
microsoft-mcas-json-alert-trigger-success-emaildetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity
microsoft-mcas-json-alert-trigger-success-cabinetapppermission
microsoft-mcas-json-alert-trigger-success-alertanubisdetection
microsoft-mcas-json-alert-trigger-success-riskyipanonymous
microsoft-mcas-json-alert-trigger-success-managementgeneric
microsoft-mcas-json-alert-trigger-success-alertcabinet
microsoft-mcas-json-alert-trigger-success-download

T1003 - OS Credential Dumping
T1003.002 - OS Credential Dumping: Security Account Manager
T1078 - Valid Accounts
T1190 - Exploit Public-Facing Application
T1505 - Server Software Component
T1505.003 - Server Software Component: Web Shell
T1547 - Boot or Logon Autostart Execution
T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
TA0002 - Execution
  • 14 Rules
  • 5 Models

Privilege Abuse

user-password-modify:success (account-password-change)
microsoft-mcas-cef-user-password-modify-success-changepassword
microsoft-azure-cef-user-password-modify-success-pwdchanged

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

app-activity:fail (app-activity-failed)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

email-receive:success (dlp-email-alert-in)
microsoft-o365-json-email-send-success-send

email-send:success (dlp-email-alert-out)
microsoft-o365-json-email-send-success-send

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

file-delete:success (file-delete)
microsoft-azure-cef-app-file-success-ldapquery

file-download:success (file-download)
microsoft-azure-cef-app-file-success-ldapquery

file-read:success (file-read)
microsoft-azure-cef-app-file-success-ldapquery

file-upload:success (file-upload)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-upload-success-appidonedrive

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

T1078 - Valid Accounts
T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 8 Rules
  • 2 Models

Privilege Escalation

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

T1098 - Account Manipulation
T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
  • 3 Rules
  • 1 Model

Privileged Activity

scheduled_task-trigger:success (app-activity)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate
microsoft-mcas-cef-app-activity-success-resolvealert
microsoft-mcas-cef-app-activity-success-updateserviceprincipal
microsoft-mcas-cef-app-activity-success-addpermissiontomailbox
microsoft-mcas-cef-app-activity-success-addmembertogroup
microsoft-mcas-cef-app-activity-success-accessfolder
microsoft-mcas-cef-app-activity-success-msgdelete
microsoft-mcas-cef-app-activity-success-msgsend-1
microsoft-mcas-cef-app-activity-success-agentusercreate
microsoft-mcas-cef-app-activity-success-folderdelete
microsoft-mcas-cef-app-activity-success-msgsend
microsoft-mcas-cef-app-activity-success-foldercreate
microsoft-mcas-cef-app-activity-success-msgupdate
microsoft-mcas-cef-app-activity-success-updateuser
microsoft-mcas-cef-app-activity-success-changeuserlicense
microsoft-mcas-cef-app-activity-success-msgupdate-1
microsoft-mcas-cef-app-activity-success-addmembertorole
microsoft-mcas-cef-app-activity-success-alertdismiss
microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder
microsoft-mcas-cef-app-activity-success-skyprforbuisnessactivity
microsoft-mcas-cef-app-activity-success-commandrun
microsoft-mcas-cef-app-activity-success-impersonated
microsoft-mcas-cef-app-activity-success-suspiciousemail
microsoft-mcas-cef-app-activity-success-itemcreate
microsoft-mcas-cef-app-activity-success-grantconsoleforthirdparty
microsoft-mcas-cef-app-activity-success-folderrename
microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder
microsoft-mcas-cef-app-activity-success-msgpurge
microsoft-mcas-cef-app-activity-success-groupsettingchange
microsoft-mcas-cef-app-activity-success-foldermove
microsoft-mcas-cef-app-activity-success-msgdelete-1
microsoft-mcas-cef-app-activity-success-setcompanyinfo

app-activity:fail (app-activity-failed)
microsoft-exchange-cef-app-activity-exchangeonline
microsoft-exchange-cef-app-activity-newmailbox
microsoft-azure-cef-app-file-success-ldapquery
microsoft-azure-sk4-app-activity-userupdate

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

email-receive:success (dlp-email-alert-in)
microsoft-o365-json-email-send-success-send

email-send:success (dlp-email-alert-out)
microsoft-o365-json-email-send-success-send

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

file-delete:success (file-delete)
microsoft-azure-cef-app-file-success-ldapquery

file-download:success (file-download)
microsoft-azure-cef-app-file-success-ldapquery

file-read:success (file-read)
microsoft-azure-cef-app-file-success-ldapquery

file-upload:success (file-upload)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-upload-success-appidonedrive

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

alert-trigger:success (security-alert)
microsoft-mcas-json-alert-trigger-success-mcasalerts
microsoft-mcas-json-alert-trigger-success-riskysignin
microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection
microsoft-mcas-cef-alert-trigger-success-siemagent
microsoft-mcas-json-alert-trigger-success-anomalydetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete
microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile
microsoft-mcas-json-alert-trigger-success-velocity
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
microsoft-mcas-json-alert-trigger-success-ransomware
microsoft-mcas-json-alert-trigger-success-failedloginattempt
microsoft-mcas-json-alert-trigger-success-emaildetection
microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity
microsoft-mcas-json-alert-trigger-success-cabinetapppermission
microsoft-mcas-json-alert-trigger-success-alertanubisdetection
microsoft-mcas-json-alert-trigger-success-riskyipanonymous
microsoft-mcas-json-alert-trigger-success-managementgeneric
microsoft-mcas-json-alert-trigger-success-alertcabinet
microsoft-mcas-json-alert-trigger-success-download

T1068 - Exploitation for Privilege Escalation
T1078 - Valid Accounts
  • 4 Rules
  • 1 Model

Ransomware

app-login:success (app-login)
microsoft-mcas-cef-app-login-eventcategorylogin
microsoft-azure-cef-app-login-success-description

app-login:fail (failed-app-login)
microsoft-azure-cef-app-login-fail-dest
microsoft-mcas-cef-app-login-eventcategorylogin

file-write:success (file-write)
microsoft-azure-cef-app-file-success-ldapquery
microsoft-mcas-cef-file-write-success-appidonedrive

T1078 - Valid Accounts
T1486 - Data Encrypted for Impact
  • 3 Rules