Threat definition updates

11452

New! CTD-000040: Azure AD guest account with an unredeemed invitation

This threat definition detects unredeemed guest invitations. Threat actors might use such invitations to get access to your tenant.

11463

This threat definition detects if token persistence is not disabled for users with admin roles. If a device used by the administrator is left unattended or compromised, a threat actor might be able to extract PRT and use it to access your tenant, bypassing MFA. 

11730

Updated! CTD-000010: Azure AD app with risky write permissions

Now, this threat definition also checks additional permissions, including:

1. Policy.*Write*
2. Organization.*Write*
3. AppRoleAssignment.*Write*
4. RoleManagement.*Write*
5. ServicePrincipalEndpoint.*Write*
6. Application.*Write*
   
7. *update_device_attributes*

11731

New! CTD-000042: AAD: Azure AD tenant with Certificate-Based Authentication enabled

This threat definition detects if Certificate-Based Authentication is enabled and a root Certificate Authority is configured in the tenant. Threat actors might use certificate-based authentication to access the tenant by bypassing MFA.

11616

Updated! CTD-000035: Privileged Azure AD account synced from on-premise

Now, this threat definition also finds synced users with an eligible role membership in Azure AD roles.  

10724

New! CTD-000037: Objects with privileged SIDs in SID History

This threat definition finds AD Objects with privileged SIDs in their SID History. Threat actors may use the SID History Injection technique to escalate privileges and bypass access controls.

New! CTD-000012: Modified federation settings in Azure AD domain

This threat definition detects changes in the federation settings of Azure AD domains. Threat actors might use federated domains to access your tenant. This technique was used in the infamous Solorigate attack.

New! CTD-000008: Azure AD app with client secrets

This threat definition finds applications with client secrets. Threat actors might perform actions on behalf of an application using compromised client secrets.

Updated! CTD-000018: Azure AD tenant with auditing disabled

Now, this threat definition detects changes in the audit logging configuration of your Azure AD tenants in real time, in addition to the scheduled check.  

New! CTD-000034: Privileged AD user synced to Azure AD

This threat definition finds privileged AD users synced to Azure AD. Threat actors might compromise a regular user account in the tenant to get access to its privileged counterpart in the Active Directory.

New! CTD-000038 Azure AD tenant with unsecured access to Azure management

This threat definition detects if Microsoft Azure Management is not protected with Multi-factor authentication. Without MFA enforced, threat actors might compromise an account and immediately get access to the privileged resources. 

New! CTD-000039 Azure AD Application Registration with dangling URI

This threat definition finds Azure AD Application Registrations with redirect URIs without corresponding Azure resources. Threat actors might use such dangling URIs to redirect traffic intended for an application to a site performing malicious activity.