Anomalies detected by the Microsoft Sentinel machine learning engine
This article lists the anomalies that Microsoft Sentinel detects using different machine learning models.
Anomaly detection works by analyzing the behavior of users in an environment over a period of time and constructing a baseline of legitimate activity. Once the baseline is established, any activity outside the normal parameters is considered anomalous and therefore suspicious.
Microsoft Sentinel uses two different models to create baselines and detect anomalies.
Note
The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
- Domain Reputation Palo Alto anomaly
- Multi-region logins in a single day via Palo Alto GlobalProtect
Important
Microsoft Sentinel is available as part of the public preview for the unified security operations platform in the Microsoft Defender portal. For more information, see Microsoft Sentinel in the Microsoft Defender portal.
UEBA anomalies
Sentinel UEBA detects anomalies based on dynamic baselines created for each entity across various data inputs. Each entity's baseline behavior is set according to its own historical activities, those of its peers, and those of the organization as a whole. Anomalies can be triggered by the correlation of different attributes such as action type, geo-location, device, resource, ISP, and more.
You must enable the UEBA feature for UEBA anomalies to be detected.
- Anomalous Account Access Removal
- Anomalous Account Creation
- Anomalous Account Deletion
- Anomalous Account Manipulation
- Anomalous Code Execution (UEBA)
- Anomalous Data Destruction
- Anomalous Defensive Mechanism Modification
- Anomalous Failed Sign-in
- Anomalous Password Reset
- Anomalous Privilege Granted
- Anomalous Sign-in
Anomalous Account Access Removal
Description: An attacker may interrupt the availability of system and network resources by blocking access to accounts used by legitimate users. The attacker might delete, lock, or manipulate an account (for example, by changing its credentials) to remove access to it.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Microsoft.Authorization/roleAssignments/delete Log Out |
Back to UEBA anomalies list | Back to top
Anomalous Account Creation
Description: Adversaries may create an account to maintain access to targeted systems. With a sufficient level of access, creating such accounts may be used to establish secondary credentialed access without requiring persistent remote access tools to be deployed on the system.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1136 - Create Account |
| MITRE ATT&CK sub-techniques: | Cloud Account |
| Activity: | Core Directory/UserManagement/Add user |
Back to UEBA anomalies list | Back to top
Anomalous Account Deletion
Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Core Directory/UserManagement/Delete user Core Directory/Device/Delete user Core Directory/UserManagement/Delete user |
Back to UEBA anomalies list | Back to top
Anomalous Account Manipulation
Description: Adversaries may manipulate accounts to maintain access to target systems. These actions include adding new accounts to high-privileged groups. Dragonfly 2.0, for example, added newly created accounts to the administrators group to maintain elevated access. The query below generates an output of all high-Blast Radius users performing "Update user" (name change) to privileged role, or ones that changed users for the first time.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1098 - Account Manipulation |
| Activity: | Core Directory/UserManagement/Update user |
Back to UEBA anomalies list | Back to top
Anomalous Code Execution (UEBA)
Description: Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Execution |
| MITRE ATT&CK techniques: | T1059 - Command and Scripting Interpreter |
| MITRE ATT&CK sub-techniques: | PowerShell |
| Activity: | Microsoft.Compute/virtualMachines/runCommand/action |
Back to UEBA anomalies list | Back to top
Anomalous Data Destruction
Description: Adversaries may destroy data and files on specific systems or in large numbers on a network to interrupt availability to systems, services, and network resources. Data destruction is likely to render stored data irrecoverable by forensic techniques through overwriting files or data on local and remote drives.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1485 - Data Destruction |
