Identity Rules

6 detection rules in this category.

Rule | Severity | MITRE | Source
--- | --- | --- | ---
Admin role assigned | High | T1098.001 | AuditLog
Conditional Access policy deleted | High | T1562.001 | AuditLog
Federation settings changed | Critical | T1484.002 | AuditLog
Global Administrator role assigned | Critical | T1098.001 | AuditLog
MFA disabled for user | Critical | T1556.006 | AuditLog
User password reset by admin | Medium | T1098 | AuditLog

Admin role assigned

Property | Value
--- | ---
Severity | 🟠 High
Source | AuditLog
MITRE | T1098.001 (Persistence)

User added to an administrative role

Conditions
  • Match: all
  • Operation Equals Add member to role
  • ModifiedProperties Contains Admin

Conditional Access policy deleted

Property | Value
--- | ---
Severity | 🟠 High
Source | AuditLog
MITRE | T1562.001 (Defense Evasion)

Conditional Access policy deleted

Conditions
  • Match: all
  • Operation Equals Delete conditional access policy

Federation settings changed

Property | Value
--- | ---
Severity | 🔴 Critical
Source | AuditLog
MITRE | T1484.002 (Defense Evasion)

Domain federation settings modified - potential backdoor

Conditions
  • Match: all
  • Operation Equals Set domain authentication

Global Administrator role assigned

Property | Value
--- | ---
Severity | 🔴 Critical
Source | AuditLog
MITRE | T1098.001 (Persistence)

User added to Global Administrator role

Conditions
  • Match: all
  • Operation Equals Add member to role
  • ModifiedProperties Contains Global Administrator

MFA disabled for user

Property | Value
--- | ---
Severity | 🔴 Critical
Source | AuditLog
MITRE | T1556.006 (Defense Evasion)

Multi-factor authentication disabled for a user

Conditions
  • Match: all
  • Operation Equals Disable Strong Authentication

User password reset by admin

Property | Value
--- | ---
Severity | 🟡 Medium
Source | AuditLog
MITRE | T1098 (Persistence)

Administrator reset a user's password (actor differs from target)

Conditions
  • Match: all
  • Operation Equals Reset user password
  • InitiatedBy.User.UserPrincipalName NotEquals {{TargetResources.0.UserPrincipalName}}
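As an added example (not part of this rule catalogue or the engine behind it), a small Python evaluator that applies the six rules above, with Match: all, the Equals / NotEquals / Contains operators, and the {{...}} template value that compares the actor against the target, to constructed AuditLog records. Field names follow the page; the nested dict/list record layout, substring semantics for Contains, and treating a missing actor field as "differs" under NotEquals are assumptions.

```python
import re

RULES = [
    ("Admin role assigned", [("Operation", "Equals", "Add member to role"),
                             ("ModifiedProperties", "Contains", "Admin")]),
    ("Conditional Access policy deleted", [("Operation", "Equals", "Delete conditional access policy")]),
    ("Federation settings changed", [("Operation", "Equals", "Set domain authentication")]),
    ("Global Administrator role assigned", [("Operation", "Equals", "Add member to role"),
                                            ("ModifiedProperties", "Contains", "Global Administrator")]),
    ("MFA disabled for user", [("Operation", "Equals", "Disable Strong Authentication")]),
    ("User password reset by admin", [("Operation", "Equals", "Reset user password"),
                                      ("InitiatedBy.User.UserPrincipalName", "NotEquals",
                                       "{{TargetResources.0.UserPrincipalName}}")]),
]

def get_path(record, path):
    """Resolve a dotted path; numeric segments index lists; missing -> None."""
    cur = record
    for seg in path.split("."):
        if isinstance(cur, dict):
            cur = cur.get(seg)
        elif isinstance(cur, list) and seg.isdigit() and int(seg) < len(cur):
            cur = cur[int(seg)]
        else:
            return None
    return cur

def condition_matches(record, field, op, value):
    actual = get_path(record, field)
    # A {{path}} value is compared against another field of the same record.
    tmpl = re.fullmatch(r"\{\{(.+)\}\}", value)
    expected = get_path(record, tmpl.group(1)) if tmpl else value
    if op == "Equals":
        return actual == expected
    if op == "NotEquals":  # literal: a missing actor (app-initiated reset) also differs
        return actual != expected
    if op == "Contains":   # ModifiedProperties is a list; substring match per entry
        items = actual if isinstance(actual, list) else [actual]
        return any(i is not None and expected in str(i) for i in items)
    raise ValueError(f"unknown operator: {op}")

def evaluate(record):
    """Names of every rule whose conditions all hold (Match: all) for this record."""
    return [name for name, conds in RULES if all(condition_matches(record, *c) for c in conds)]

# Constructed sample records, not real audit log data.
ADMIN_RESET = {"Operation": "Reset user password",
               "InitiatedBy": {"User": {"UserPrincipalName": "helpdesk@example.com"}},
               "TargetResources": [{"UserPrincipalName": "alice@example.com"}]}
GA_ASSIGNED = dict(ADMIN_RESET, Operation="Add member to role",
                   ModifiedProperties=["Role.DisplayName: Global Administrator"])
```

Note that a Global Administrator assignment fires both role rules, since "Global Administrator" also contains "Admin", so a consumer should expect overlapping alerts from this set.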