2_ds_microsoft_azure.md

May 13, 2026 · View on GitHub

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Compromised Credentials	app-activity ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-addmembertorole azure-keyvault-read ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup	T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1133 - External Remote Services	42 Rules 27 Models
Privilege Abuse	app-activity ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-addmembertorole app-activity-failed ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-addmembertorole	T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions	6 Rules 2 Models
Privileged Activity	app-activity ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-addmembertorole app-activity-failed ↳microsoft-azure-sk4-app-activity-adduser ↳microsoft-azure-sk4-app-activity-addmembertorole ↳microsoft-azuremon-sk4-app-activity-success-updategroup ↳microsoft-azure-sk4-app-activity-addmembertorole	T1078 - Valid Accounts	2 Rules 1 Models