| Activity: | Microsoft.Compute/disks/delete Microsoft.Compute/galleries/images/delete Microsoft.Compute/hostGroups/delete Microsoft.Compute/hostGroups/hosts/delete Microsoft.Compute/images/delete Microsoft.Compute/virtualMachines/delete Microsoft.Compute/virtualMachineScaleSets/delete Microsoft.Compute/virtualMachineScaleSets/virtualMachines/delete Microsoft.Devices/digitalTwins/Delete Microsoft.Devices/iotHubs/Delete Microsoft.KeyVault/vaults/delete Microsoft.Logic/integrationAccounts/delete Microsoft.Logic/integrationAccounts/maps/delete Microsoft.Logic/integrationAccounts/schemas/delete Microsoft.Logic/integrationAccounts/partners/delete Microsoft.Logic/integrationServiceEnvironments/delete Microsoft.Logic/workflows/delete Microsoft.Resources/subscriptions/resourceGroups/delete Microsoft.Sql/instancePools/delete Microsoft.Sql/managedInstances/delete Microsoft.Sql/managedInstances/administrators/delete Microsoft.Sql/managedInstances/databases/delete Microsoft.Storage/storageAccounts/delete Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete Microsoft.Storage/storageAccounts/fileServices/fileshares/files/delete Microsoft.Storage/storageAccounts/blobServices/containers/delete Microsoft.AAD/domainServices/delete |
Back to UEBA anomalies list | Back to top
Anomalous Defensive Mechanism Modification
Description: Adversaries may disable security tools to avoid possible detection of their tools and activities.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Defense Evasion |
| MITRE ATT&CK techniques: | T1562 - Impair Defenses |
| MITRE ATT&CK sub-techniques: | Disable or Modify Tools Disable or Modify Cloud Firewall |
| Activity: | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete Microsoft.Network/networkSecurityGroups/securityRules/delete Microsoft.Network/networkSecurityGroups/delete Microsoft.Network/ddosProtectionPlans/delete Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete Microsoft.Network/applicationSecurityGroups/delete Microsoft.Authorization/policyAssignments/delete Microsoft.Sql/servers/firewallRules/delete Microsoft.Network/firewallPolicies/delete Microsoft.Network/azurefirewalls/delete |
Back to UEBA anomalies list | Back to top
Anomalous Failed Sign-in
Description: Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra sign-in logs Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
| Activity: | Microsoft Entra ID: Sign-in activity Windows Security: Failed login (Event ID 4625) |
Back to UEBA anomalies list | Back to top
Anomalous Password Reset
Description: Adversaries may interrupt availability of system and network resources by inhibiting access to accounts utilized by legitimate users. Accounts may be deleted, locked, or manipulated (ex: changed credentials) to remove access to accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Impact |
| MITRE ATT&CK techniques: | T1531 - Account Access Removal |
| Activity: | Core Directory/UserManagement/User password reset |
Back to UEBA anomalies list | Back to top
Anomalous Privilege Granted
Description: Adversaries may add adversary-controlled credentials for Azure Service Principals in addition to existing legitimate credentials to maintain persistent access to victim Azure accounts.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1098 - Account Manipulation |
| MITRE ATT&CK sub-techniques: | Additional Azure Service Principal Credentials |
| Activity: | Account provisioning/Application Management/Add app role assignment to service principal |
Back to UEBA anomalies list | Back to top
Anomalous Sign-in
Description: Adversaries may steal the credentials of a specific user or service account using Credential Access techniques or capture credentials earlier in their reconnaissance process through social engineering for means of gaining Persistence.
| Attribute | Value |
|---|---|
| Anomaly type: | UEBA |
| Data sources: | Microsoft Entra sign-in logs Windows Security logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
| Activity: | Microsoft Entra ID: Sign-in activity Windows Security: Successful login (Event ID 4624) |
Back to UEBA anomalies list | Back to top
Machine learning-based anomalies
Microsoft Sentinel's customizable, machine learning-based anomalies can identify anomalous behavior with analytics rule templates that can be put to work right out of the box. While anomalies don't necessarily indicate malicious or even suspicious behavior by themselves, they can be used to improve detections, investigations, and threat hunting.
