This repository was archived by the owner on Feb 12, 2025. It is now read-only.
Incomplete list of Alerts #682
Open
Description
Greetings!
I have noticed that the list of alerts on this page is incomplete. A customer requested details of the logs sent to Sentinel or a SIEM in order to identify the correct alert names.
Will it be possible to add sample logs for the missing alerts below (and perhaps more)?
- Suspected exploitation attempt on Windows Print Spooler service (external ID 2415)
- Suspected NTLM relay attack (Exchange account) (external ID 2037)
- Suspected rogue Kerberos certificate usage (external ID 2047)
- Suspected SMB packet manipulation (CVE-2020-0796 exploitation) (external ID 2406)
- Exchange Server Remote Code Execution (CVE-2021-26855) (external ID 2414)
- Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) (external ID 2419)
- Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411)
- Suspected AS-REP Roasting attack (external ID 2412)
- Suspected Golden Ticket usage (ticket anomaly using RBCD) (external ID 2040)
- Suspicious edit of the Resource Based Constrained Delegation Attribute by a machine account (KrbRelayUp)
- Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) (external ID 2048)
Regards
Document Details
⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.
- ID: 4ff82a4d-1c0d-7d05-f383-78a5506dda02
- Version Independent ID: 02bd7bc8-76ca-2511-93cb-f3f3de46337d
- Content: SIEM log reference - Microsoft Defender for Identity
- Content Source: ATPDocs/cef-format-sa.md
- Service: microsoft-defender-for-identity
- GitHub Login: @batamig
- Microsoft Alias: bagol