Vendor: Microsoft

August 30, 2023 · View on GitHub

Product: Azure

Rules	Models	MITRE ATT&CK® TTPs	Event Types	Parsers
879	208	141	29	29

Use-Case	Event Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-password-change ↳cef-microsoft-password-change app-activity ↳cef-microsoft-app-activity-13 ↳cef-microsoft-app-activity-44 ↳cef-microsoft-app-activity-43 ↳cef-microsoft-app-activity-38 ↳azure-eventhubbeat-app-activity-9 ↳azure-eventhubbeat-app-activity-8 ↳cef-azure-app-activity-5 ↳azure-eventhubbeat-app-activity-5 ↳azure-eventhubbeat-app-activity-4 ↳cef-azure-app-activity-3 ↳azure-eventhubbeat-app-activity-7 ↳cef-azure-app-activity-4 ↳azure-eventhubbeat-app-activity-6 ↳cef-azure-app-activity-1 ↳azure-app-activity-3 ↳cef-azure-app-activity-2 ↳azure-app-activity-2 ↳azure-app-activity-1 ↳azure-eventhubbeat-app-activity ↳azure-app-activity-8 ↳azure-app-activity-7 ↳azure-app-activity-6 ↳azure-app-activity-5 ↳azure-app-activity-4 ↳azure-eventhubbeat-app-activity-1 ↳ms-azure-eventhubs-app-activity ↳azure-eventhubbeat-app-activity-3 ↳azure-eventhubbeat-app-activity-2 ↳azure-event-hub-application-gateway-access-log app-login ↳cef-azure-app-login ↳azure-event-hub-app-service-audit-logs ↳s-azure-app-login ↳azure-event-hub-key-vault-auth ↳ms-azure-signin-app-login ↳ms-azure-eventhubs-login ↳cef-microsoft-app-login ↳azure-app-login authentication-failed ↳s-azure-authentication authentication-successful ↳s-azure-authentication cloud-admin-activity ↳s-azure-authorization-activity ↳s-azure-api-management ↳s-azure-authorization-activity-3 ↳s-azure-authorization-activity-2 ↳s-azure-managed-identity ↳s-azure-pim-activity ↳s-azure-core-directory ↳s-azure-container-service cloud-admin-activity-failed ↳s-azure-authorization-activity ↳s-azure-api-management ↳s-azure-authorization-activity-3 ↳s-azure-authorization-activity-2 ↳s-azure-managed-identity ↳s-azure-pim-activity ↳s-azure-core-directory failed-app-login ↳cef-azure-failed-app-login ↳s-azure-app-login ↳ms-azure-signin-app-login ↳ms-azure-eventhubs-login ↳cef-microsoft-failed-app-login member-added ↳azure-event-hub-member-added member-removed ↳azure-event-hub-member-removed ↳azure-ad-member-removed-1 remote-logon ↳cef-microsoft-remote-logon ↳azure-event-hub-remote-logon storage-access ↳s-azure-storage-access ↳json-azure-storage-access storage-activity ↳s-azure-storage-activity-2 ↳s-azure-storage-activity-3 ↳s-azure-storage-activity storage-activity-failed ↳s-azure-storage-activity-2 ↳s-azure-storage-activity-3 ↳s-azure-storage-activity	T1021 - Remote Services T1078 - Valid Accounts T1078.002 - T1078.002 T1078.003 - Valid Accounts: Local Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services T1136.003 - Create Account: Create: Cloud Account T1530 - Data from Cloud Storage Object	53 Rules 23 Models
Account Manipulation	account-password-change ↳cef-microsoft-password-change app-activity ↳cef-microsoft-app-activity-13 ↳cef-microsoft-app-activity-44 ↳cef-microsoft-app-activity-43 ↳cef-microsoft-app-activity-38 ↳azure-eventhubbeat-app-activity-9 ↳azure-eventhubbeat-app-activity-8 ↳cef-azure-app-activity-5 ↳azure-eventhubbeat-app-activity-5 ↳azure-eventhubbeat-app-activity-4 ↳cef-azure-app-activity-3 ↳azure-eventhubbeat-app-activity-7 ↳cef-azure-app-activity-4 ↳azure-eventhubbeat-app-activity-6 ↳cef-azure-app-activity-1 ↳azure-app-activity-3 ↳cef-azure-app-activity-2 ↳azure-app-activity-2 ↳azure-app-activity-1 ↳azure-eventhubbeat-app-activity ↳azure-app-activity-8 ↳azure-app-activity-7 ↳azure-app-activity-6 ↳azure-app-activity-5 ↳azure-app-activity-4 ↳azure-eventhubbeat-app-activity-1 ↳ms-azure-eventhubs-app-activity ↳azure-eventhubbeat-app-activity-3 ↳azure-eventhubbeat-app-activity-2 ↳azure-event-hub-application-gateway-access-log cloud-admin-activity ↳s-azure-authorization-activity ↳s-azure-api-management ↳s-azure-authorization-activity-3 ↳s-azure-authorization-activity-2 ↳s-azure-managed-identity ↳s-azure-pim-activity ↳s-azure-core-directory ↳s-azure-container-service cloud-admin-activity-failed ↳s-azure-authorization-activity ↳s-azure-api-management ↳s-azure-authorization-activity-3 ↳s-azure-authorization-activity-2 ↳s-azure-managed-identity ↳s-azure-pim-activity ↳s-azure-core-directory member-added ↳azure-event-hub-member-added member-removed ↳azure-event-hub-member-removed ↳azure-ad-member-removed-1 process-created ↳azure-process-created-1 ↳azure-event-hub-process-events ↳azure-event-hub-process-events-1 storage-access ↳s-azure-storage-access ↳json-azure-storage-access storage-activity ↳s-azure-storage-activity-2 ↳s-azure-storage-activity-3 ↳s-azure-storage-activity storage-activity-failed ↳s-azure-storage-activity-2 ↳s-azure-storage-activity-3 ↳s-azure-storage-activity	T1003 - OS Credential Dumping T1003.003 - T1003.003 T1021.003 - T1021.003 T1059.001 - Command and Scripting Interperter: PowerShell T1059.003 - T1059.003 T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account T1136.001 - Create Account: Create: Local Account T1136.003 - Create Account: Create: Cloud Account T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1530 - Data from Cloud Storage Object T1531 - Account Access Removal T1559.002 - T1559.002	53 Rules 24 Models
Audit Tampering	process-created ↳azure-process-created-1 ↳azure-event-hub-process-events ↳azure-event-hub-process-events-1	T1059 - Command and Scripting Interperter T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1546.003 - T1546.003 T1562 - Impair Defenses T1562.006 - T1562.006	7 Rules
Cryptomining	process-created ↳azure-process-created-1 ↳azure-event-hub-process-events ↳azure-event-hub-process-events-1	T1496 - Resource Hijacking	2 Rules
Destruction of Data	file-delete ↳cef-microsoft-app-activity-13 ↳cef-microsoft-app-activity-44 ↳cef-microsoft-app-activity-43 ↳cef-microsoft-app-activity-38 ↳azure-event-hub-file-events	T1070.004 - Indicator Removal on Host: File Deletion T1485 - Data Destruction	1 Rules
Evasion	process-created ↳azure-process-created-1 ↳azure-event-hub-process-events ↳azure-event-hub-process-events-1	T1027 - Obfuscated Files or Information T1027.004 - Obfuscated Files or Information: Compile After Delivery T1036 - Masquerading T1036.003 - Masquerading: Rename System Utilities T1036.005 - Masquerading: Match Legitimate Name or Location T1059 - Command and Scripting Interperter T1059.001 - Command and Scripting Interperter: PowerShell T1059.005 - T1059.005 T1070 - Indicator Removal on Host T1070.001 - Indicator Removal on Host: Clear Windows Event Logs T1105 - Ingress Tool Transfer T1127.001 - Trusted Developer Utilities Proxy Execution: MSBuild T1140 - Deobfuscate/Decode Files or Information T1197 - BITS Jobs T1202 - Indirect Command Execution T1203 - Exploitation for Client Execution T1218 - Signed Binary Proxy Execution T1218.002 - Signed Binary Proxy Execution: Control Panel T1218.004 - Signed Binary Proxy Execution: InstallUtil T1218.008 - T1218.008 T1218.009 - Signed Binary Proxy Execution: Regsvcs/Regasm T1218.010 - Signed Binary Proxy Execution: Regsvr32 T1218.011 - Signed Binary Proxy Execution: Rundll32 T1484.001 - T1484.001 T1542.003 - T1542.003 T1543.003 - Create or Modify System Process: Windows Service T1552.006 - T1552.006 T1562 - Impair Defenses T1562.001 - T1562.001 T1562.004 - Impair Defenses: Disable or Modify System Firewall T1562.006 - T1562.006 T1564.001 - T1564.001 T1564.004 - Hide Artifacts: NTFS File Attributes T1574 - Hijack Execution Flow	77 Rules 3 Models
Phishing	process-created ↳azure-process-created-1 ↳azure-event-hub-process-events ↳azure-event-hub-process-events-1	T1566.001 - T1566.001	2 Rules