- Anomalous Microsoft Entra sign-in sessions
- Anomalous Azure operations
- Anomalous Code Execution
- Anomalous local account creation
- Anomalous scanning activity
- Anomalous user activities in Office Exchange
- Anomalous user/app activities in Azure audit logs
- Anomalous W3CIIS logs activity
- Anomalous web request activity
- Attempted computer brute force
- Attempted user account brute force
- Attempted user account brute force per login type
- Attempted user account brute force per failure reason
- Detect machine generated network beaconing behavior
- Domain generation algorithm (DGA) on DNS domains
- Domain Reputation Palo Alto anomaly (DISCONTINUED)
- Excessive data transfer anomaly
- Excessive Downloads via Palo Alto GlobalProtect
- Excessive uploads via Palo Alto GlobalProtect
- Login from an unusual region via Palo Alto GlobalProtect account logins
- Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
- Potential data staging
- Potential domain generation algorithm (DGA) on next-level DNS Domains
- Suspicious geography change in Palo Alto GlobalProtect account logins
- Suspicious number of protected documents accessed
- Suspicious volume of AWS API calls from Non-AWS source IP address
- Suspicious volume of AWS CloudTrail log events of group user account by EventTypeName
- Suspicious volume of AWS write API calls from a user account
- Suspicious volume of failed login attempts to AWS Console by each group user account
- Suspicious volume of failed login attempts to AWS Console by each source IP address
- Suspicious volume of logins to computer
- Suspicious volume of logins to computer with elevated token
- Suspicious volume of logins to user account
- Suspicious volume of logins to user account by logon types
- Suspicious volume of logins to user account with elevated token
- Unusual external firewall alarm detected
- Unusual mass downgrade AIP label
- Unusual network communication on commonly used ports
- Unusual network volume anomaly
- Unusual web traffic detected with IP in URL path
Anomalous Microsoft Entra sign-in sessions
Description: The machine learning model groups the Microsoft Entra sign-in logs on a per-user basis. The model is trained on the previous 6 days of user sign-in behavior. It indicates anomalous user sign-in sessions over the past day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Microsoft Entra sign-in logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts T1566 - Phishing T1133 - External Remote Services |
Back to Machine learning-based anomalies list | Back to top
Anomalous Azure operations
Description: This detection algorithm collects 21 days' worth of data on Azure operations grouped by user to train this ML model. The algorithm then generates anomalies in the case of users who performed sequences of operations uncommon in their workspaces. The trained ML model scores the operations performed by the user and considers anomalous those whose score is greater than the defined threshold.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1190 - Exploit Public-Facing Application |
Back to Machine learning-based anomalies list | Back to top
Anomalous Code Execution
Description: Attackers may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Activity logs |
| MITRE ATT&CK tactics: | Execution |
| MITRE ATT&CK techniques: | T1059 - Command and Scripting Interpreter |
Back to Machine learning-based anomalies list | Back to top
Anomalous local account creation
Description: This algorithm detects anomalous local account creation on Windows systems. Attackers may create local accounts to maintain access to targeted systems. This algorithm analyzes local account creation activity over the prior 14 days by users. It looks for similar activity on the current day from users who were not previously seen in historical activity. You can specify an allowlist to filter known users from triggering this anomaly.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Persistence |
| MITRE ATT&CK techniques: | T1136 - Create Account |
Back to Machine learning-based anomalies list | Back to top
Anomalous scanning activity
Description: This algorithm looks for port scanning activity, coming from a single source IP to one or more destination IPs, that is not normally seen in a given environment.
The algorithm takes into account whether the IP is public/external or private/internal, and the event is marked accordingly. Only private-to-public or public-to-private activity is considered at this time. Scanning activity can indicate an attacker attempting to determine available services in an environment that can be potentially exploited and used for ingress or lateral movement. A high number of source ports and high number of destination ports from a single source IP to either a single or multiple destination IP or IPs can be interesting and indicate anomalous scanning. Additionally, if there is a high ratio of destination IPs to the single source IP this can indicate anomalous scanning.
Configuration details:
- Job run default is daily, with hourly bins.
