Azure ATP Security Alerts

Azure ATP security alerts explain the suspicious activities detected by Azure ATP sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Azure ATP security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

  1. Reconnaissance phase alerts
  2. Compromised credential phase alerts
  3. Lateral movement phase alerts
  4. Domain dominance phase alerts
  5. Exfiltration phase alerts

To learn more about the structure and common components of all Azure ATP security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

In version 2.56, all existing Azure ATP security alerts were renamed with easier-to-understand names. The mapping between old and new names, and their corresponding unique externalIds, is listed in the following table. When writing scripts or automation, Microsoft recommends keying on alert external IDs rather than alert names, because only the security alert external IDs are permanent and not subject to change.

| New security alert name | Previous security alert name | Unique external ID | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| Account enumeration reconnaissance | Reconnaissance using account enumeration | 2003 | Discovery |
| Data exfiltration over SMB | NA | 2030 | Exfiltration, Lateral movement, Command and control |
| Honeytoken activity | Honeytoken activity | 2014 | Credential access, Discovery |
| Malicious request of Data Protection API master key | Malicious Data Protection Private Information Request | 2020 | Credential access |
| Network mapping reconnaissance (DNS) | Reconnaissance using DNS | 2007 | Discovery |
| Remote code execution attempt | Remote code execution attempt | 2019 | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Remote code execution over DNS | NA | 2036 | Privilege escalation, Lateral movement |
| Security principal reconnaissance (LDAP) - preview | NA | 2038 | Credential access |
| Suspected brute force attack (Kerberos, NTLM) | Suspicious authentication failures | 2023 | Credential access |
| Suspected brute force attack (LDAP) | Brute force attack using LDAP simple bind | 2004 | Credential access |
| Suspected brute force attack (SMB) | Unusual protocol implementation (potential use of malicious tools such as Hydra) | 2033 | Lateral movement |
| Suspected DCShadow attack (domain controller promotion) | Suspicious domain controller promotion (potential DCShadow attack) | 2028 | Defense evasion |
| Suspected DCShadow attack (domain controller replication request) | Suspicious domain controller replication request (potential DCShadow attack) | 2029 | Defense evasion |
| Suspected DCSync attack (replication of directory services) | Malicious replication of directory services | 2006 | Persistence, Credential access |
| Suspected Golden Ticket usage (encryption downgrade) | Encryption downgrade activity (potential golden ticket attack) | 2009 | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (forged authorization data) | Privilege escalation using forged authorization data | 2013 | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (nonexistent account) | Kerberos Golden Ticket - nonexistent account | 2027 | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (ticket anomaly) | NA | 2032 | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (time anomaly) | Kerberos Golden Ticket - time anomaly | 2022 | Privilege escalation, Lateral movement, Persistence |
| Suspected identity theft (pass-the-hash) | Identity theft using Pass-the-Hash attack | 2017 | Lateral movement |
| Suspected identity theft (pass-the-ticket) | Identity theft using Pass-the-Ticket attack | 2018 | Lateral movement |
| Suspected over-pass-the-hash attack (encryption downgrade) | Encryption downgrade activity (potential overpass-the-hash attack) | 2008 | Lateral movement |
| Suspected overpass-the-hash attack (Kerberos) | Unusual Kerberos protocol implementation (potential overpass-the-hash attack) | 2002 | Lateral movement |
| Suspected skeleton key attack (encryption downgrade) | Encryption downgrade activity (potential skeleton key attack) | 2010 | Lateral movement, Persistence |
| Suspected use of Metasploit hacking framework | Unusual protocol implementation (potential use of Metasploit hacking tools) | 2034 | Lateral movement |
| Suspected NTLM relay attack (Exchange account) - preview | NA | 2037 | Privilege escalation, Lateral movement |
| Suspected WannaCry ransomware attack | Unusual protocol implementation (potential WannaCry ransomware attack) | 2035 | Lateral movement |
| Suspicious communication over DNS | Suspicious communication over DNS | 2031 | Exfiltration |
| Suspicious modification of sensitive groups | Suspicious modification of sensitive groups | 2024 | Credential access, Persistence |
| Suspicious service creation | Suspicious service creation | 2026 | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Suspicious VPN connection | Suspicious VPN connection | 2025 | Persistence, Defense evasion |
| User and group membership reconnaissance (SAMR) | Reconnaissance using directory services queries | 2021 | Discovery |
| User and IP address reconnaissance (SMB) | Reconnaissance using SMB Session Enumeration | 2012 | Discovery |

Note

To disable any security alert, contact support.

See Also