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Valid Accounts: Cloud Accounts Exploit Public Fasing Application Replication Through Removable Media Phishing	Windows Management Instrumentation Command and Scripting Interperter Scheduled Task/Job Inter-Process Communication System Services Exploitation for Client Execution User Execution Scheduled Task/Job: Scheduled Task Command and Scripting Interperter: PowerShell Software Deployment Tools Scheduled Task/Job: At (Windows)	Pre-OS Boot Create Account Create or Modify System Process External Remote Services Valid Accounts Hijack Execution Flow Server Software Component: Web Shell Account Manipulation BITS Jobs Create or Modify System Process: Windows Service Scheduled Task/Job Create Account: Create: Cloud Account Server Software Component Event Triggered Execution Boot or Logon Autostart Execution Create Account: Create: Local Account Account Manipulation: Exchange Email Delegate Permissions	Access Token Manipulation: Token Impersonation/Theft Create or Modify System Process Valid Accounts Access Token Manipulation Exploitation for Privilege Escalation Hijack Execution Flow Group Policy Modification Process Injection Scheduled Task/Job Abuse Elevation Control Mechanism Event Triggered Execution Boot or Logon Autostart Execution Process Injection: Dynamic-link Library Injection Abuse Elevation Control Mechanism: Bypass User Account Control	Hide Artifacts Indirect Command Execution Impair Defenses Indicator Removal on Host: Clear Windows Event Logs Group Policy Modification Trusted Developer Utilities Proxy Execution Masquerading: Match Legitimate Name or Location Masquerading: Rename System Utilities File and Directory Permissions Modification: Windows File and Directory Permissions Modification Obfuscated Files or Information: Compile After Delivery Obfuscated Files or Information: Indicator Removal from Tools Hijack Execution Flow: DLL Side-Loading Indicator Removal on Host: File Deletion Masquerading Valid Accounts Modify Registry BITS Jobs Use Alternate Authentication Material Hide Artifacts: NTFS File Attributes Use Alternate Authentication Material: Pass the Hash Indicator Removal on Host Use Alternate Authentication Material: Pass the Ticket Pre-OS Boot File and Directory Permissions Modification Deobfuscate/Decode Files or Information Abuse Elevation Control Mechanism Impair Defenses: Disable or Modify System Firewall Obfuscated Files or Information Signed Binary Proxy Execution: Compiled HTML File Access Token Manipulation Hijack Execution Flow Process Injection Valid Accounts: Local Accounts Signed Binary Proxy Execution: Msiexec Signed Binary Proxy Execution Signed Binary Proxy Execution: Regsvcs/Regasm Signed Binary Proxy Execution: CMSTP Signed Binary Proxy Execution: Control Panel Signed Binary Proxy Execution: InstallUtil Signed Binary Proxy Execution: Regsvr32 Trusted Developer Utilities Proxy Execution: MSBuild Signed Binary Proxy Execution: Rundll32	OS Credential Dumping Unsecured Credentials Steal or Forge Kerberos Tickets Credentials from Password Stores Steal or Forge Kerberos Tickets: Kerberoasting Network Sniffing	Account Discovery Domain Trust Discovery System Service Discovery System Network Connections Discovery Account Discovery: Local Account Account Discovery: Domain Account File and Directory Discovery Network Sniffing System Information Discovery Network Share Discovery Query Registry Process Discovery System Owner/User Discovery Software Discovery Remote System Discovery System Network Configuration Discovery	Exploitation of Remote Services Remote Service Session Hijacking Remote Services Remote Services: SMB/Windows Admin Shares Use Alternate Authentication Material Remote Services: Remote Desktop Protocol Software Deployment Tools Replication Through Removable Media	Screen Capture Data from Information Repositories Email Collection Audio Capture Data from Cloud Storage Object Archive Collected Data Email Collection: Email Forwarding Rule	Protocol Tunneling Application Layer Protocol: DNS Application Layer Protocol: File Transfer Protocols Application Layer Protocol: Web Protocols Remote Access Software Dynamic Resolution Ingress Tool Transfer Dynamic Resolution: Domain Generation Algorithms Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Physical Medium: Exfiltration over USB Exfiltration Over C2 Channel Exfiltration Over Physical Medium	Account Access Removal Data Destruction Resource Hijacking Data Encrypted for Impact Inhibit System Recovery