| Compromised Credentials | app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
authentication-successful ↳microsoft-azure-cef-app-authentication-credentialsvalidation
azure-keyvault-read ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-azure-sk4-app-activity-userupdate
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
file-delete ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive
file-read ↳microsoft-azure-cef-app-file-success-ldapquery
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
security-alert ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
| T1003 - OS Credential Dumping T1003.001 - T1003.001 T1003.002 - T1003.002 T1003.003 - T1003.003 T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1078.004 - Valid Accounts: Cloud Accounts T1083 - File and Directory Discovery T1133 - External Remote Services T1190 - Exploit Public-Facing Application
| |
| Data Access | app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
file-delete ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive
file-read ↳microsoft-azure-cef-app-file-success-ldapquery
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1078 - Valid Accounts T1083 - File and Directory Discovery
| |
| Data Exfiltration | dlp-alert ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1020 - Automated Exfiltration T1071 - Application Layer Protocol TA0002 - TA0002 TA0010 - TA0010
| |
| Data Leak | app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
dlp-alert ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile
dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1020 - Automated Exfiltration T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol T1071 - Application Layer Protocol T1114 - Email Collection T1114.001 - T1114.001 T1114.003 - Email Collection: Email Forwarding Rule TA0010 - TA0010
| |
| Lateral Movement | app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
authentication-successful ↳microsoft-azure-cef-app-authentication-credentialsvalidation
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
security-alert ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
| T1027 - Obfuscated Files or Information T1027.005 - Obfuscated Files or Information: Indicator Removal from Tools T1078 - Valid Accounts T1090 - Proxy T1090.003 - Proxy: Multi-hop Proxy
| |
| Malware | app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
authentication-successful ↳microsoft-azure-cef-app-authentication-credentialsvalidation
dlp-alert ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabineteventmatchfile
dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
security-alert ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
| T1003 - OS Credential Dumping T1003.002 - T1003.002 T1078 - Valid Accounts T1190 - Exploit Public-Facing Application T1505 - Server Software Component T1505.003 - Server Software Component: Web Shell T1547 - Boot or Logon Autostart Execution T1547.001 - T1547.001 TA0002 - TA0002
| |
| Privilege Abuse | account-password-change ↳microsoft-mcas-cef-user-password-modify-success-changepassword ↳microsoft-azure-cef-user-password-modify-success-pwdchanged
account-password-reset ↳microsoft-mcas-cef-user-password-reset-success-resetpassword
app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
app-activity-failed ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate
app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
file-delete ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive
file-download ↳microsoft-azure-cef-app-file-success-ldapquery
file-read ↳microsoft-azure-cef-app-file-success-ldapquery
file-upload ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-upload-success-appidonedrive
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
member-added ↳microsoft-mcas-cef-file-write-success-appidonedrive
member-removed ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1078 - Valid Accounts T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account
| |
| Privilege Escalation | app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions
| |
| Privileged Activity | app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
app-activity-failed ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate
app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
file-delete ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive
file-download ↳microsoft-azure-cef-app-file-success-ldapquery
file-read ↳microsoft-azure-cef-app-file-success-ldapquery
file-upload ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-upload-success-appidonedrive
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
security-alert ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalerts ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-mcasalertexfiltrationdiscoveryanomalydetection ↳microsoft-mcas-cef-alert-trigger-success-siemagent ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry ↳microsoft-mcas-json-alert-trigger-success-failedloginattempt ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionvelocity ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetection ↳microsoft-mcas-json-alert-trigger-success-anomalydetection ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionrepeatedactivitydelete ↳microsoft-mcas-sk4-alert-trigger-success-cabineteventmatchfile ↳microsoft-mcas-json-alert-trigger-success-alertcabinet ↳microsoft-mcas-json-alert-trigger-success-alertanubisdetectionnewcountry
| T1068 - Exploitation for Privilege Escalation T1078 - Valid Accounts
| |
| Ransomware | app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description
authentication-successful ↳microsoft-azure-cef-app-authentication-credentialsvalidation
failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin
file-write ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive
| T1078 - Valid Accounts T1486 - Data Encrypted for Impact
| |