
Summary
The Microsoft Graph Passthrough detection rule forwards alerts surfaced by the Microsoft Graph security API into security monitoring. That API aggregates alerts from a range of Microsoft security providers, including Azure AD Identity Protection, Microsoft 365, Microsoft Defender (for Cloud, Endpoint and Identity) and Microsoft Sentinel, so a single rule can cover findings the individual products raise. The rule matches on the alert's category field; it is particularly useful for categories such as 'AnonymousLogin' (sign-ins the upstream provider flags as anonymous) and 'PasswordSpray', which point to non-standard user behaviour and possible account compromise. Because each forwarded alert carries the evidence the originating provider attached to it, analysts get a consolidated view of an incident across sources rather than a bare notification. The rule deduplicates: repeated alerts with the same deduplication key within a 60-minute window are collapsed into one, which limits alert fatigue and lets teams focus on genuine threats. As with any passthrough rule, the fidelity of what it emits is bounded by the upstream provider's detections, so tuning happens mostly on the category filter and the deduplication key rather than in the rule body itself.
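The following is an added example, not the rule's own code or Microsoft's: it shows the shape a passthrough detection like the one described above can take, run over a few constructed Graph security alerts. The field names (category, severity, serviceSource, createdDateTime, evidence entries with a userAccount.userPrincipalName) follow the layout of the Graph security alerts_v2 resource as I understand it and are an assumption; the 60-minute deduplication window and the two watched categories come from the summary.

```python
"""Added example of a Microsoft Graph security alert passthrough detection.
Not the original rule's code; field names are assumed (alerts_v2-style)."""
from datetime import datetime, timedelta

# Alert categories the page names as the ones worth passing through.
WATCHED_CATEGORIES = {"AnonymousLogin", "PasswordSpray"}
# Repeated alerts with the same key inside this window collapse into one.
DEDUP_WINDOW = timedelta(minutes=60)
# Graph severities are lowercase strings; map them to detection severities.
SEVERITY_MAP = {"informational": "INFO", "low": "LOW", "medium": "MEDIUM", "high": "HIGH"}


def rule(alert):
    """Pass the alert through only if its category is one we watch."""
    return alert.get("category") in WATCHED_CATEGORIES


def principals(alert):
    """User principal names from the alert's evidence (assumed userEvidence layout)."""
    names = []
    for ev in alert.get("evidence", []):
        if ev.get("@odata.type") == "#microsoft.graph.security.userEvidence":
            upn = ev.get("userAccount", {}).get("userPrincipalName")
            if upn:
                names.append(upn)
    return sorted(names)


def dedup_key(alert):
    """Same category, same source product, same affected users => one alert per window."""
    who = ",".join(principals(alert)) or "unknown"
    return f"{alert.get('category')}:{alert.get('serviceSource', '')}:{who}"


def title(alert):
    who = ", ".join(principals(alert)) or "unknown user"
    return f"Microsoft Graph alert [{alert.get('category')}] {alert.get('title', '')} affecting {who}"


def severity(alert):
    return SEVERITY_MAP.get(str(alert.get("severity", "")).lower(), "MEDIUM")


class DedupWindow:
    """Tracks the last time each key fired; suppresses repeats inside the window."""

    def __init__(self, window=DEDUP_WINDOW):
        self.window = window
        self.last_fired = {}

    def should_fire(self, key, ts):
        prev = self.last_fired.get(key)
        if prev is not None and ts - prev < self.window:
            return False
        self.last_fired[key] = ts
        return True


def process(alerts, dedup=None):
    """Run the passthrough over alerts in order; return the alerts that actually fire."""
    dedup = dedup or DedupWindow()
    fired = []
    for alert in alerts:
        if not rule(alert):
            continue
        ts = datetime.fromisoformat(alert["createdDateTime"].replace("Z", "+00:00"))
        key = dedup_key(alert)
        if dedup.should_fire(key, ts):
            fired.append({"title": title(alert), "severity": severity(alert), "dedup_key": key})
    return fired


def _user(upn):
    return {"@odata.type": "#microsoft.graph.security.userEvidence",
            "userAccount": {"userPrincipalName": upn}}


# Constructed sample alerts for this example; not real tenant data.
SAMPLE_ALERTS = [
    {"id": "a1", "category": "PasswordSpray", "severity": "high", "title": "Password spray",
     "serviceSource": "azureAdIdentityProtection", "createdDateTime": "2022-12-13T10:00:00Z",
     "evidence": [_user("alice@example.com")]},
    {"id": "a2", "category": "PasswordSpray", "severity": "high", "title": "Password spray",
     "serviceSource": "azureAdIdentityProtection", "createdDateTime": "2022-12-13T10:20:00Z",
     "evidence": [_user("alice@example.com")]},          # repeat inside 60 min: suppressed
    {"id": "a3", "category": "AnonymousLogin", "severity": "medium", "title": "Anonymous sign-in",
     "serviceSource": "azureAdIdentityProtection", "createdDateTime": "2022-12-13T10:25:00Z",
     "evidence": [_user("bob@example.com")]},
    {"id": "a4", "category": "Malware", "severity": "high", "title": "Malware detected",
     "serviceSource": "microsoftDefenderForEndpoint", "createdDateTime": "2022-12-13T10:30:00Z",
     "evidence": [_user("alice@example.com")]},          # not a watched category: ignored
    {"id": "a5", "category": "PasswordSpray", "severity": "high", "title": "Password spray",
     "serviceSource": "azureAdIdentityProtection", "createdDateTime": "2022-12-13T12:00:00Z",
     "evidence": [_user("alice@example.com")]},          # two hours later: fires again
]

if __name__ == "__main__":
    for hit in process(SAMPLE_ALERTS):
        print(hit["severity"], hit["title"])
```

The deduplication key deliberately includes the affected principals taken from the alert evidence: keying on category alone would hide a spray against a second account that starts inside the same hour, while keying on the alert id would never deduplicate at all.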
Categories
- Cloud
- Identity Management
- Network
- Application
Data Sources
- User Account
- Cloud Service
- Network Traffic
- Application Log
Created: 2022-12-13