The algorithm uses the following configurable defaults to limit the results based on hourly bins. - Included device actions - accept, allow, start
- Excluded ports - 53, 67, 80, 8080, 123, 137, 138, 443, 445, 3389
- Distinct destination port count >= 600
- Distinct source port count >= 600
- Distinct source port count divided by distinct destination port, ratio converted to percent >= 99.99
- Source IP (always 1) divided by destination IP, ratio converted to percent >= 99.99
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN, Zscaler, CEF, CheckPoint, Fortinet) |
| MITRE ATT&CK tactics: | Discovery |
| MITRE ATT&CK techniques: | T1046 - Network Service Scanning |
Back to Machine learning-based anomalies list | Back to top
Anomalous user activities in Office Exchange
Description: This machine learning model groups the Office Exchange logs on a per-user basis into hourly buckets. We define one hour as a session. The model is trained on the previous 7 days of behavior across all regular (non-admin) users. It indicates anomalous user Office Exchange sessions in the last day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Office Activity log (Exchange) |
| MITRE ATT&CK tactics: | Persistence Collection |
| MITRE ATT&CK techniques: | Collection: T1114 - Email Collection T1213 - Data from Information Repositories Persistence: T1098 - Account Manipulation T1136 - Create Account T1137 - Office Application Startup T1505 - Server Software Component |
Back to Machine learning-based anomalies list | Back to top
Anomalous user/app activities in Azure audit logs
Description: This algorithm identifies anomalous user/app Azure sessions in audit logs for the last day, based on the behavior of the previous 21 days across all users and apps. The algorithm checks for sufficient volume of data before training the model.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Microsoft Entra audit logs |
| MITRE ATT&CK tactics: | Collection Discovery Initial Access Persistence Privilege Escalation |
| MITRE ATT&CK techniques: | Collection: T1530 - Data from Cloud Storage Object Discovery: T1087 - Account Discovery T1538 - Cloud Service Dashboard T1526 - Cloud Service Discovery T1069 - Permission Groups Discovery T1518 - Software Discovery Initial Access: T1190 - Exploit Public-Facing Application T1078 - Valid Accounts Persistence: T1098 - Account Manipulation T1136 - Create Account T1078 - Valid Accounts Privilege Escalation: T1484 - Domain Policy Modification T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Anomalous W3CIIS logs activity
Description: This machine learning algorithm indicates anomalous IIS sessions over the past day. It will capture, for example, an unusually high number of distinct URI queries, user agents, or logs in a session, or of specific HTTP verbs or HTTP statuses in a session. The algorithm identifies unusual W3CIISLog events within an hourly session, grouped by site name and client IP. The model is trained on the previous 7 days of IIS activity. The algorithm checks for sufficient volume of IIS activity before training the model.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | W3CIIS logs |
| MITRE ATT&CK tactics: | Initial Access Persistence |
| MITRE ATT&CK techniques: | Initial Access: T1190 - Exploit Public-Facing Application Persistence: T1505 - Server Software Component |
Back to Machine learning-based anomalies list | Back to top
Anomalous web request activity
Description: This algorithm groups W3CIISLog events into hourly sessions grouped by site name and URI stem. The machine learning model identifies sessions with unusually high numbers of requests that triggered 5xx-class response codes in the last day. 5xx-class codes are an indication that some application instability or error condition has been triggered by the request. They can be an indication that an attacker is probing the URI stem for vulnerabilities and configuration issues, performing some exploitation activity such as SQL injection, or leveraging an unpatched vulnerability. This algorithm uses 6 days of data for training.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | W3CIIS logs |
| MITRE ATT&CK tactics: | Initial Access Persistence |
| MITRE ATT&CK techniques: | Initial Access: T1190 - Exploit Public-Facing Application Persistence: T1505 - Server Software Component |
Back to Machine learning-based anomalies list | Back to top
Attempted computer brute force
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per computer over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force per login type
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per logon type over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Attempted user account brute force per failure reason
