Azure ATP Security Alerts

Note

The Azure ATP features explained on this page are also accessible using the new portal.

Azure ATP security alerts explain the suspicious activities detected by Azure ATP sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Azure ATP security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

  1. Reconnaissance phase alerts
  2. Compromised credential phase alerts
  3. Lateral movement phase alerts
  4. Domain dominance phase alerts
  5. Exfiltration phase alerts

To learn more about the structure and common components of all Azure ATP security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

In version 2.56, all existing Azure ATP security alerts were renamed with easier-to-understand names. The mapping between old and new names, together with their unique external IDs, is listed in the following table. When alerts are consumed by scripts or automation, Microsoft recommends matching on the alert's external ID rather than its name: only the security alert external IDs are permanent and not subject to change.

| New security alert name | Previous security alert name | Unique external ID | Severity | MITRE ATT&CK Matrix™ |
|---|---|---|---|---|
| Account enumeration reconnaissance | Reconnaissance using account enumeration | 2003 | Medium | Discovery |
| Data exfiltration over SMB | NA | 2030 | High | Exfiltration, Lateral movement, Command and control |
| Honeytoken activity | Honeytoken activity | 2014 | Medium | Credential access, Discovery |
| Malicious request of Data Protection API master key | Malicious Data Protection Private Information Request | 2020 | High | Credential access |
| Network mapping reconnaissance (DNS) | Reconnaissance using DNS | 2007 | Medium | Discovery |
| Remote code execution attempt | Remote code execution attempt | 2019 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Remote code execution over DNS | NA | 2036 | Medium | Privilege escalation, Lateral movement |
| Security principal reconnaissance (LDAP) | NA | 2038 | Medium | Credential access |
| Suspected brute force attack (Kerberos, NTLM) | Suspicious authentication failures | 2023 | Medium | Credential access |
| Suspected brute force attack (LDAP) | Brute force attack using LDAP simple bind | 2004 | Medium | Credential access |
| Suspected brute force attack (SMB) | Unusual protocol implementation (potential use of malicious tools such as Hydra) | 2033 | Medium | Lateral movement |
| Suspected DCShadow attack (domain controller promotion) | Suspicious domain controller promotion (potential DCShadow attack) | 2028 | High | Defense evasion |
| Suspected DCShadow attack (domain controller replication request) | Suspicious domain controller replication request (potential DCShadow attack) | 2029 | High | Defense evasion |
| Suspected DCSync attack (replication of directory services) | Malicious replication of directory services | 2006 | High | Persistence, Credential access |
| Suspected Golden Ticket usage (encryption downgrade) | Encryption downgrade activity (potential golden ticket attack) | 2009 | Medium | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (forged authorization data) | Privilege escalation using forged authorization data | 2013 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (nonexistent account) | Kerberos Golden Ticket - nonexistent account | 2027 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (ticket anomaly) | NA | 2032 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (time anomaly) | Kerberos Golden Ticket - time anomaly | 2022 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected identity theft (pass-the-hash) | Identity theft using Pass-the-Hash attack | 2017 | High | Lateral movement |
| Suspected identity theft (pass-the-ticket) | Identity theft using Pass-the-Ticket attack | 2018 | High or Medium | Lateral movement |
| Suspected NTLM authentication tampering | NA | 2039 | Medium | Privilege escalation, Lateral movement |
| Suspected NTLM relay attack | NA | 2037 | Medium, or Low if observed using the signed NTLM v2 protocol | Privilege escalation, Lateral movement |
| Suspected over-pass-the-hash attack (encryption downgrade) | Encryption downgrade activity (potential overpass-the-hash attack) | 2008 | Medium | Lateral movement |
| Suspected overpass-the-hash attack (Kerberos) | Unusual Kerberos protocol implementation (potential overpass-the-hash attack) | 2002 | Medium | Lateral movement |
| Suspected skeleton key attack (encryption downgrade) | Encryption downgrade activity (potential skeleton key attack) | 2010 | Medium | Lateral movement, Persistence |
| Suspected use of Metasploit hacking framework | Unusual protocol implementation (potential use of Metasploit hacking tools) | 2034 | Medium | Lateral movement |
| Suspected WannaCry ransomware attack | Unusual protocol implementation (potential WannaCry ransomware attack) | 2035 | Medium | Lateral movement |
| Suspicious communication over DNS | Suspicious communication over DNS | 2031 | Medium | Exfiltration |
| Suspicious additions to sensitive groups | Suspicious additions to sensitive groups | 2024 | Medium | Credential access, Persistence |
| Suspicious service creation | Suspicious service creation | 2026 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Suspicious VPN connection | Suspicious VPN connection | 2025 | Medium | Persistence, Defense evasion |
| User and group membership reconnaissance (SAMR) | Reconnaissance using directory services queries | 2021 | Medium | Discovery |
| User and IP address reconnaissance (SMB) | Reconnaissance using SMB Session Enumeration | 2012 | Medium | Discovery |
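The following is an added example, not Microsoft's code, showing why the recommendation above matters for automation: a triage rule keyed on the alert display name stops matching once an alert is renamed, while a rule keyed on the external ID keeps working across both naming generations. The catalogue rows are a subset of the mapping table on this page; the alert records and the field names `externalId` and `title` are constructed for the demonstration and are assumptions about an export format, not a documented schema.

```python
"""Handle Azure ATP alerts by their permanent external ID instead of display name.

Added example (not Microsoft's code). Catalogue rows are copied from the mapping
table on this page; the alert records below are constructed, and the field names
"externalId" and "title" are assumed, not a documented schema.
"""
from typing import Dict, List, Optional, Set, Tuple

# external ID -> (new name, previous name, severity); subset of the page's table
ALERT_CATALOG: Dict[int, Tuple[str, str, str]] = {
    2003: ("Account enumeration reconnaissance",
           "Reconnaissance using account enumeration", "Medium"),
    2006: ("Suspected DCSync attack (replication of directory services)",
           "Malicious replication of directory services", "High"),
    2017: ("Suspected identity theft (pass-the-hash)",
           "Identity theft using Pass-the-Hash attack", "High"),
    2023: ("Suspected brute force attack (Kerberos, NTLM)",
           "Suspicious authentication failures", "Medium"),
}

# Reverse index: any known display name (old or new), lower-cased -> external ID.
_NAME_INDEX: Dict[str, int] = {
    name.lower(): ext_id
    for ext_id, (new_name, old_name, _severity) in ALERT_CATALOG.items()
    for name in (new_name, old_name)
}


def external_id_of(alert: dict) -> Optional[int]:
    """Return the permanent external ID of an alert record.

    Prefers the "externalId" field when present; otherwise falls back to matching
    the title against both naming generations. Returns None for unknown alerts so
    the caller decides how to treat them instead of silently dropping them.
    """
    ext = alert.get("externalId")
    if ext is not None:
        try:
            return int(ext)
        except (TypeError, ValueError):
            return None
    title = str(alert.get("title", "")).strip().lower()
    return _NAME_INDEX.get(title)


def select_by_name(alerts: List[dict], names: Set[str]) -> List[dict]:
    """Fragile rule: match on display name. Breaks as soon as an alert is renamed."""
    wanted = {n.lower() for n in names}
    return [a for a in alerts if str(a.get("title", "")).lower() in wanted]


def select_by_external_id(alerts: List[dict], ids: Set[int]) -> List[dict]:
    """Stable rule: match on external ID, which survives renames."""
    return [a for a in alerts if external_id_of(a) in ids]


# Constructed alert records: the same DCSync detection as exported before and
# after the version 2.56 rename, plus two unrelated alerts (one missing its ID).
SAMPLE_ALERTS = [
    {"externalId": 2006, "title": "Malicious replication of directory services"},
    {"externalId": 2006, "title": "Suspected DCSync attack (replication of directory services)"},
    {"title": "Identity theft using Pass-the-Hash attack"},  # externalId absent in this record
    {"externalId": 2003, "title": "Account enumeration reconnaissance"},
]


def demo() -> Dict[str, int]:
    """Run both selection strategies over the sample and return the match counts."""
    by_name = select_by_name(SAMPLE_ALERTS, {"Malicious replication of directory services"})
    by_id = select_by_external_id(SAMPLE_ALERTS, {2006})
    return {"name_rule_matches": len(by_name), "id_rule_matches": len(by_id)}


if __name__ == "__main__":
    # The name rule sees only the pre-rename record; the ID rule sees both.
    print(demo())
```

Keeping a reverse index over both the old and new names is only a bridge for exports that lack the ID; the durable key in any rule, ticket template or suppression list should be the external ID itself.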

Note

To disable any security alert, contact support.

See Also