Commit 31b8223

Removed discontinued anomalies
1 parent 4c8c6e1 commit 31b8223

1 file changed

+32
-27
lines changed

articles/sentinel/anomalies-reference.md

Lines changed: 32 additions & 27 deletions
@@ -18,6 +18,11 @@ Microsoft Sentinel uses two different models to create baselines and detect anom
1818
- [UEBA anomalies](#ueba-anomalies)
1919
- [Machine learning-based anomalies](#machine-learning-based-anomalies)
2020

21+
> [!NOTE]
22+
> The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
23+
> - Domain Reputation Palo Alto anomaly
24+
> - Multi-region logins in a single day via Palo Alto GlobalProtect
25+
2126
[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
2227

2328
## UEBA anomalies
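Review bot: the new note names the two discontinued detections but does not say what a workspace that already has them enabled should expect, for example whether previously generated rows remain in the Anomalies table and whether analytics rules keyed on these anomaly names should be disabled; one sentence on that would make the note actionable. Consider also linking each bullet to its section further down, since the sections are kept and only renamed with "(DISCONTINUED)", so readers can still reach the description and MITRE mapping.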
@@ -59,7 +64,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
5964
| Attribute | Value |
6065
| -------------------------------- | ------------------------------------------------------------------ |
6166
| **Anomaly type:** | UEBA |
62-
| **Data sources:** | Microsoft Entra audit logs |
67+
| **Data sources:** | Microsoft Entra audit logs |
6368
| **MITRE ATT&CK tactics:** | Persistence |
6469
| **MITRE ATT&CK techniques:** | T1136 - Create Account |
6570
| **MITRE ATT&CK sub-techniques:** | Cloud Account |
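Review bot: the `**Data sources:**` row in this hunk is removed and re-added with no visible content change, so this (and the matching rows in the next seven hunks) looks like a whitespace-only edit, presumably trailing spaces or column padding. It is unrelated to the stated purpose "Removed discontinued anomalies" and inflates the review surface; consider dropping these hunks or moving them into a separate formatting-only commit.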
@@ -74,7 +79,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
7479
| Attribute | Value |
7580
| -------------------------------- | ------------------------------------------------------------------ |
7681
| **Anomaly type:** | UEBA |
77-
| **Data sources:** | Microsoft Entra audit logs |
82+
| **Data sources:** | Microsoft Entra audit logs |
7883
| **MITRE ATT&CK tactics:** | Impact |
7984
| **MITRE ATT&CK techniques:** | T1531 - Account Access Removal |
8085
| **Activity:** | Core Directory/UserManagement/Delete user<br>Core Directory/Device/Delete user<br>Core Directory/UserManagement/Delete user |
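Review bot: unrelated to this change but visible in the context line, the `**Activity:**` cell lists `Core Directory/UserManagement/Delete user` twice (first and third entries), so one of them is either a copy-paste duplicate or stands in for a different operation. Worth fixing while this row is being touched, or tracking separately.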
@@ -88,7 +93,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
8893
| Attribute | Value |
8994
| -------------------------------- | ------------------------------------------------------------------ |
9095
| **Anomaly type:** | UEBA |
91-
| **Data sources:** | Microsoft Entra audit logs |
96+
| **Data sources:** | Microsoft Entra audit logs |
9297
| **MITRE ATT&CK tactics:** | Persistence |
9398
| **MITRE ATT&CK techniques:** | T1098 - Account Manipulation |
9499
| **Activity:** | Core Directory/UserManagement/Update user |
@@ -135,7 +140,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
135140
| **MITRE ATT&CK tactics:** | Defense Evasion |
136141
| **MITRE ATT&CK techniques:** | T1562 - Impair Defenses |
137142
| **MITRE ATT&CK sub-techniques:** | Disable or Modify Tools<br>Disable or Modify Cloud Firewall |
138-
| **Activity:** | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete<br>Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete<br>Microsoft.Network/networkSecurityGroups/securityRules/delete<br>Microsoft.Network/networkSecurityGroups/delete<br>Microsoft.Network/ddosProtectionPlans/delete<br>Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete<br>Microsoft.Network/applicationSecurityGroups/delete<br>Microsoft.Authorization/policyAssignments/delete<br>Microsoft.Sql/servers/firewallRules/delete<br>Microsoft.Network/firewallPolicies/delete<br>Microsoft.Network/azurefirewalls/delete |
143+
| **Activity:** | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete<br>Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete<br>Microsoft.Network/networkSecurityGroups/securityRules/delete<br>Microsoft.Network/networkSecurityGroups/delete<br>Microsoft.Network/ddosProtectionPlans/delete<br>Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete<br>Microsoft.Network/applicationSecurityGroups/delete<br>Microsoft.Authorization/policyAssignments/delete<br>Microsoft.Sql/servers/firewallRules/delete<br>Microsoft.Network/firewallPolicies/delete<br>Microsoft.Network/azurefirewalls/delete |
139144

140145
[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
141146

@@ -146,7 +151,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
146151
| Attribute | Value |
147152
| -------------------------------- | ------------------------------------------------------------------ |
148153
| **Anomaly type:** | UEBA |
149-
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
154+
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
150155
| **MITRE ATT&CK tactics:** | Credential Access |
151156
| **MITRE ATT&CK techniques:** | T1110 - Brute Force |
152157
| **Activity:** | **Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Failed login (Event ID 4625) |
@@ -160,10 +165,10 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
160165
| Attribute | Value |
161166
| -------------------------------- | ------------------------------------------------------------------ |
162167
| **Anomaly type:** | UEBA |
163-
| **Data sources:** | Microsoft Entra audit logs |
168+
| **Data sources:** | Microsoft Entra audit logs |
164169
| **MITRE ATT&CK tactics:** | Impact |
165170
| **MITRE ATT&CK techniques:** | T1531 - Account Access Removal |
166-
| **Activity:** | Core Directory/UserManagement/User password reset |
171+
| **Activity:** | Core Directory/UserManagement/User password reset |
167172

168173
[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
169174

@@ -174,7 +179,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
174179
| Attribute | Value |
175180
| -------------------------------- | ------------------------------------------------------------------ |
176181
| **Anomaly type:** | UEBA |
177-
| **Data sources:** | Microsoft Entra audit logs |
182+
| **Data sources:** | Microsoft Entra audit logs |
178183
| **MITRE ATT&CK tactics:** | Persistence |
179184
| **MITRE ATT&CK techniques:** | T1098 - Account Manipulation |
180185
| **MITRE ATT&CK sub-techniques:** | Additional Azure Service Principal Credentials |
@@ -189,7 +194,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
189194
| Attribute | Value |
190195
| -------------------------------- | ------------------------------------------------------------------ |
191196
| **Anomaly type:** | UEBA |
192-
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
197+
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
193198
| **MITRE ATT&CK tactics:** | Persistence |
194199
| **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |
195200
| **Activity:** | **Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Successful login (Event ID 4624) |
@@ -215,12 +220,12 @@ Microsoft Sentinel's customizable, machine learning-based anomalies can identify
215220
- [Attempted user account brute force per failure reason](#attempted-user-account-brute-force-per-failure-reason)
216221
- [Detect machine generated network beaconing behavior](#detect-machine-generated-network-beaconing-behavior)
217222
- [Domain generation algorithm (DGA) on DNS domains](#domain-generation-algorithm-dga-on-dns-domains)
218-
- [Domain Reputation Palo Alto anomaly](#domain-reputation-palo-alto-anomaly)
223+
- Domain Reputation Palo Alto anomaly (DISCONTINUED)
219224
- [Excessive data transfer anomaly](#excessive-data-transfer-anomaly)
220225
- [Excessive Downloads via Palo Alto GlobalProtect](#excessive-downloads-via-palo-alto-globalprotect)
221226
- [Excessive uploads via Palo Alto GlobalProtect](#excessive-uploads-via-palo-alto-globalprotect)
222227
- [Login from an unusual region via Palo Alto GlobalProtect account logins](#login-from-an-unusual-region-via-palo-alto-globalprotect-account-logins)
223-
- [Multi-region logins in a single day via Palo Alto GlobalProtect](#multi-region-logins-in-a-single-day-via-palo-alto-globalprotect)
228+
- Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
224229
- [Potential data staging](#potential-data-staging)
225230
- [Potential domain generation algorithm (DGA) on next-level DNS Domains](#potential-domain-generation-algorithm-dga-on-next-level-dns-domains)
226231
- [Suspicious geography change in Palo Alto GlobalProtect account logins](#suspicious-geography-change-in-palo-alto-globalprotect-account-logins)
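Review bot: the two discontinued entries lose their links while every other item in this list stays a link, yet the target sections are kept on the page (renamed with "(DISCONTINUED)"). Either link them to the renamed headings, typically `- [Domain Reputation Palo Alto anomaly (DISCONTINUED)](#domain-reputation-palo-alto-anomaly-discontinued)`, or remove the sections so the list and the body agree.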
@@ -450,16 +455,16 @@ Configuration details:
450455

451456
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
452457

453-
### Domain Reputation Palo Alto anomaly
458+
### Domain Reputation Palo Alto anomaly (DISCONTINUED)
454459

455-
**Description:** This algorithm evaluates the reputation for all domains seen specifically in Palo Alto firewall (PAN-OS product) logs. A high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.
460+
**Description:** This algorithm evaluates the reputation for all domains seen specifically in Palo Alto firewall (PAN-OS product) logs. A high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.
456461

457-
| Attribute | Value |
458-
| -------------------------------- | ------------------------------------------------------------------ |
459-
| **Anomaly type:** | Customizable machine learning |
460-
| **Data sources:** | CommonSecurityLog (PAN) |
461-
| **MITRE ATT&CK tactics:** | Command and Control |
462-
| **MITRE ATT&CK techniques:** | T1568 - Dynamic Resolution |
462+
| Attribute | Value |
463+
| -------------------------------- | ------------------------------------------------------------------ |
464+
| **Anomaly type:** | Customizable machine learning |
465+
| **Data sources:** | CommonSecurityLog (PAN) |
466+
| **MITRE ATT&CK tactics:** | Command and Control |
467+
| **MITRE ATT&CK techniques:** | T1568 - Dynamic Resolution |
463468

464469
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
465470

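Review bot: the heading gains "(DISCONTINUED)" but the description still reads in the present tense ("This algorithm evaluates ...") and the section never states the discontinuation date or reason given in the note at the top (March 26, 2024, low quality of results); a one-line notice under the heading would keep the section self-explanatory for readers who arrive via the Back-to links. The description and table rows in this hunk are otherwise removed and re-added with no visible difference, so that part is whitespace-only.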
@@ -515,16 +520,16 @@ Configuration details:
515520

516521
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
517522

518-
### Multi-region logins in a single day via Palo Alto GlobalProtect
523+
### Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
519524

520-
**Description:** This algorithm detects a user account which had sign-ins from multiple non-adjacent regions in a single day through a Palo Alto VPN.
525+
**Description:** This algorithm detects a user account which had sign-ins from multiple non-adjacent regions in a single day through a Palo Alto VPN.
521526

522-
| Attribute | Value |
523-
| -------------------------------- | ------------------------------------------------------------------ |
524-
| **Anomaly type:** | Customizable machine learning |
525-
| **Data sources:** | CommonSecurityLog (PAN VPN) |
526-
| **MITRE ATT&CK tactics:** | Defense Evasion<br>Initial Access |
527-
| **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |
527+
| Attribute | Value |
528+
| -------------------------------- | ------------------------------------------------------------------ |
529+
| **Anomaly type:** | Customizable machine learning |
530+
| **Data sources:** | CommonSecurityLog (PAN VPN) |
531+
| **MITRE ATT&CK tactics:** | Defense Evasion<br>Initial Access |
532+
| **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |
528533

529534
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
530535

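Review bot: same point as for the Domain Reputation section: the heading is marked discontinued, but the description ("This algorithm detects ...") reads as if the detection still runs and the section does not carry the March 26, 2024 date from the top note. The re-emitted description and table rows show no visible change, so apart from the heading this hunk is whitespace-only.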