Description: This algorithm detects an unusually high volume of failed login attempts (security event ID 4625) per user account per failure reason over the past day. The model is trained on the previous 21 days of Windows security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Credential Access |
| MITRE ATT&CK techniques: | T1110 - Brute Force |
Back to Machine learning-based anomalies list | Back to top
Detect machine generated network beaconing behavior
Description: This algorithm identifies beaconing patterns from network traffic connection logs based on recurrent time delta patterns. Any network connection towards untrusted public networks at repetitive time deltas is an indication of malware callbacks or data exfiltration attempts. The algorithm will calculate the time delta between consecutive network connections between the same source IP and destination IP, as well as the number of connections in a time-delta sequence between the same sources and destinations. The percentage of beaconing is calculated as the connections in time-delta sequence against total connections in a day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN) |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1071 - Application Layer Protocol T1132 - Data Encoding T1001 - Data Obfuscation T1568 - Dynamic Resolution T1573 - Encrypted Channel T1008 - Fallback Channels T1104 - Multi-Stage Channels T1095 - Non-Application Layer Protocol T1571 - Non-Standard Port T1572 - Protocol Tunneling T1090 - Proxy T1205 - Traffic Signaling T1102 - Web Service |
Back to Machine learning-based anomalies list | Back to top
Domain generation algorithm (DGA) on DNS domains
Description: This machine learning model indicates potential DGA domains from the past day in the DNS logs. The algorithm applies to DNS records that resolve to IPv4 and IPv6 addresses.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | DNS Events |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1568 - Dynamic Resolution |
Back to Machine learning-based anomalies list | Back to top
Domain Reputation Palo Alto anomaly (DISCONTINUED)
Description: This algorithm evaluates the reputation for all domains seen specifically in Palo Alto firewall (PAN-OS product) logs. A high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.
Back to Machine learning-based anomalies list | Back to top
Excessive data transfer anomaly
Description: This algorithm detects unusually high data transfer observed in network logs. It uses time series to decompose the data into seasonal, trend and residual components to calculate baseline. Any sudden large deviation from the historical baseline is considered anomalous activity.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN, Zscaler, CEF, CheckPoint, Fortinet) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits T1041 - Exfiltration Over C2 Channel T1011 - Exfiltration Over Other Network Medium T1567 - Exfiltration Over Web Service T1029 - Scheduled Transfer T1537 - Transfer Data to Cloud Account |
Back to Machine learning-based anomalies list | Back to top
Excessive Downloads via Palo Alto GlobalProtect
Description: This algorithm detects unusually high volume of download per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of downloads in the past day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits T1041 - Exfiltration Over C2 Channel T1011 - Exfiltration Over Other Network Medium T1567 - Exfiltration Over Web Service T1029 - Scheduled Transfer T1537 - Transfer Data to Cloud Account |
Back to Machine learning-based anomalies list | Back to top
Excessive uploads via Palo Alto GlobalProtect
Description: This algorithm detects unusually high volume of upload per user account through the Palo Alto VPN solution. The model is trained on the previous 14 days of the VPN logs. It indicates anomalous high volume of upload in the past day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits T1041 - Exfiltration Over C2 Channel T1011 - Exfiltration Over Other Network Medium T1567 - Exfiltration Over Web Service T1029 - Scheduled Transfer T1537 - Transfer Data to Cloud Account |
Back to Machine learning-based anomalies list | Back to top
Login from an unusual region via Palo Alto GlobalProtect account logins
Description: When a Palo Alto GlobalProtect account signs in from a source region that has rarely been signed in from during the last 14 days, an anomaly is triggered. This anomaly may indicate that the account has been compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Credential Access Initial Access Lateral Movement |
| MITRE ATT&CK techniques: | T1133 - External Remote Services |
Back to Machine learning-based anomalies list | Back to top
Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
Description: This algorithm detects a user account which had sign-ins from multiple non-adjacent regions in a single day through a Palo Alto VPN.
