EXPLORE DETECTIONS
Attempt to Reset MFA Factors for an Okta User Account
Detects attempts to reset an Okta user's enrolled multi-factor authentication (MFA) factors. An adversary may attempt to reset the MFA factors for an Okta user's account in order to register new MFA factors and abuse the account to blend in with normal activity in the victim's environment.
Attempt to Revoke Okta API Token
Identifies attempts to revoke an Okta API token. An adversary may attempt to revoke or delete an Okta API token to disrupt an organization's business operations.
Attempt to Unload Elastic Endpoint Security Kernel Extension
Identifies attempts to unload the Elastic Endpoint Security kernel extension via the kextunload command.
Attempted Bypass of Okta MFA
Detects attempts to bypass Okta multi-factor authentication (MFA). An adversary may attempt to bypass the Okta MFA policies configured for an organization in order to obtain unauthorized access to an application.
Attempts of Kerberos Coercion Via DNS SPN Spoofing
Detects the presence of "UWhRC....AAYBAAAA" pattern in command line. The pattern "1UWhRCAAAAA..BAAAA" is a base64-encoded signature that corresponds to a marshaled CREDENTIAL_TARGET_INFORMATION structure. Attackers can use this technique to coerce authentication from victim systems to attacker-controlled hosts. It is one of the strong indicators of a Kerberos coercion attack, where adversaries manipulate DNS records to spoof Service Principal Names (SPNs) and redirect authentication requests like in CVE-2025-33073. If you see this pattern in the command line, it is likely an attempt to add spoofed Service Principal Names (SPNs) to DNS records, or checking for the presence of such records through the `nslookup` command.
Attempts to Brute Force an Okta User Account
Identifies when an Okta user account is locked out 3 times within a 3 hour window. An adversary may attempt a brute force or password spraying attack to obtain unauthorized access to user accounts. The default Okta authentication policy ensures that a user account is locked out after 10 failed authentication attempts.
Atypical Travel
Identifies two sign-ins originating from geographically distant locations, where at least one of the locations may also be atypical for the user, given past behavior.
Audio Capture
Detects attempts to record audio using the arecord and ecasound utilities.
Audio Capture via PowerShell
Detects audio capture via PowerShell Cmdlet.
Audio Capture via SoundRecorder
Detect attacker collecting audio via SoundRecorder application.
Audit CVE Event
Detects events generated by user-mode applications when they call the CveEventWrite API when a known vulnerability is trying to be exploited. MS started using this log in Jan. 2020 with CVE-2020-0601 (a Windows CryptoAPI vulnerability. Unfortunately, that is about the only instance of CVEs being written to this log.
Audit Justifications for PIM Requests
This query looks at the justification descriptions given for approval per role. use this to check users are PIM'ing up for the right roles for the right tasks
Audit Logic Apps with Office365 Connections using Resource Query
Credit: santisq
Audit Mandatory Office Days using Advanced Hunting
Success only
Audit Policy Tampering Via Auditpol
Threat actors can use auditpol binary to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Audit Policy Tampering Via NT Resource Kit Auditpol
Threat actors can use an older version of the auditpol binary available inside the NT resource kit to change audit policy configuration to impair detection capability. This can be carried out by selectively disabling/removing certain audit policies as well as restoring a custom policy owned by the threat actor.
Audit RBAC Changes Defender XDR
The query below can be used to monitor RBAC changes in Defender XDR. This query list additions, deletions and changes, if you only want to monitor specific actions you can enhance the query by filtering on the actiontype.
Audit Rules Deleted Via Auditctl
Detects the execution of 'auditctl' with the '-D' command line parameter, which deletes all configured audit rules and watches on Linux systems. This technique is commonly used by attackers to disable audit logging and cover their tracks by removing monitoring capabilities. Removal of audit rules can significantly impair detection of malicious activities on the affected system.
Audit User Marked as Compromised By Admin or App
Person who did the confirm Compromise. It may be an app
Audit User tries to change password to a non-complying password
use to tune threshold
Audit when PIM fails to remove an eligible member from role
Original Source: https://azurewithtom.com/posts/MSRC-Case-When-Temporary-Global-Admin-Rights-Don-t-Expire-in-Microsoft-Entra-PIM/
Auditing Configuration Changes on Linux Host
Detect changes in auditd configuration files
Authentication via Unusual PAM Grantor
This rule detects successful authentications via PAM grantors that are not commonly used. This could indicate an attacker is attempting to escalate privileges or maintain persistence on the system by modifying the default PAM configuration.
Authentications To Important Apps Using Single Factor Authentication
Detect when authentications to important application(s) only required single-factor authentication