EXPLORE DETECTIONS

3,270 detections found

Azure Keyvault Secrets Modified or Deleted

Identifies when secrets are modified or deleted in Azure.

T1552, T1552.001
Sigma · medium

Azure Kubernetes Admission Controller

Identifies when an admission controller is executed in Azure Kubernetes. A Kubernetes admission controller intercepts, and possibly modifies, requests to the Kubernetes API server. Its behavior is determined by an admission webhook (MutatingAdmissionWebhook or ValidatingAdmissionWebhook) that the user deploys in the cluster. An adversary can use a MutatingAdmissionWebhook to obtain persistence in the cluster: for example, by intercepting and modifying pod creation operations so that a malicious container is added to every created pod. An adversary can also use a ValidatingAdmissionWebhook to obtain access credentials, since the webhook can intercept requests to the API server and record secrets and other sensitive information.

T1078, T1552, T1552.007
Sigma · medium

Azure Kubernetes Cluster Created or Deleted

Detects when an Azure Kubernetes Cluster is created or deleted.

T1485, T1496, T1489
Sigma · low

Azure Kubernetes CronJob

Identifies when an Azure Kubernetes CronJob runs in Azure Cloud. A Kubernetes Job is a controller that creates one or more pods and ensures that a specified number of them terminate successfully. Jobs can be used to run containers that perform finite tasks, such as batch jobs. A Kubernetes CronJob is used to schedule Jobs. An adversary may use a Kubernetes CronJob to schedule execution of malicious code that would run as a container in the cluster.

T1053.003
Sigma · medium

Azure Kubernetes Events Deleted

Detects when Events are deleted in Azure Kubernetes. An adversary may delete events in Azure Kubernetes in an attempt to evade detection.

T1685
Sigma · medium

Azure Kubernetes Network Policy Change

Identifies when an Azure Kubernetes network policy is modified or deleted.

T1485, T1496, T1489
Sigma · medium

Azure Kubernetes Pods Deleted

Identifies the deletion of Azure Kubernetes Pods.

Sigma · medium

Azure Kubernetes RoleBinding/ClusterRoleBinding Modified and Deleted

Detects the creation or patching of a potentially malicious RoleBinding/ClusterRoleBinding.

T1485, T1496, T1489
Sigma · medium

Azure Kubernetes Secret or Config Object Access

Identifies when a Kubernetes account accesses sensitive objects such as configmaps or secrets.

T1485, T1496, T1489
Sigma · medium

Azure Kubernetes Sensitive Role Access

Identifies when ClusterRoles/Roles are being modified or deleted.

T1485, T1496, T1489
Sigma · medium

Azure Kubernetes Service Account Modified or Deleted

Identifies when a service account is modified or deleted.

T1531, T1485, T1496, T1489
Sigma · medium

Azure Login Bypassing Conditional Access Policies

Detects a successful login to the Microsoft Intune Company Portal, which could allow bypassing Conditional Access Policies and Intune device trust using a tool like TokenSmith.

T1078
Sigma · high

Azure Network Firewall Policy Modified or Deleted

Identifies when a Firewall Policy is modified or deleted.

T1686.001
Sigma · medium

Azure Network Security Configuration Modified or Deleted

Identifies when a network security configuration is modified or deleted.

Sigma · medium

Azure New CloudShell Created

Identifies when a new Cloud Shell is created inside the Azure portal.

T1059
Sigma · medium

Azure Owner Removed From Application or Service Principal

Identifies when an owner was removed from an application or service principal in Azure.

Sigma · medium

Azure Point-to-site VPN Modified or Deleted

Identifies when a Point-to-site VPN is modified or deleted.

Sigma · medium

Azure Service Principal Created

Identifies when a service principal is created in Azure.

Sigma · medium

Azure Service Principal Removed

Identifies when a service principal was removed in Azure.

Sigma · medium

Azure Sign-In With Axios User Agent

Detects sign-in attempts in Azure/Entra ID logs where the user agent contains "axios", indicating potential use of automated credential harvesting or AiTM phishing infrastructure. Axios is a Node.js HTTP client abused to intercept and replay stolen credentials and MFA tokens. When triaging results, analysts should:
- Check the sign-in risk level, MFA status, and conditional access results for signs of bypass.
- Look for sign-ins from unusual locations or IPs, especially if the same IP targets multiple accounts.
- Prioritize successful sign-ins over failed ones, as they may indicate a completed credential replay or AiTM attack.

T1557
Sigma · low

Azure Subscription Permission Elevation Via ActivityLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

T1078.004
Sigma · high

Azure Subscription Permission Elevation Via AuditLogs

Detects when a user has been elevated to manage all Azure Subscriptions. This change should be investigated immediately if it isn't planned. This setting could allow an attacker access to Azure subscriptions in your environment.

T1078
Sigma · high

Azure Suppression Rule Created

Identifies when a suppression rule is created in Azure. Adversaries could attempt this to evade detection.

Sigma · medium

Azure Unusual Authentication Interruption

Detects when there is an interruption in the authentication process.

T1078
Sigma · medium

Page 10 of 137