Threat Alerts directory
Overview
This directory is a reference for the threat alerts that Cayosoft Guardian generates. Each threat alert identifies suspicious or high-risk activity detected across your identity environment — including Microsoft Entra ID, Active Directory, Intune, Exchange Online, and hybrid identity configurations — and provides the context security teams need to assess and respond to it.
Use this directory to understand what each alert means, why it is raised, its default severity, and how it maps into downstream tools such as Microsoft Sentinel.
How Threat Alerts are generated
Cayosoft Guardian continuously monitors your directory and configuration state. When it detects activity that matches a known threat pattern, it raises a threat alert. Each alert is recorded in the Guardian portal and, when Windows Event Log for Alerts is enabled, written to the Windows Event Log as Event ID 2 in the Cayosoft Guardian Alerts log. This is the same record that feeds the Microsoft Sentinel integration.
Anatomy of a Threat Alert
Every threat alert carries a consistent set of properties, allowing alerts to be understood, grouped, and acted upon in the same way, regardless of their source. The key fields are:
- ThreatId — a unique identifier for the threat. Related activity that shares a
ThreatIdis grouped together so a single threat is represented as one consolidated item rather than many disconnected alerts. - TargetName — the object affected by the activity, such as an account, group, or computer.
- Categories — the classification of the threat, for example, Credential Access or Persistence.
- Evidence — the supporting detail that explains what was observed and why the alert was raised.
- Tactics — the relevant adversary tactics associated with the threat, when they can be determined.
Severity Levels
Threat alerts are assigned one of the following severity levels, which reflect the potential impact of the detected activity:
| Severity | Description |
|---|---|
| Critical | Activity representing the highest risk, requiring immediate attention. |
| High | Serious activity that should be investigated promptly. |
| Medium | Notable activity that warrants review. |
| Low | Lower-risk activity, useful for awareness and correlation. |
| Informational | Contextual events that do not indicate risk on their own. |
When alerts are forwarded to Microsoft Sentinel, Critical and High are both reported as High, while Medium, Low, and Informational retain their own levels.
Comments
0 comments
Please sign in to leave a comment.