Azure

A high volume of failed Microsoft Entra ID sign-in attempts resulting in account lockouts indicates potential brute-force attacks, such as password spraying or credential stuffing, targeting user accounts.

CVE-2026-32168 is an improper input validation vulnerability in Azure Monitor Agent that allows a locally authorized attacker to elevate privileges.

CVE-2026-32192 allows a locally authorized attacker to escalate privileges on a host running the Azure Monitor Agent via deserialization of untrusted data.

Detects suspicious OAuth 2.0 token requests where the Microsoft Authentication Broker requests access to the Device Registration Service on behalf of a user principal, potentially indicating an attempt to abuse device registration for unauthorized persistence.

Detects a service principal authenticating to Azure AD followed by listing credentials for an Azure Arc-connected Kubernetes cluster, indicating potential adversary activity with stolen service principal secrets to establish a proxy tunnel into Kubernetes clusters.

CVE-2026-33105 is a critical vulnerability in Microsoft Azure Kubernetes Service that allows an unauthorized attacker to elevate privileges over a network due to improper authorization.

A server-side request forgery (SSRF) vulnerability, identified as CVE-2026-33107, exists in Azure Databricks, allowing an unauthorized attacker to elevate privileges over a network.

An improper authentication vulnerability (CVE-2026-32173) in the Azure SRE Agent allows an unauthorized attacker to disclose sensitive information over the network, potentially leading to data breaches or further compromise.

CVE-2026-32211 is a critical vulnerability in Azure MCP Server due to missing authentication for a critical function, allowing an unauthorized attacker to disclose information over the network.

A machine learning job detected Azure Activity Logs activity that, while not inherently suspicious or abnormal, is sourcing from a geolocation (city) that is unusual for the event action, indicating potential compromised credentials.

Modification of the issuer URL of a federated identity credential in Entra ID can allow an attacker to authenticate as the application's service principal, granting persistent access to Azure resources by pointing to an attacker-controlled identity provider and bypassing normal authentication.

Detects a service principal authenticating to Microsoft Entra ID and then listing credentials for an Azure Arc-connected Kubernetes cluster within a short time window, indicating potential unauthorized access to Kubernetes clusters via stolen service principal secrets.

An unauthorized actor modifies an Azure Conditional Access policy, potentially leading to privilege escalation, credential access, persistence, or defense impairment.

Enabling certificate-based authentication (CBA) in Azure Active Directory can be abused by attackers to establish persistence, escalate privileges, and impair defenses.

A suspicious browser activity alert indicates anomalous behavior based on suspicious sign-in activity across multiple tenants from different countries in the same browser, potentially indicating compromised credentials or other malicious activity.

An attacker may modify or delete Azure Firewall rule collections (Application, NAT, and Network) to impair defenses and potentially enable malicious traffic.

This alert detects Azure AD sign-ins with properties unfamiliar to the user, indicating potential account compromise or unauthorized access.

Monitoring changes to the device registration policy can detect potential privilege escalation or defense impairment attempts by malicious actors aiming to weaken security controls related to device management in Azure Active Directory.

A threat actor can create a new, rogue AD Health ADFS service within Azure and then create a fake server instance, which can be leveraged to spoof AD FS signing logs without compromising on-prem AD FS servers.

An attacker may add an authentication method to a compromised Azure account for persistent access, which can be detected by monitoring changes to authentication methods in Azure audit logs.

Detection of unauthorized access or privilege escalation attempts within Azure environments due to invalid or missing Microsoft Entra Premium P2 or Microsoft Entra ID Governance licenses for Privileged Identity Management (PIM).

Adversaries may delete events in Azure Kubernetes to evade detection, which this rule detects via the MICROSOFT.KUBERNETES/CONNECTEDCLUSTERS/EVENTS.K8S.IO/EVENTS/DELETE operation.

An unauthorized actor removes a Conditional Access policy in Azure, potentially weakening the organization's security posture and enabling privilege escalation or credential access.

Detection of stale accounts in Azure Privileged Identity Management (PIM) through the 'staleSignInAlertIncident' event, indicating potential compromised or unused privileged accounts.

