M365 Defender (Incidents & Alerts)
M365 Defender incidents aggregate related alerts into a single, comprehensive view of a potential threat. Alerts represent specific suspicious activities or behaviours, such as malware detection, phishing attempts, or unusual sign-in patterns, and each alert type helps identify and respond to a different kind of security threat. The following alerts are collected and monitored by Augmentt:
Name | Category | Severity | Description | Source | Licensing |
---|---|---|---|---|---|
Activities from suspicious user agents | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Suspicious browser | microsoft cloud app security | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Activity from a Tor IP address | microsoft cloud app security | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Activity from infrequent country | microsoft cloud app security | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Admin Submission Result Completed | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Admin triggered manual investigation of email | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Admin triggered user compromise investigation | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Admin confirmed user compromised | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Anomalous Token | anomalous token | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Token issuer anomaly | anomalous token | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Anonymous IP address | anonymous login | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Block SharePoint File Download | microsoft cloud app security | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Creation of forwarding/redirect rule | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
DLP-High volume of content detected U.S. Financial Data | data loss prevention | High | | M365 Defender (Incidents & alerts) | AAD P2 |
DLP-Low volume of content detected U.S. PII | data loss prevention | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
DLP-U.K. PII: Scan content shared outside - low count | data loss prevention | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
eDiscovery search started or exported | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Email messages containing malicious file removed after delivery | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Email messages containing malicious URL removed after delivery | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Email messages from a campaign removed after delivery | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Email reported by user as malware or phish | threat management | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Email sending limit exceeded | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Honeytoken activity | honey token activity security alert | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Mail Forward Rule Enabled | mail flow | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Mailbox Permissions Change | access governance | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Malware detection | microsoft cloud app security | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Mass download | threat detection | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Mass download by a single user | threat detection | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Multiple failed user logon attempts to a service | microsoft cloud app security | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
New APP detected in Organization | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
New app with score 0-4 | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
New popular app | microsoft cloud app security | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
OAuthCreation | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Password spray | password spray | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Distributed Password cracking attempts in AzureAD | azure sentinel | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Explicit MFA Deny | azure sentinel | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Brute force attack against Azure Portal | azure sentinel | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Multiple Password Reset by user | azure sentinel | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Permission changes | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Phish delivered due to an ETR override | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Phish delivered due to an IP allow policy | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Remote code execution attempt | remote execution security alert | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Suspicious inbox manipulation rule | microsoft cloud app security | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Traffic detected from IP addresses recommended for blocking | network traffic from unrecommended ip | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Unfamiliar sign-in properties | unfamiliar location | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Unusual volume of file deletion | data governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Users targeted by phish campaigns | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Leaked credentials | leaked credentials | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Azure AD threat intelligence | threat intelligence | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Malicious IP address | anonymous login | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Additional risk detected | threat management | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Fail User Login Attempt | access governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Ergo-Flex Mail Flow | mail flow | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Unsanctioned Cloud App Access was Blocked | suspicious activity | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Phishing Attempts | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
SharePoint File Operation from New IP | data loss prevention | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Logon from an Outdated Browser | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
DLP-ID Number Policy | data loss prevention | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Stale Externally Shared Files | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
External Shared File | threat management | Variable | | M365 Defender (Incidents & alerts) | AAD P2 |
Uploaded Sensitive File to 3rd Party App or Service | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
365 Mailbox Permissions | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
User requested to release a quarantined message | threat management | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Granted Access to Another Mailbox | access governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Externally Shared Folder or Document | data loss prevention | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Externally Shared File | data governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Granted Mailbox Permission | access governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
New Application Added | microsoft cloud app security | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Suspicious Email Sending Patterns Detected | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Activity from a Password Spray Associated IP Address | microsoft cloud app security | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Privilege Accounts Sign In Failure Spikes | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Rare application consent | threat management | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Rare and potentially high-risk Office operations | threat management | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Attempt to bypass conditional access rule in Azure AD | threat management | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Potentially malicious URL click detected | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Allow/block list entry is about to expire | exchange | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Unusual addition of credentials to an OAuth app | microsoft cloud app security | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Elevation of Exchange admin privilege | access governance | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
Suspicious sequence of exploration activities | access governance | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
User restricted from sending email | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Multiple failed login attempts | threat management | Low | | M365 Defender (Incidents & alerts) | AAD P2 |
A user clicked through to a potentially malicious URL | threat management | High | | M365 Defender (Incidents & alerts) | AAD P2 |
Suspicious authentication activity | access governance | Medium | | M365 Defender (Incidents & alerts) | AAD P2 |
Consent to application | microsoft cloud app security | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Reset user password | access governance | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Reset password (by admin) | access governance | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Add conditional access policy | access governance | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |
Delete conditional access policy | access governance | Informational | | M365 Defender (Incidents & alerts) | AAD P2 |