Back to Machine learning-based anomalies list | Back to top
Potential data staging
Description: This algorithm compares the downloads of distinct files on a per-user basis from the previous week with the downloads for the current day for each user, and an anomaly is triggered when the number of downloads of distinct files exceeds the configured number of standard deviations above the mean. Currently the algorithm only analyzes files commonly seen during exfiltration of documents, images, videos and archives with the extensions doc, docx, xls, xlsx, xlsm, ppt, pptx, one, pdf, zip, rar, bmp, jpg, mp3, mp4, and mov.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Office Activity log (Exchange) |
| MITRE ATT&CK tactics: | Collection |
| MITRE ATT&CK techniques: | T1074 - Data Staged |
Back to Machine learning-based anomalies list | Back to top
Potential domain generation algorithm (DGA) on next-level DNS Domains
Description: This machine learning model indicates the next-level domains (third-level and up) of the domain names from the last day of DNS logs that are unusual. They could potentially be the output of a domain generation algorithm (DGA). The anomaly applies to the DNS records that resolve to IPv4 and IPv6 addresses.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | DNS Events |
| MITRE ATT&CK tactics: | Command and Control |
| MITRE ATT&CK techniques: | T1568 - Dynamic Resolution |
Back to Machine learning-based anomalies list | Back to top
Suspicious geography change in Palo Alto GlobalProtect account logins
Description: A match indicates that a user logged in remotely from a country/region that is different from the country/region of the user's last remote login. This rule might also indicate an account compromise, particularly if the rule matches occurred closely in time. This includes the scenario of impossible travel.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN VPN) |
| MITRE ATT&CK tactics: | Initial Access Credential Access |
| MITRE ATT&CK techniques: | T1133 - External Remote Services T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious number of protected documents accessed
Description: This algorithm detects high volume of access to protected documents in Azure Information Protection (AIP) logs. It considers AIP workload records for a given number of days and determines whether the user performed unusual access to protected documents in a day given historical behavior.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Information Protection logs |
| MITRE ATT&CK tactics: | Collection |
| MITRE ATT&CK techniques: | T1530 - Data from Cloud Storage Object T1213 - Data from Information Repositories T1005 - Data from Local System T1039 - Data from Network Shared Drive T1114 - Email Collection |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of AWS API calls from Non-AWS source IP address
Description: This algorithm detects an unusually high volume of AWS API calls per user account per workspace, from source IP addresses outside of AWS's source IP ranges, within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by source IP address. This activity may indicate that the user account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of AWS CloudTrail log events of group user account by EventTypeName
Description: This algorithm detects an unusually high volume of events per group user account, by different event types (AwsApiCall, AwsServiceEvent, AwsConsoleSignIn, AwsConsoleAction), in your AWS CloudTrail log within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by group user account. This activity may indicate that the account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of AWS write API calls from a user account
Description: This algorithm detects an unusually high volume of AWS write API calls per user account within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by user account. This activity may indicate that the account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of failed login attempts to AWS Console by each group user account
Description: This algorithm detects an unusually high volume of failed login attempts to AWS Console per group user account in your AWS CloudTrail log within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by group user account. This activity may indicate that the account is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of failed login attempts to AWS Console by each source IP address
Description: This algorithm detects an unusually high volume of failed login events to AWS Console per source IP address in your AWS CloudTrail log within the last day. The model is trained on the previous 21 days of AWS CloudTrail log events by source IP address. This activity may indicate that the IP address is compromised.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | AWS CloudTrail logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to computer
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per computer over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to computer with elevated token
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per computer, over the last day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account by logon types
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) per user account, by different logon types, over the past day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Suspicious volume of logins to user account with elevated token