An Azure firewall was created, modified, or deleted, potentially indicating malicious activity aimed at impairing network defenses.

An adversary with sufficient privileges in Azure Active Directory may attempt to retrieve BitLocker keys to decrypt drives for lateral movement or data exfiltration.

Detection of Azure Privileged Identity Management (PIM) elevation approvals or denials, which, if unexpected, may indicate unauthorized privilege escalation or malicious activity within an Azure environment.

Detection of Azure Privileged Identity Management (PIM) roles being activated without requiring multi-factor authentication, potentially leading to unauthorized privilege escalation and persistence.

Detection of configuration changes to an application's AppID URI in Azure, potentially indicating malicious activity related to initial access, persistence, credential access, privilege escalation, or stealth.

An adversary can exploit Kubernetes Admission Controllers in Azure to achieve persistence, privilege escalation, or credential access by manipulating webhook configurations.

This alert identifies when an application is deleted within an Azure environment, which could indicate malicious activity or unintended misconfiguration leading to service disruption.

Detects when a user successfully resets their own password in Azure Active Directory, which may indicate malicious activity or account compromise.

An adversary may convert a guest user account to a member account in Azure Active Directory to elevate privileges and gain persistent access to resources.

Detection of an excessive number of Global Administrator accounts assigned within an Azure tenant, indicating potential privilege escalation or compromised accounts.

Detects unauthorized or malicious modifications to Privileged Identity Management (PIM) settings within Azure environments, potentially leading to privilege escalation, persistence, and stealthy access by attackers.

Detects the creation of a service principal in Azure, which could indicate potential attacker activity for lateral movement or persistence.

Threat actors may delete Azure AD Hybrid Health AD FS service instances after using them to spoof AD FS signing logs for defense evasion.

Detection of a service principal removal in Azure, potentially indicating malicious activity or an attempt to remove evidence of a compromise.

Detection of Azure application URI modifications that can be indicative of malicious activity, such as using dangling URIs, non-HTTPS URIs, wildcard domains, or URIs pointing to uncontrolled domains, potentially leading to initial access, stealth, persistence, credential access, and privilege escalation.

An attacker removes a user from a privileged Azure Active Directory group with permissions to modify Conditional Access policies, potentially leading to privilege escalation, persistence, or defense evasion.

Detection of assigned but unused privileged roles in Azure's Privileged Identity Management (PIM) service, indicating potential misconfiguration, license overuse, or dormant privileged access that could be exploited.

Detection of a failed attempt to invite an external guest user by an Azure user lacking the necessary permissions, potentially indicating privilege escalation or malicious insider activity.

An unauthorized actor created a new Conditional Access policy in Azure AD, potentially leading to privilege escalation and unauthorized access.

An adversary disables Privileged Identity Management (PIM) alerts in Azure to evade detection and maintain persistent access with escalated privileges.

Detection of frequent role activation in Azure Privileged Identity Management (PIM) by the same user may indicate potential privilege escalation or account compromise.

Detects the creation of new privileged accounts in Azure environments, potentially indicating initial access, persistence, privilege escalation, or stealth activities by malicious actors.

An attacker elevates their Azure subscription permissions to manage all subscriptions, potentially leading to unauthorized access and control over the environment.

An adversary may remove an owner from an Azure application or service principal to weaken access controls, persist in the environment, or escalate privileges.

An adversary may disable multi-factor authentication (MFA) in Azure Active Directory to weaken an organization's security posture and bypass authentication mechanisms, potentially gaining unauthorized access to sensitive resources and maintaining persistence.

The Atypical Travel detection in Azure Identity Protection identifies potentially compromised user accounts by detecting geographically improbable sign-in activity, indicative of account compromise or misuse.

Detection of a user being added to a privileged role in Azure AD, potentially indicating privilege escalation or persistence by an attacker.

Detection of privilege role assignments outside of Azure Privileged Identity Management (PIM) can indicate potential attacker activity related to initial access, stealth, persistence, or privilege escalation within the Azure environment.

An attacker may modify Azure domain federation settings to establish persistence, escalate privileges, or gain unauthorized access to resources.