M365 Defender (Incidents & Alerts)

| Alert | Category | Severity | Source | License |
|---|---|---|---|---|
| Activities from suspicious user agents | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Suspicious browser | Microsoft Cloud App Security | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Activity from a Tor IP address | Microsoft Cloud App Security | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Activity from infrequent country | Microsoft Cloud App Security | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Admin Submission Result Completed | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Admin triggered manual investigation of email | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Admin triggered user compromise investigation | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Admin confirmed user compromised | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Anomalous Token | anomalous token | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Token issuer anomaly | anomalous token | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Anonymous IP address | anonymous login | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Block SharePoint File Download | Microsoft Cloud App Security | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Creation of forwarding/redirect rule | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| DLP - High volume of content detected U.S. Financial Data | data loss prevention | High | M365 Defender (Incidents & alerts) | AAD P2 |
| DLP - Low volume of content detected U.S. PII | data loss prevention | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| DLP - U.K. PII: Scan content shared outside - low count | data loss prevention | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| eDiscovery search started or exported | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Email messages containing malicious file removed after delivery | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Email messages containing malicious URL removed after delivery | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Email messages from a campaign removed after delivery | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Email reported by user as malware or phish | threat management | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Email sending limit exceeded | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Honeytoken activity | honeytoken activity security alert | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Mail Forward Rule Enabled | mail flow | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Mailbox Permissions Change | access governance | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Malware detection | Microsoft Cloud App Security | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Mass download | threat detection | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Mass download by a single user | threat detection | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Multiple failed user logon attempts to a service | Microsoft Cloud App Security | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| New app detected in organization | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| New app with score 0-4 | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| New popular app | Microsoft Cloud App Security | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| OAuthCreation | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Password spray | password spray | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Distributed password cracking attempts in Azure AD | Azure Sentinel | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Explicit MFA deny | Azure Sentinel | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Brute force attack against Azure Portal | Azure Sentinel | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Multiple password reset by user | Azure Sentinel | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Permission changes | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Phish delivered due to an ETR override | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Phish delivered due to an IP allow policy | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Remote code execution attempt | remote execution security alert | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Suspicious inbox manipulation rule | Microsoft Cloud App Security | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Traffic detected from IP addresses recommended for blocking | network traffic from unrecommended IP | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Unfamiliar sign-in properties | unfamiliar location | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Unusual volume of file deletion | data governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Users targeted by phish campaigns | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Leaked credentials | leaked credentials | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Azure AD threat intelligence | threat intelligence | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Malicious IP address | anonymous login | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Additional risk detected | threat management | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Failed user login attempt | access governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Ergo-Flex Mail Flow | mail flow | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Unsanctioned cloud app access was blocked | suspicious activity | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Phishing attempts | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| SharePoint file operation from new IP | data loss prevention | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Logon from an outdated browser | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| DLP - ID Number Policy | data loss prevention | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Stale externally shared files | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| External shared file | threat management | Variable | M365 Defender (Incidents & alerts) | AAD P2 |
| Uploaded sensitive file to 3rd-party app or service | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| 365 Mailbox Permissions | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| User requested to release a quarantined message | threat management | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Granted access to another mailbox | access governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Externally shared folder or document | data loss prevention | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Externally shared file | data governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Granted mailbox permission | access governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| New application added | Microsoft Cloud App Security | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Suspicious email sending patterns detected | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Activity from a password spray associated IP address | Microsoft Cloud App Security | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Privileged accounts sign-in failure spikes | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Rare application consent | threat management | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Rare and potentially high-risk Office operations | threat management | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Attempt to bypass conditional access rule in Azure AD | threat management | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Potentially malicious URL click detected | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Allow/block list entry is about to expire | Exchange | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Unusual addition of credentials to an OAuth app | Microsoft Cloud App Security | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Elevation of Exchange admin privilege | access governance | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| Suspicious sequence of exploration activities | access governance | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| User restricted from sending email | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Multiple failed login attempts | threat management | Low | M365 Defender (Incidents & alerts) | AAD P2 |
| A user clicked through to a potentially malicious URL | threat management | High | M365 Defender (Incidents & alerts) | AAD P2 |
| Suspicious authentication activity | access governance | Medium | M365 Defender (Incidents & alerts) | AAD P2 |
| Consent to application | Microsoft Cloud App Security | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Reset user password | access governance | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Reset password (by admin) | access governance | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Add conditional access policy | access governance | Informational | M365 Defender (Incidents & alerts) | AAD P2 |
| Delete conditional access policy | access governance | Informational | M365 Defender (Incidents & alerts) | AAD P2 |