Azure ATP Security Alerts

Note

The Azure ATP features explained on this page are also accessible using the new portal.

Azure ATP security alerts explain the suspicious activities detected by Azure ATP sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Azure ATP security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

  1. Reconnaissance phase alerts
  2. Compromised credential phase alerts
  3. Lateral movement phase alerts
  4. Domain dominance phase alerts
  5. Exfiltration phase alerts

To learn more about the structure and common components of all Azure ATP security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

The following table lists the mapping between alert names, their corresponding unique external IDs, and their Microsoft Cloud App Security alert IDs. In scripts or automation, Microsoft recommends keying on the alert external ID rather than the alert name: only the external ID is permanent and not subject to change, whereas alert names may be reworded between releases.

| New security alert name | Unique external ID | Severity | MITRE ATT&CK Matrix™ |
|---|---|---|---|
| Account enumeration reconnaissance | 2003 | Medium | Discovery |
| Data exfiltration over SMB | 2030 | High | Exfiltration, Lateral movement, Command and control |
| Honeytoken activity | 2014 | Medium | Credential access, Discovery |
| Malicious request of Data Protection API master key | 2020 | High | Credential access |
| Network mapping reconnaissance (DNS) | 2007 | Medium | Discovery |
| Remote code execution attempt | 2019 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Remote code execution over DNS | 2036 | Medium | Privilege escalation, Lateral movement |
| Security principal reconnaissance (LDAP) | 2038 | Medium | Credential access |
| Suspected brute force attack (Kerberos, NTLM) | 2023 | Medium | Credential access |
| Suspected brute force attack (LDAP) | 2004 | Medium | Credential access |
| Suspected brute force attack (SMB) | 2033 | Medium | Lateral movement |
| Suspected DCShadow attack (domain controller promotion) | 2028 | High | Defense evasion |
| Suspected DCShadow attack (domain controller replication request) | 2029 | High | Defense evasion |
| Suspected DCSync attack (replication of directory services) | 2006 | High | Persistence, Credential access |
| Suspected Golden Ticket usage (encryption downgrade) | 2009 | Medium | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (forged authorization data) | 2013 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (nonexistent account) | 2027 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (ticket anomaly) | 2032 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected Golden Ticket usage (time anomaly) | 2022 | High | Privilege escalation, Lateral movement, Persistence |
| Suspected identity theft (pass-the-hash) | 2017 | High | Lateral movement |
| Suspected identity theft (pass-the-ticket) | 2018 | High or Medium | Lateral movement |
| Suspected NTLM authentication tampering | 2039 | Medium | Privilege escalation, Lateral movement |
| Suspected NTLM relay attack | 2037 | Medium, or Low if observed using the signed NTLM v2 protocol | Privilege escalation, Lateral movement |
| Suspected over-pass-the-hash attack (encryption downgrade) | 2008 | Medium | Lateral movement |
| Suspected overpass-the-hash attack (Kerberos) | 2002 | Medium | Lateral movement |
| Suspected skeleton key attack (encryption downgrade) | 2010 | Medium | Lateral movement, Persistence |
| Suspected use of Metasploit hacking framework | 2034 | Medium | Lateral movement |
| Suspected WannaCry ransomware attack | 2035 | Medium | Lateral movement |
| Suspicious additions to sensitive groups | 2024 | Medium | Credential access, Persistence |
| Suspicious communication over DNS | 2031 | Medium | Exfiltration |
| Suspicious service creation | 2026 | Medium | Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement |
| Suspicious VPN connection | 2025 | Medium | Persistence, Defense evasion |
| User and group membership reconnaissance (SAMR) | 2021 | Medium | Discovery |
| User and IP address reconnaissance (SMB) | 2012 | Medium | Discovery |
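The following is an added example (not Microsoft's code) of the recommendation above: a triage helper that resolves severity and MITRE tactics from the external ID in the table, so that a reworded alert title still maps correctly, and that flags hosts whose alerts span an early and a late kill-chain phase. The alert record fields (externalId, title, host) and the sample alerts are constructed for this example, not Azure ATP's schema.

```python
from collections import Counter

# Subset of this page's mapping table: external ID -> (alert name, severity, MITRE tactics).
# The external ID is the stable key; the display name may be reworded between releases.
ALERTS_BY_ID = {
    2003: ("Account enumeration reconnaissance", "Medium", ("Discovery",)),
    2006: ("Suspected DCSync attack (replication of directory services)", "High",
           ("Persistence", "Credential access")),
    2017: ("Suspected identity theft (pass-the-hash)", "High", ("Lateral movement",)),
    2030: ("Data exfiltration over SMB", "High",
           ("Exfiltration", "Lateral movement", "Command and control")),
    2037: ("Suspected NTLM relay attack", "Medium", ("Privilege escalation", "Lateral movement")),
}
EARLY_PHASE = {"Discovery", "Credential access"}
LATE_PHASE = {"Lateral movement", "Exfiltration", "Command and control"}

# Constructed sample alerts; field names (externalId, title, host) are assumed, not Microsoft's.
# The second record carries an older wording of its title: matching on name would miss it.
SAMPLE_ALERTS = [
    {"externalId": 2003, "title": "Account enumeration reconnaissance", "host": "WS01"},
    {"externalId": 2017, "title": "Identity theft using pass-the-hash attack", "host": "WS01"},
    {"externalId": 2030, "title": "Data exfiltration over SMB", "host": "WS01"},
    {"externalId": 9999, "title": "Alert this script has no mapping for", "host": "SRV02"},
]

def enrich(alert):
    """Resolve severity and tactics from the external ID alone; the title is not consulted."""
    entry = ALERTS_BY_ID.get(alert["externalId"])
    if entry is None:  # unknown ID: keep the record, but mark it so the mapping gets updated
        return {**alert, "known": False, "canonicalName": None, "severity": None, "tactics": ()}
    name, severity, tactics = entry
    return {**alert, "known": True, "canonicalName": name, "severity": severity, "tactics": tactics}

def triage(alerts):
    """Summarise a batch: tactic counts, hosts with High alerts, IDs missing from the map,
    and hosts whose alerts span an early (recon/credential) and a late kill-chain phase."""
    enriched = [enrich(a) for a in alerts]
    tactics = Counter(t for a in enriched for t in a["tactics"])
    phases_per_host = {}
    for a in enriched:
        phases_per_host.setdefault(a["host"], set()).update(a["tactics"])
    return {
        "tactics": dict(tactics),
        "high_hosts": sorted({a["host"] for a in enriched if a["severity"] == "High"}),
        "unknown_ids": sorted({a["externalId"] for a in enriched if not a["known"]}),
        "escalate": sorted(h for h, p in phases_per_host.items()
                           if p & EARLY_PHASE and p & LATE_PHASE),
    }
```

Running `triage(SAMPLE_ALERTS)` reports WS01 for escalation (Discovery followed by Lateral movement and Exfiltration on one host) and lists 9999 as an ID the mapping does not yet cover.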