Microsoft Defender for Identity Security Alerts

10/27/2020
4 minutes to read

Note

The Microsoft Defender for Identity features explained on this page are also accessible using the new portal.

Microsoft Defender for Identity security alerts explain the suspicious activities detected by Defender for Identity sensors on your network, and the actors and computers involved in each threat. Alert evidence lists contain direct links to the involved users and computers, to help make your investigations easy and direct.

Defender for Identity security alerts are divided into the following categories or phases, like the phases seen in a typical cyber-attack kill chain. Learn more about each phase, the alerts designed to detect each attack, and how to use the alerts to help protect your network using the following links:

To learn more about the structure and common components of all Defender for Identity security alerts, see Understanding security alerts.

Security alert name mapping and unique external IDs

The following table lists the mapping between alert names, their corresponding unique external IDs, and their Microsoft Cloud App Security alert IDs. When used with scripts or automation, Microsoft recommends use of alert external IDs in place of alert names, as only security alert external IDs are permanent, and not subject to change.

External IDs
Cloud App Security IDs

Security alert name	Unique external ID	Severity	MITRE ATT&CK Matrix™
Account enumeration reconnaissance	2003	Medium	Discovery
Active Directory attributes reconnaissance (LDAP)	2210	Medium	Discovery
Data exfiltration over SMB	2030	High	Exfiltration, Lateral movement, Command and control
Honeytoken activity	2014	Medium	Credential access, Discovery
Malicious request of Data Protection API master key	2020	High	Credential access
Network mapping reconnaissance (DNS)	2007	Medium	Discovery
Remote code execution attempt	2019	Medium	Execution, Persistence, Privilege escalation, Defense evasion, Lateral movement
Remote code execution over DNS	2036	Medium	Privilege escalation, Lateral movement
Security principal reconnaissance (LDAP)	2038	Medium	Credential access
Suspected Brute Force attack (Kerberos, NTLM)	2023	Medium	Credential access
Suspected Brute Force attack (LDAP)	2004	Medium	Credential access
Suspected Brute Force attack (SMB)	2033	Medium	Lateral movement
Suspected DCShadow attack (domain controller promotion)	2028	High	Defense evasion
Suspected DCShadow attack (domain controller replication request)	2029	High	Defense evasion
Suspected DCSync attack (replication of directory services)	2006	High	Persistence, Credential access
Suspected Golden Ticket usage (encryption downgrade)	2009	Medium	Privilege Escalation, Lateral movement, Persistence
Suspected Golden Ticket usage (forged authorization data)	2013	High	Privilege escalation, Lateral movement, Persistence
Suspected Golden Ticket usage (nonexistent account)	2027	High	Privilege Escalation, Lateral movement, Persistence
Suspected Golden Ticket usage (ticket anomaly)	2032	High	Privilege Escalation, Lateral movement, Persistence
Suspected Golden Ticket usage (ticket anomaly using RBCD)	2040	High	Persistence
Suspected Golden Ticket usage (time anomaly)	2022	High	Privilege Escalation, Lateral movement, Persistence
Suspected identity theft (pass-the-hash)	2017	High	Lateral movement
Suspected identity theft (pass-the-ticket)	2018	High or Medium	Lateral movement
Suspected Kerberos SPN exposure (external ID 2410)	2410	High	Credential access
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)	2411	High	Privilege Escalation
Suspected NTLM authentication tampering	2039	Medium	Privilege escalation, Lateral movement
Suspected NTLM relay attack	2037	Medium or Low if observed using signed NTLM v2 protocol	Privilege escalation, Lateral movement
Suspected overpass-the-hash attack (Kerberos)	2002	Medium	Lateral movement
Suspected rogue Kerberos certificate usage	2047	High	Lateral movement
Suspected Skeleton Key attack (encryption downgrade)	2010	Medium	Lateral movement, Persistence
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) - (preview)	2406	High	Lateral movement
Suspected use of Metasploit hacking framework	2034	Medium	Lateral movement
Suspected WannaCry ransomware attack	2035	Medium	Lateral movement
Suspicious additions to sensitive groups	2024	Medium	Credential access, Persistence
Suspicious communication over DNS	2031	Medium	Exfiltration
Suspicious service creation	2026	Medium	Execution, Persistence, Privilege Escalation, Defense evasion, Lateral movement
Suspicious VPN connection	2025	Medium	Persistence, Defense evasion
User and Group membership reconnaissance (SAMR)	2021	Medium	Discovery
User and IP address reconnaissance (SMB)	2012	Medium	Discovery

