Vendor: Microsoft

April 15, 2026 · View on GitHub

Product: Microsoft CAS

Rules	Models	MITRE ATT&CK® TTPs	Activity Types	Parsers
234	102	34	18	45

Use-Case	Activity Types/Parsers	MITRE ATT&CK® TTP	Content
Abnormal Authentication & Access	account-password-change ↳microsoft-mcas-cef-user-password-modify-success-changepassword ↳microsoft-azure-cef-user-password-modify-success-pwdchanged account-password-reset ↳microsoft-mcas-cef-user-password-reset-success-resetpassword app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive app-login ↳microsoft-mcas-cef-app-login-eventcategorylogin ↳microsoft-azure-cef-app-login-success-description authentication-successful ↳microsoft-azure-cef-app-authentication-credentialsvalidation failed-app-login ↳microsoft-azure-cef-app-login-fail-dest ↳microsoft-mcas-cef-app-login-eventcategorylogin member-added ↳microsoft-mcas-cef-file-write-success-appidonedrive member-removed ↳microsoft-mcas-cef-file-write-success-appidonedrive	T1078 - Valid Accounts T1133 - External Remote Services	15 Rules 4 Models
Account Manipulation	account-password-change ↳microsoft-mcas-cef-user-password-modify-success-changepassword ↳microsoft-azure-cef-user-password-modify-success-pwdchanged account-password-reset ↳microsoft-mcas-cef-user-password-reset-success-resetpassword app-activity ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-azure-sk4-app-activity-userupdate ↳microsoft-mcas-cef-app-activity-success-updateserviceprincipal ↳microsoft-mcas-cef-app-activity-success-addpermissiontomailbox ↳microsoft-mcas-cef-app-activity-success-addmembertogroup ↳microsoft-mcas-cef-app-activity-success-accessfolder ↳microsoft-mcas-cef-app-activity-success-msgdelete ↳microsoft-mcas-cef-app-activity-success-msgsend-1 ↳microsoft-mcas-cef-app-activity-success-agentusercreate ↳microsoft-mcas-cef-app-activity-success-folderdelete ↳microsoft-mcas-cef-app-activity-success-msgsend ↳microsoft-mcas-cef-app-activity-success-foldercreate ↳microsoft-mcas-cef-app-activity-success-msgupdate ↳microsoft-mcas-cef-app-activity-success-updateuser ↳microsoft-mcas-cef-app-activity-success-changeuserlicense ↳microsoft-mcas-cef-app-activity-success-msgupdate-1 ↳microsoft-mcas-cef-app-activity-success-addmembertorole ↳microsoft-mcas-cef-app-activity-success-movemsgtoanotherfolder ↳microsoft-mcas-cef-app-activity-success-commandrun ↳microsoft-mcas-cef-app-activity-success-impersonated ↳microsoft-mcas-cef-app-activity-success-suspiciousemail ↳microsoft-mcas-cef-app-activity-success-itemcreate ↳microsoft-mcas-cef-app-activity-success-folderrename ↳microsoft-mcas-cef-app-activity-success-movemsgtodeletedfolder ↳microsoft-mcas-cef-app-activity-success-msgpurge ↳microsoft-mcas-cef-app-activity-success-groupsettingchange ↳microsoft-mcas-cef-app-activity-success-foldermove ↳microsoft-mcas-cef-app-activity-success-msgdelete-1 ↳microsoft-mcas-cef-app-activity-success-setcompanyinfo ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive ↳microsoft-mcas-cef-file-write-success-appidonedrive member-added ↳microsoft-mcas-cef-file-write-success-appidonedrive member-removed ↳microsoft-mcas-cef-file-write-success-appidonedrive	T1098 - Account Manipulation T1098.002 - Account Manipulation: Exchange Email Delegate Permissions T1136 - Create Account	28 Rules 13 Models
Destruction of Data	file-delete ↳microsoft-azure-cef-app-file-success-ldapquery ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-app-activity-success-catchall ↳microsoft-mcas-cef-file-write-success-appidonedrive	T1070 - Indicator Removal on Host T1070.004 - Indicator Removal on Host: File Deletion T1485 - Data Destruction	1 Rules
Phishing	dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	1 Rules 1 Models
Workforce Protection	dlp-email-alert-out ↳microsoft-o365-json-email-send-success-send	T1048 - Exfiltration Over Alternative Protocol T1048.003 - Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol	4 Rules 1 Models
Next Page -->>

MITRE ATT&CK® Framework for Enterprise

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
External Remote Services Valid Accounts Valid Accounts: Cloud Accounts Exploit Public Fasing Application		Create Account External Remote Services Valid Accounts Server Software Component: Web Shell Account Manipulation Server Software Component Boot or Logon Autostart Execution Account Manipulation: Exchange Email Delegate Permissions	Valid Accounts Exploitation for Privilege Escalation Boot or Logon Autostart Execution	Obfuscated Files or Information: Indicator Removal from Tools Indicator Removal on Host: File Deletion Valid Accounts Indicator Removal on Host Obfuscated Files or Information	OS Credential Dumping	File and Directory Discovery		Email Collection Email Collection: Email Forwarding Rule	Proxy: Multi-hop Proxy Application Layer Protocol Proxy	Exfiltration Over Alternative Protocol Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol Automated Exfiltration	Data Destruction Data Encrypted for Impact