Description: This algorithm detects an unusually high volume of successful logins (security event ID 4624) with administrative privileges, per user account, over the last day. The model is trained on the previous 21 days of Windows Security event logs.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Windows Security logs |
| MITRE ATT&CK tactics: | Initial Access |
| MITRE ATT&CK techniques: | T1078 - Valid Accounts |
Back to Machine learning-based anomalies list | Back to top
Unusual external firewall alarm detected
Description: This algorithm identifies unusual external firewall alarms which are threat signatures released by a firewall vendor. It uses the last 7 days' activities to calculate the 10 most triggered signatures and the 10 hosts that triggered the most signatures. After excluding both type of noisy events, it triggers an anomaly only after exceeding the threshold for the number of signatures triggered in a single day.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN) |
| MITRE ATT&CK tactics: | Discovery Command and Control |
| MITRE ATT&CK techniques: | Discovery: T1046 - Network Service Scanning T1135 - Network Share Discovery Command and Control: T1071 - Application Layer Protocol T1095 - Non-Application Layer Protocol T1571 - Non-Standard Port |
Back to Machine learning-based anomalies list | Back to top
Unusual mass downgrade AIP label
Description: This algorithm detects unusually high volume of downgrade label activity in Azure Information Protection (AIP) logs. It considers "AIP" workload records for a given number of days and determines the sequence of activity performed on documents along with the label applied to classify unusual volume of downgrade activity.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | Azure Information Protection logs |
| MITRE ATT&CK tactics: | Collection |
| MITRE ATT&CK techniques: | T1530 - Data from Cloud Storage Object T1213 - Data from Information Repositories T1005 - Data from Local System T1039 - Data from Network Shared Drive T1114 - Email Collection |
Back to Machine learning-based anomalies list | Back to top
Unusual network communication on commonly used ports
Description: This algorithm identifies unusual network communication on commonly used ports, comparing daily traffic to a baseline from the previous 7 days. This includes traffic on commonly used ports (22, 53, 80, 443, 8080, 8888), and compares daily traffic to the mean and standard deviation of several network traffic attributes calculated over the baseline period. The traffic attributes considered are daily total events, daily data transfer and number of distinct source IP addresses per port. An anomaly is triggered when the daily values are greater than the configured number of standard deviations above the mean.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN, Zscaler, CheckPoint, Fortinet) |
| MITRE ATT&CK tactics: | Command and Control Exfiltration |
| MITRE ATT&CK techniques: | Command and Control: T1071 - Application Layer Protocol Exfiltration: T1030 - Data Transfer Size Limits |
Back to Machine learning-based anomalies list | Back to top
Unusual network volume anomaly
Description: This algorithm detects unusually high volume of connections in network logs. It uses time series to decompose the data into seasonal, trend and residual components to calculate baseline. Any sudden large deviation from the historical baseline is considered as anomalous activity.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN, Zscaler, CEF, CheckPoint, Fortinet) |
| MITRE ATT&CK tactics: | Exfiltration |
| MITRE ATT&CK techniques: | T1030 - Data Transfer Size Limits |
Back to Machine learning-based anomalies list | Back to top
Unusual web traffic detected with IP in URL path
Description: This algorithm identifies unusual web requests listing an IP address as the host. The algorithm finds all web requests with IP addresses in the URL path and compares them with the previous week of data to exclude known benign traffic. After excluding known benign traffic, it triggers an anomaly only after exceeding certain thresholds with configured values such as total web requests, numbers of URLs seen with same host destination IP address, and number of distinct source IPs within the set of URLs with the same destination IP address. This type of request can indicate an attempt to bypass URL reputation services for malicious purposes.
| Attribute | Value |
|---|---|
| Anomaly type: | Customizable machine learning |
| Data sources: | CommonSecurityLog (PAN, Zscaler, CheckPoint, Fortinet) |
| MITRE ATT&CK tactics: | Command and Control Initial Access |
| MITRE ATT&CK techniques: | Command and Control: T1071 - Application Layer Protocol Initial Access: T1189 - Drive-by Compromise |
Back to Machine learning-based anomalies list | Back to top
Next steps
Learn about machine learning-generated anomalies in Microsoft Sentinel.
Learn how to work with anomaly rules.
Investigate incidents with Microsoft Sentinel.
Feedback
Coming soon: Throughout 2024 we will be phasing out GitHub Issues as the feedback mechanism for content and replacing it with a new feedback system. For more information see: https://aka.ms/ContentUserFeedback.
Submit and view feedback for