Security alert name	Cloud App Security alert ID
Account enumeration reconnaissance	ALERT_EXTERNAL_AATP_ACCOUNT_ENUMERATION_SECURITY_ALERT
Active Directory attributes reconnaissance (LDAP)	ALERT_EXTERNAL_AATP_LDAP_SENSITIVE_ATTRIBUTE_RECONNAISSANCE_SECURITY_ALERT
Data exfiltration over SMB	ALERT_EXTERNAL_AATP_SMB_DATA_EXFILTRATION_SECURITY_ALERT
Honeytoken activity	ALERT_EXTERNAL_AATP_HONEYTOKEN_ACTIVITY_SECURITY_ALERT
Malicious request of Data Protection API master key	ALERT_EXTERNAL_AATP_RETRIEVE_DATA_PROTECTION_BACKUP_KEY_SECURITY_ALERT
Network mapping reconnaissance (DNS)	ALERT_EXTERNAL_AATP_DNS_RECONNAISSANCE_SECURITY_ALERT
Remote code execution attempt	ALERT_EXTERNAL_AATP_REMOTE_EXECUTION_SECURITY_ALERT
Remote code execution over DNS	ALERT_EXTERNAL_AATP_DNS_REMOTE_CODE_EXECUTION_SECURITY_ALERT
Security principal reconnaissance (LDAP)	ALERT_EXTERNAL_AATP_LDAP_SEARCH_RECONNAISSANCE_SECURITY_ALERT
Suspected Brute Force attack (Kerberos, NTLM)	ALERT_EXTERNAL_AATP_BRUTE_FORCE_SECURITY_ALERT
Suspected Brute Force attack (LDAP)	ALERT_EXTERNAL_AATP_LDAP_BRUTE_FORCE_SECURITY_ALERT
Suspected Brute Force attack (SMB)	ALERT_EXTERNAL_AATP_ABNORMAL_SMB_BRUTE_FORCE_SECURITY_ALERT
Suspected DCShadow attack (domain controller promotion)	ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_ROGUE_PROMOTION_SECURITY_ALERT
Suspected DCShadow attack (domain controller replication request)	ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_ROGUE_REPLICATION_SECURITY_ALERT
Suspected DCSync attack (replication of directory services)	ALERT_EXTERNAL_AATP_DIRECTORY_SERVICES_REPLICATION_SECURITY_ALERT
Suspected Golden Ticket usage (encryption downgrade)	ALERT_EXTERNAL_AATP_GOLDEN_TICKET_ENCRYPTION_DOWNGRADE_SECURITY_ALERT
Suspected Golden Ticket usage (forged authorization data)	ALERT_EXTERNAL_AATP_FORGED_PAC_SECURITY_ALERT
Suspected Golden Ticket usage (nonexistent account)	ALERT_EXTERNAL_AATP_FORGED_PRINCIPAL_SECURITY_ALERT
Suspected Golden Ticket usage (ticket anomaly)	ALERT_EXTERNAL_AATP_GOLDEN_TICKET_SIZE_ANOMALY_SECURITY_ALERT
Suspected Golden Ticket usage (ticket anomaly using RBCD)	ALERT_EXTERNAL_AATP_RESOURCE_BASED_CONSTRAINED_DELEGATION_GOLDEN_TICKET_SECURITY_ALERT
Suspected Golden Ticket usage (time anomaly)	ALERT_EXTERNAL_AATP_GOLDEN_TICKET_SECURITY_ALERT
Suspected identity theft (pass-the-hash)	ALERT_EXTERNAL_AATP_PASS_THE_HASH_SECURITY_ALERT
Suspected identity theft (pass-the-ticket)	ALERT_EXTERNAL_AATP_PASS_THE_TICKET_SECURITY_ALERT
Suspected Kerberos SPN exposure (external ID 2410)	ALERT_EXTERNAL_AATP_KERBEROASTING_SECURITY_ALERT
Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation)	ALERT_EXTERNAL_AATP_NETLOGON_BYPASS_SECURITY_ALERT
Suspected NTLM authentication tampering	ALERT_EXTERNAL_AATP_ABNORMAL_NTLM_SIGNING_SECURITY_ALERT
Suspected NTLM relay attack	ALERT_EXTERNAL_AATP_NTLM_RELAY_SECURITY_ALERT
Suspected overpass-the-hash attack (Kerberos)	ALERT_EXTERNAL_AATP_ABNORMAL_KERBEROS_OVERPASS_THE_HASH_SECURITY_ALERT
Suspected rogue Kerberos certificate usage	ALERT_EXTERNAL_AATP_ROGUE_CERTIFICATE_USAGE_SECURITY_ALERT
Suspected Skeleton Key attack (encryption downgrade)	ALERT_EXTERNAL_AATP_SKELETON_KEY_ENCRYPTION_DOWNGRADE_SECURITY_ALERT
Suspected SMB packet manipulation (CVE-2020-0796 exploitation) - (preview)	ALERT_EXTERNAL_AATP_SMB_GHOST_SECURITY_ALERT
Suspected use of Metasploit hacking framework	ALERT_EXTERNAL_AATP_ABNORMAL_SMB_METASPLOIT_SECURITY_ALERT
Suspected WannaCry ransomware attack	ALERT_EXTERNAL_AATP_ABNORMAL_SMB_WANNA_CRY_SECURITY_ALERT
Suspicious additions to sensitive groups	ALERT_EXTERNAL_AATP_ABNORMAL_SENSITIVE_GROUP_MEMBERSHIP_CHANGE_SECURITY_ALERT
Suspicious communication over DNS	ALERT_EXTERNAL_AATP_DNS_SUSPICIOUS_COMMUNICATION_SECURITY_ALERT
Suspicious service creation	ALERT_EXTERNAL_AATP_MALICIOUS_SERVICE_CREATION_SECURITY_ALERT
Suspicious VPN connection	ALERT_EXTERNAL_AATP_ABNORMAL_VPN_SECURITY_ALERT
User and Group membership reconnaissance (SAMR)	ALERT_EXTERNAL_AATP_SAMR_RECONNAISSANCE_SECURITY_ALERT
User and IP address reconnaissance (SMB)	ALERT_EXTERNAL_AATP_ENUMERATE_SESSIONS_SECURITY_ALERT

Note

To disable any security alert, contact support.

Microsoft Defender for Identity Security Alerts

Security alert name mapping and unique external IDs

See Also

Is this page helpful?

Feedback

Is this page helpful?