Azure azure_defender_for_resource_manager Mappings

Azure Defender for Resource Manager automatically monitors the resource management operations in your organization, whether they're performed through the Azure portal, Azure REST APIs, Azure CLI, or other Azure programmatic clients. Alerts are generated by threats detected in Azure Resource Manager logs and Azure Activity logs. Azure Defender runs advanced security analytics to detect threats and alert you about suspicious activity.

Mappings

Capability ID Capability Description Category Value ATT&CK ID ATT&CK Name Notes
azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1562 Impair Defenses
Comments
This control may alert on Windows Defender security features being disabled but does not alert on other security tools or logging being disabled or tampered with. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
References
azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1562.001 Disable or Modify Tools
Comments
The following alerts are available for Windows Defender security features being disabled but none for third party security tools: "Antimalware broad files exclusion in your virtual machine", "Antimalware disabled and code execution in your virtual machine", "Antimalware disabled in your virtual machine", "Antimalware file exclusion and code execution in your virtual machine", "Antimalware file exclusion in your virtual machine", "Antimalware real-time protection was disabled in your virtual machine", "Antimalware real-time protection was disabled temporarily in your virtual machine", "Antimalware real-time protection was disabled temporarily while code was executed in your virtual machine", "Antimalware temporarily disabled in your virtual machine", "Antimalware unusual file exclusion in your virtual machine".
References
    azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1580 Cloud Infrastructure Discovery
    Comments
    This control may alert on Cloud Infrastructure Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
    References
    azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1538 Cloud Service Dashboard
    Comments
    This control may alert on suspicious management activity based on IP, time, anomalous behaviour, or PowerShell usage. Machine learning algorithms are used to reduce false positives. The following alerts may be generated: "Activity from a risky IP address", "Activity from infrequent country", "Impossible travel activity", "Suspicious management session using PowerShell detected", "Suspicious management session using an inactive account detected", "Suspicious management session using Azure portal detected".
    References
    azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1526 Cloud Service Discovery
    Comments
    This control may alert on Cloud Service Discovery activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions".
    References
    azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1069 Permission Groups Discovery
    Comments
    This control may alert on Azure domain cloud groups discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
    References
    azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1069.003 Cloud Groups
    Comments
    This control may alert on Permission Groups Discovery of Cloud Groups activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
    References
      azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1087 Account Discovery
      Comments
      This control may alert on Azure cloud account discovery activity but may not provide alerts for other account types or undocumented exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score.
      References
      azure_defender_for_resource_manager Azure Defender for Resource Manager detect partial T1087.004 Cloud Account
      Comments
      This control may alert on Account Discovery of Cloud Accounts activity generated by specific toolkits, such as MicroBurst, PowerZure, etc. It may not generate alerts on undocumented discovery techniques or exploitation toolkits. The following alerts may be generated: "PowerZure exploitation toolkit used to enumerate storage containers, shares, and tables", "PowerZure exploitation toolkit used to enumerate resources", "MicroBurst exploitation toolkit used to enumerate resources in your subscriptions", "Azurite toolkit run detected".
      References
        azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1555 Credentials from Password Stores
        Comments
        This control may alert on credential dumping from Azure Key Vaults, App Services Configurations, and Automation accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "MicroBurst exploitation toolkit used to extract secrets from your Azure key vaults", "MicroBurst exploitation toolkit used to extract keys to your storage accounts".
        References
        azure_defender_for_resource_manager Azure Defender for Resource Manager detect minimal T1068 Exploitation for Privilege Escalation
        Comments
        This control may alert on escalation attempts from Azure AD to Azure accounts by specific exploitation toolkits. Consequently, its Coverage score is Minimal resulting in an overall Minimal score. The following alerts may be generated: "PowerZure exploitation toolkit used to elevate access from Azure AD to Azure".
        References