Welcome to our security detection and report update. Our Incident Detection Engineering (IDE) Team is constantly hard at work. Creating, testing, and writing detections for you! This week, we've made several important updates to improve your security posture and enhance the functionality of our detections. As you might know, monthly, we also release an overview of the entirety of what was changed in the product. However in these updates we'll focus on the net new content that IDE provides on an ongoing basis, musings from our team, and maybe the occasional horoscope if you're lucky.
Not all detections are meant to last a lifetime. Every now and then one is retired and replaced with new and exciting logic.
"Don't cry because it's over. Smile because it happened."
Dr. Seuss
This update introduces:
When a Microsoft 365 request has been made to retrieve a Primary Refresh Token through a device code flow via the device registration service within Azure. This can be done as a normal part of a joining a machine to Entra ID. However, research has shown that this device registration service can be abused, for example through phishing attempts, to gain access to a user''s account and maintain it.
When a high number of Windows group enumeration events have been identified in your environment. This is likely related to legitimate administrative or automated service activity such as RMM tools, vulnerability scanners, or backup software. However, it should still be reviewed and confirmed as expected behavior by the responsible accounts. Threat actors may conduct similar reconnaissance when initially landing in an environment with a goal of understanding their permissions and to identify other, more highly privileged accounts. Current default threshold is 100 or more events in a 15 minute window.
This detection will be replaced with several new MFA detections