
Commit 88325cb

Merge pull request #271726 from yelevin/patch-2
Removed discontinued anomalies
2 parents b9f0fcf + 9195400 commit 88325cb


2 files changed, 27 additions and 27 deletions


articles/sentinel/anomalies-reference.md

Lines changed: 18 additions & 27 deletions
@@ -18,6 +18,11 @@ Microsoft Sentinel uses two different models to create baselines and detect anom
1818
- [UEBA anomalies](#ueba-anomalies)
1919
- [Machine learning-based anomalies](#machine-learning-based-anomalies)
2020

21+
> [!NOTE]
22+
> The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
23+
> - Domain Reputation Palo Alto anomaly
24+
> - Multi-region logins in a single day via Palo Alto GlobalProtect
25+
2126
[!INCLUDE [unified-soc-preview](includes/unified-soc-preview.md)]
2227

2328
## UEBA anomalies
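Review bot: the new NOTE names the two discontinued detections as plain text even though their sections remain in this article (renamed with a "(DISCONTINUED)" suffix later in this PR); linking each item to its section, the way the list under "Machine learning-based anomalies" links the active detections, would let a reader reach the retained description and the retirement date in one step. Consider also saying in the note that the attribute tables for these two detections were removed, so that anyone who relied on their data-source and MITRE mapping knows where that information went.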
@@ -59,7 +64,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
5964
| Attribute | Value |
6065
| -------------------------------- | ------------------------------------------------------------------ |
6166
| **Anomaly type:** | UEBA |
62-
| **Data sources:** | Microsoft Entra audit logs |
67+
| **Data sources:** | Microsoft Entra audit logs |
6368
| **MITRE ATT&CK tactics:** | Persistence |
6469
| **MITRE ATT&CK techniques:** | T1136 - Create Account |
6570
| **MITRE ATT&CK sub-techniques:** | Cloud Account |
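Review bot: the `-`/`+` pair on the **Data sources:** row renders identically ("Microsoft Entra audit logs" on both sides), so this is a whitespace-only or column-alignment change, and the same pattern repeats in the hunks at -74, -88, -135, -146, -160, -174 and -189. Unless the table padding was deliberately normalized, consider dropping these from a PR titled "Removed discontinued anomalies" so the diff shows only the substantive edits and the change is easier to audit.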
@@ -74,7 +79,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
7479
| Attribute | Value |
7580
| -------------------------------- | ------------------------------------------------------------------ |
7681
| **Anomaly type:** | UEBA |
77-
| **Data sources:** | Microsoft Entra audit logs |
82+
| **Data sources:** | Microsoft Entra audit logs |
7883
| **MITRE ATT&CK tactics:** | Impact |
7984
| **MITRE ATT&CK techniques:** | T1531 - Account Access Removal |
8085
| **Activity:** | Core Directory/UserManagement/Delete user<br>Core Directory/Device/Delete user<br>Core Directory/UserManagement/Delete user |
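Review bot: the **Activity:** row on the last context line lists `Core Directory/UserManagement/Delete user` twice (the first and third `<br>`-separated entries); this predates the change, but since the hunk already touches this table, deduplicating the cell here would be cheap. The `-`/`+` pair on **Data sources:** is again visually identical.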
@@ -88,7 +93,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
8893
| Attribute | Value |
8994
| -------------------------------- | ------------------------------------------------------------------ |
9095
| **Anomaly type:** | UEBA |
91-
| **Data sources:** | Microsoft Entra audit logs |
96+
| **Data sources:** | Microsoft Entra audit logs |
9297
| **MITRE ATT&CK tactics:** | Persistence |
9398
| **MITRE ATT&CK techniques:** | T1098 - Account Manipulation |
9499
| **Activity:** | Core Directory/UserManagement/Update user |
@@ -135,7 +140,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
135140
| **MITRE ATT&CK tactics:** | Defense Evasion |
136141
| **MITRE ATT&CK techniques:** | T1562 - Impair Defenses |
137142
| **MITRE ATT&CK sub-techniques:** | Disable or Modify Tools<br>Disable or Modify Cloud Firewall |
138-
| **Activity:** | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete<br>Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete<br>Microsoft.Network/networkSecurityGroups/securityRules/delete<br>Microsoft.Network/networkSecurityGroups/delete<br>Microsoft.Network/ddosProtectionPlans/delete<br>Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete<br>Microsoft.Network/applicationSecurityGroups/delete<br>Microsoft.Authorization/policyAssignments/delete<br>Microsoft.Sql/servers/firewallRules/delete<br>Microsoft.Network/firewallPolicies/delete<br>Microsoft.Network/azurefirewalls/delete |
143+
| **Activity:** | Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/rules/baselines/delete<br>Microsoft.Sql/managedInstances/databases/vulnerabilityAssessments/delete<br>Microsoft.Network/networkSecurityGroups/securityRules/delete<br>Microsoft.Network/networkSecurityGroups/delete<br>Microsoft.Network/ddosProtectionPlans/delete<br>Microsoft.Network/ApplicationGatewayWebApplicationFirewallPolicies/delete<br>Microsoft.Network/applicationSecurityGroups/delete<br>Microsoft.Authorization/policyAssignments/delete<br>Microsoft.Sql/servers/firewallRules/delete<br>Microsoft.Network/firewallPolicies/delete<br>Microsoft.Network/azurefirewalls/delete |
139144

140145
[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
141146

@@ -146,7 +151,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
146151
| Attribute | Value |
147152
| -------------------------------- | ------------------------------------------------------------------ |
148153
| **Anomaly type:** | UEBA |
149-
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
154+
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
150155
| **MITRE ATT&CK tactics:** | Credential Access |
151156
| **MITRE ATT&CK techniques:** | T1110 - Brute Force |
152157
| **Activity:** | **Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Failed login (Event ID 4625) |
@@ -160,10 +165,10 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
160165
| Attribute | Value |
161166
| -------------------------------- | ------------------------------------------------------------------ |
162167
| **Anomaly type:** | UEBA |
163-
| **Data sources:** | Microsoft Entra audit logs |
168+
| **Data sources:** | Microsoft Entra audit logs |
164169
| **MITRE ATT&CK tactics:** | Impact |
165170
| **MITRE ATT&CK techniques:** | T1531 - Account Access Removal |
166-
| **Activity:** | Core Directory/UserManagement/User password reset |
171+
| **Activity:** | Core Directory/UserManagement/User password reset |
167172

168173
[Back to UEBA anomalies list](#ueba-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
169174

@@ -174,7 +179,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
174179
| Attribute | Value |
175180
| -------------------------------- | ------------------------------------------------------------------ |
176181
| **Anomaly type:** | UEBA |
177-
| **Data sources:** | Microsoft Entra audit logs |
182+
| **Data sources:** | Microsoft Entra audit logs |
178183
| **MITRE ATT&CK tactics:** | Persistence |
179184
| **MITRE ATT&CK techniques:** | T1098 - Account Manipulation |
180185
| **MITRE ATT&CK sub-techniques:** | Additional Azure Service Principal Credentials |
@@ -189,7 +194,7 @@ You must [enable the UEBA feature](enable-entity-behavior-analytics.md) for UEBA
189194
| Attribute | Value |
190195
| -------------------------------- | ------------------------------------------------------------------ |
191196
| **Anomaly type:** | UEBA |
192-
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
197+
| **Data sources:** | Microsoft Entra sign-in logs<br>Windows Security logs |
193198
| **MITRE ATT&CK tactics:** | Persistence |
194199
| **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |
195200
| **Activity:** | **Microsoft Entra ID:** Sign-in activity<br>**Windows Security:** Successful login (Event ID 4624) |
@@ -215,12 +220,12 @@ Microsoft Sentinel's customizable, machine learning-based anomalies can identify
215220
- [Attempted user account brute force per failure reason](#attempted-user-account-brute-force-per-failure-reason)
216221
- [Detect machine generated network beaconing behavior](#detect-machine-generated-network-beaconing-behavior)
217222
- [Domain generation algorithm (DGA) on DNS domains](#domain-generation-algorithm-dga-on-dns-domains)
218-
- [Domain Reputation Palo Alto anomaly](#domain-reputation-palo-alto-anomaly)
223+
- Domain Reputation Palo Alto anomaly (DISCONTINUED)
219224
- [Excessive data transfer anomaly](#excessive-data-transfer-anomaly)
220225
- [Excessive Downloads via Palo Alto GlobalProtect](#excessive-downloads-via-palo-alto-globalprotect)
221226
- [Excessive uploads via Palo Alto GlobalProtect](#excessive-uploads-via-palo-alto-globalprotect)
222227
- [Login from an unusual region via Palo Alto GlobalProtect account logins](#login-from-an-unusual-region-via-palo-alto-globalprotect-account-logins)
223-
- [Multi-region logins in a single day via Palo Alto GlobalProtect](#multi-region-logins-in-a-single-day-via-palo-alto-globalprotect)
228+
- Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
224229
- [Potential data staging](#potential-data-staging)
225230
- [Potential domain generation algorithm (DGA) on next-level DNS Domains](#potential-domain-generation-algorithm-dga-on-next-level-dns-domains)
226231
- [Suspicious geography change in Palo Alto GlobalProtect account logins](#suspicious-geography-change-in-palo-alto-globalprotect-account-logins)
@@ -450,17 +455,10 @@ Configuration details:
450455

451456
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
452457

453-
### Domain Reputation Palo Alto anomaly
458+
### Domain Reputation Palo Alto anomaly (DISCONTINUED)
454459

455460
**Description:** This algorithm evaluates the reputation for all domains seen specifically in Palo Alto firewall (PAN-OS product) logs. A high anomaly score indicates a low reputation, suggesting that the domain has been observed to host malicious content or is likely to do so.
456461

457-
| Attribute | Value |
458-
| -------------------------------- | ------------------------------------------------------------------ |
459-
| **Anomaly type:** | Customizable machine learning |
460-
| **Data sources:** | CommonSecurityLog (PAN) |
461-
| **MITRE ATT&CK tactics:** | Command and Control |
462-
| **MITRE ATT&CK techniques:** | T1568 - Dynamic Resolution |
463-
464462
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
465463

466464
### Excessive data transfer anomaly
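Review bot: the retained **Description:** still reads in the present tense ("This algorithm evaluates the reputation for all domains seen...") as if the detection were active, and the "(DISCONTINUED)" marker exists only in the heading, so a reader who lands on this anchor directly (from an existing incident or a bookmarked link) gets no date or reason. Suggest a one-line statement under the heading, e.g. "This anomaly detection is discontinued as of March 26, 2024, due to low quality of results.", and rewording the description in the past tense. Deleting the attribute table also removes the only record of the data source and MITRE mapping (`CommonSecurityLog (PAN)`, `T1568 - Dynamic Resolution`); consider keeping the table with the anomaly type marked as discontinued instead, since existing analytics rules and workbooks built on this anomaly may still reference those values.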
@@ -515,17 +513,10 @@ Configuration details:
515513

516514
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
517515

518-
### Multi-region logins in a single day via Palo Alto GlobalProtect
516+
### Multi-region logins in a single day via Palo Alto GlobalProtect (DISCONTINUED)
519517

520518
**Description:** This algorithm detects a user account which had sign-ins from multiple non-adjacent regions in a single day through a Palo Alto VPN.
521519

522-
| Attribute | Value |
523-
| -------------------------------- | ------------------------------------------------------------------ |
524-
| **Anomaly type:** | Customizable machine learning |
525-
| **Data sources:** | CommonSecurityLog (PAN VPN) |
526-
| **MITRE ATT&CK tactics:** | Defense Evasion<br>Initial Access |
527-
| **MITRE ATT&CK techniques:** | T1078 - Valid Accounts |
528-
529520
[Back to Machine learning-based anomalies list](#machine-learning-based-anomalies) | [Back to top](#anomalies-detected-by-the-microsoft-sentinel-machine-learning-engine)
530521

531522
### Potential data staging
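Review bot: same issue as the Domain Reputation section above: the description keeps the present tense ("This algorithm detects a user account which had sign-ins...") and nothing below the heading states when or why the detection was discontinued. Add the March 26, 2024 statement here too, and consider retaining the removed table (`CommonSecurityLog (PAN VPN)`, `T1078 - Valid Accounts`) marked as discontinued, so the two retired sections are handled identically.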

articles/sentinel/whats-new.md

Lines changed: 9 additions & 0 deletions
@@ -22,6 +22,7 @@ The listed features were released in the last three months. For information abou
2222

2323
- [Unified security operations platform in the Microsoft Defender portal (preview)](#unified-security-operations-platform-in-the-microsoft-defender-portal-preview)
2424
- [Microsoft Sentinel now generally available (GA) in Azure China 21Vianet](#microsoft-sentinel-now-generally-available-ga-in-azure-china-21vianet)
25+
- [Two anomaly detections discontinued](#two-anomaly-detections-discontinued)
2526

2627
### Unified security operations platform in the Microsoft Defender portal (preview)
2728

@@ -38,6 +39,14 @@ Microsoft Sentinel is now generally available (GA) in Azure China 21Vianet. Indi
3839

3940
For more information, see also [Geographical availability and data residency in Microsoft Sentinel](geographical-availability-data-residency.md).
4041

42+
### Two anomaly detections discontinued
43+
44+
The following anomaly detections are discontinued as of March 26, 2024, due to low quality of results:
45+
- Domain Reputation Palo Alto anomaly
46+
- Multi-region logins in a single day via Palo Alto GlobalProtect
47+
48+
For the complete list of anomaly detections, see the [anomalies reference page](anomalies-reference.md).
49+
4150
## March 2024
4251

4352
- [SIEM migration experience now generally available (GA)](#siem-migration-experience-now-generally-available-ga)
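Review bot: the new "### Two anomaly detections discontinued" section is inserted above the "## March 2024" heading, that is, in the section for the month after March, while its text dates the discontinuation to March 26, 2024; check whether the entry belongs under March 2024, or, if it is meant as the current month's announcement, phrase it as "As of March 26, 2024, the following anomaly detections are discontinued..." so the placement reads as the announcement date rather than the change date. The closing link to the [anomalies reference page](anomalies-reference.md) could also point at the renamed sections directly, since that page no longer carries an attribute table for either detection.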
