ATPDocs/alerts-mdi-classic.md
4 lines changed: 0 additions & 4 deletions
@@ -37,7 +37,6 @@ The following security alerts help you identify and remediate **Reconnaissance a
|<a name="user-and-group-membership-reconnaissance-samr"></a><details><summary>User and Group membership reconnaissance (SAMR)</summary><br>**Previous name**: Reconnaissance using directory services queries.<br><br>**Description**:<br>User and group membership reconnaissance are used by attackers to map the directory structure and target privileged accounts for later steps in their attack. The Security Account Manager Remote (SAM-R) protocol is one of the methods used to query the directory to perform this type of mapping.<br>In this detection, no alerts are triggered in the first month after Defender for Identity is deployed (learning period). During the learning period, Defender for Identity profiles which SAM-R queries are made from which computers, both enumeration and individual queries of sensitive accounts.<br><br>**Learning period**: Four weeks per domain controller starting from the first network activity of SAMR against the specific DC.<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Discovery (TA0007)](https://attack.mitre.org/tactics/TA0007) <br> - **MITRE attack technique**: [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/), [Permission Groups Discovery (T1069)](https://attack.mitre.org/techniques/T1069/) <br> - **MITRE attack sub-technique**: [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/), [Domain Group (T1069.002)](https://attack.mitre.org/techniques/T1069/002/) <br><br>**Suggested steps for prevention**:<br> - Apply Network access and restrict clients allowed to make remote calls to SAM group policy.</details>|Medium|2021|
|<a name="active-directory-attributes-reconnaissance-ldap"></a><details><summary>Active Directory attributes reconnaissance (LDAP) </summary><br>**Description**:<br>Active Directory LDAP reconnaissance is used by attackers to gain critical information about the domain environment. This information can help attackers map the domain structure, as well as identify privileged accounts for use in later steps in their attack kill chain. Lightweight Directory Access Protocol (LDAP) is one of the most popular methods used for both legitimate and malicious purposes to query Active Directory.<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Discovery (TA0007)](https://attack.mitre.org/tactics/TA0007)<br> - **MITRE attack technique**: [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/), [System Network Connections Discovery (T1049)](https://attack.mitre.org/techniques/T1049/)<br> - **MITRE attack sub-technique**: [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/)<br></details>|Medium|2210|
|<a name="honeytoken-was-queried-via-ldap"></a><details><summary>Honeytoken was queried via LDAP </summary><br>**Description**:<br>User reconnaissance is used by attackers to map the directory structure and target privileged accounts for later steps in their attack. Lightweight Directory Access Protocol (LDAP) is one of the most popular methods used for both legitimate and malicious purposes to query Active Directory.<br>In this detection, Microsoft Defender for Identity will trigger this alert for any reconnaissance activities against a pre-configured [honeytoken user](entity-tags.md).<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Discovery (TA0007)](https://attack.mitre.org/tactics/TA0007)<br> - **MITRE attack technique**: [Account Discovery (T1087)](https://attack.mitre.org/techniques/T1087/), [Permission Groups Discovery (T1069)](https://attack.mitre.org/techniques/T1069/)<br> - **MITRE attack sub-technique**: [Domain Account (T1087.002)](https://attack.mitre.org/techniques/T1087/002/), [Domain Group (T1069.002)](https://attack.mitre.org/techniques/T1069/002/)</details>|Low|2429|
-
|<aname="suspicious-okta-account-enumeration"></a><details><summary>Suspicious Okta account Enumeration </summary><br>**Description**:<br>In account enumeration, attackers will try to guess user names by performing logins into Okta with users which are not belonged to the organization. <br>We will recommend investigating to source IP performing the failed attempts and determine whether they are legitimate or not. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Initial Access (TA0001)](https://attack.mitre.org/tactics/TA0001/), [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005/), [Persistence (TA0003)](https://attack.mitre.org/tactics/TA0003/), [Privilege Escalation (TA0004)](https://attack.mitre.org/tactics/TA0004/)<br> - **MITRE attack technique**: [Valid Accounts (T1078)](https://attack.mitre.org/techniques/T1087/)<br> - **MITRE attack sub-technique**: [Cloud Accounts (T1078.004)](https://attack.mitre.org/techniques/T1078/004/)</details>|High||
## Persistence and privilege escalation alerts
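Review bot: Deleting the `suspicious-okta-account-enumeration` row also deletes its named anchor (`<a name="suspicious-okta-account-enumeration">`), so any page or external link that deep-links to it will break; please check for inbound references and state in the commit description whether the Okta alert was retired or moved to another page, since the diff itself gives no reason. Note also that the removed row carried a wrong link (`Valid Accounts (T1078)` pointed at `https://attack.mitre.org/techniques/T1087/`), so if the row is being relocated rather than retired, correct the URL to `/techniques/T1078/` at its new home.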
@@ -90,8 +89,6 @@ The following security alerts help you identify and remediate **Credential acces
|<a name="abnormal-active-directory-federation-services-ad-fs-authentication-using-a-suspicious-certificate"></a><details><summary>Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate </summary><br>**Description**:<br>Anomalous authentication attempts using suspicious certificates in Active Directory Federation Services (AD FS) might indicate potential security breaches. Monitoring and validating certificates during AD FS authentication are crucial for preventing unauthorized access. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Forge Web Credentials (T1606)](https://attack.mitre.org/techniques/T1606/)<br> - **MITRE attack sub-technique**: N/A<br>> **Note**:> Abnormal Active Directory Federation Services (AD FS) authentication using a suspicious certificate alerts are only supported by Defender for Identity sensors on AD FS.</details>|High|2424|
|<aname="suspected-account-takeover-using-shadow-credentials"></a><details><summary>Suspected account takeover using shadow credentials </summary><br>**Description**:<br>The use of shadow credentials in an account takeover attempt suggests malicious activity. Attackers may attempt to exploit weak or compromised credentials to gain unauthorized access and control over user accounts. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> -**MITRE attack technique**: [OS Credential Dumping (T1003)](https://attack.mitre.org/techniques/T1003/)<br> - **MITRE attack sub-technique**: N/A </details>|High|2431|
|<aname="suspected-suspicious-kerberos-ticket-request"></a><details><summary>Suspected suspicious Kerberos ticket request </summary><br>**Description**:<br>This attack involves the suspicion of abnormal Kerberos ticket requests. Attackers might attempt to exploit vulnerabilities in the Kerberos authentication process, potentially leading to unauthorized access and compromise of the security infrastructure.<br><br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br>- **Secondary MITRE tactic**: [Collection (TA0009)](https://attack.mitre.org/tactics/TA0009) <br> - **MITRE attack technique**: [Adversary-in-the-Middle (T1557)](https://attack.mitre.org/techniques/T1557/)<br> - **MITRE attack sub-technique**: [LLMNR/NBT-NS Poisoning and SMB Relay (T1557.001)](https://attack.mitre.org/techniques/T1557/001/)</details>|High|2418|
-
|<aname="password-spray-against-onelogin"></a><details><summary>Password spray against OneLogin </summary><br>**Description**:<br>In Password spray, attackers try to guess small subset of passwords against large number of users. This is done in order to try to find if any of the users is using known\weak password. <br>We recommend investigating the source IP performing the failed logins to determine whether they're legitimate or not. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Brute Force (T1110)](https://attack.mitre.org/techniques/T1110/)<br> - **MITRE attack sub-technique**: [Password Spraying (T1110.003)](https://attack.mitre.org/techniques/T1110/003/)</details>|High||
-
|<aname="suspicious-onelogin-mfa-fatigue"></a><details><summary>Suspicious OneLogin MFA fatigue </summary><br>**Description**:<br>In MFA fatigue, attackers send multiple MFA attempts to user while trying to make them feel there's a bug in the system that keeps showing MFA requests which ask to allow the login or deny. Attackers try to force the victim to allow the login, which will stop the notifications and allow the attacker to login to the system.<br>We recommend investigating the source IP performing the failed MFA attempts to determine whether they're legitimate or not and if the user is performing logins. <br>**Learning period**: None<br> - **MITRE**:<br> - **Primary MITRE tactic**: [Credential Access (TA0006)](https://attack.mitre.org/tactics/TA0006) <br> - **MITRE attack technique**: [Multifactor Authentication Request Generation (T1621)](https://attack.mitre.org/techniques/T1621/)<br> - **MITRE attack sub-technique**: N/A</details>|High||
## Lateral movement alerts
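Review bot: The two deleted OneLogin rows are the only ones in this hunk with an empty alert-ID column (`|High||`), which suggests they were never assigned an ID or released; if that is why they are being removed, say so in the commit message, because readers comparing this classic list against the current alert list will otherwise look for a replacement page. While this region is being edited, the unchanged context rows carry markup defects worth fixing in the same change: the shadow-credentials row has ` -**MITRE attack technique**` (no space after the hyphen, so it does not render as a list item), the Kerberos row has `<br>- **Secondary MITRE tactic**` with the same problem, and the AD FS row's note reads `<br>> **Note**:> Abnormal ...` with stray blockquote markers inside a table cell.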
@@ -134,7 +131,6 @@ The following security alerts help you identify and remediate **Other** phase su
|<aname="suspicious-deletion-of-the-certificate-database-entries"></a><details><summary>Suspicious deletion of the certificate database entries </summary><br>**Description**:<br>The deletion of certificate database entries is a red flag, indicating potential malicious activity. This attack could disrupt the functioning of Public Key Infrastructure (PKI) systems, impacting authentication, and data integrity. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br>- **MITRE attack technique**: [Indicator Removal (T1070)](https://attack.mitre.org/techniques/T1070/)- **MITRE attack subtechnique**: N/A<br>**Note**: Suspicious deletions of the certificate database entries alerts are only supported by Defender for Identity sensors on AD CS.</details>|Medium|2433|
|<aname="suspicious-disable-of-audit-filters-of-ad-cs"></a><details><summary>Suspicious disable of audit filters of AD CS </summary><br>**Description**:<br>Disabling audit filters in AD CS can allow attackers to operate without being detected. This attack aims to evade security monitoring by disabling filters that would otherwise flag suspicious activities. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br>- **MITRE attack technique**: [Impair Defenses (T1562)](https://attack.mitre.org/techniques/T1562/)<br> - **MITRE attack subtechnique**: [Disable Windows Event Logging (T1562.002)](https://attack.mitre.org/techniques/T1562/002/) </details>|Medium|2434|
|<a name="directory-services-restore-mode-password-change"></a><details><summary>Directory Services Restore Mode Password Change </summary><br>**Description**:<br>Directory Services Restore Mode (DSRM) is a special boot mode in Microsoft Windows Server operating systems that allows an administrator to repair or restore the Active Directory database. This mode is typically used when there are issues with the Active Directory and normal booting isn't possible. The DSRM password is set during the promotion of a server to a domain controller. In this detection, an alert is triggered when Defender for Identity detects a DSRM password is changed. <br>We recommend investigating the source computer and the user who made the request to understand if the DSRM password change was initiated from a legitimate administrative action or if it raises concerns about unauthorized access or potential security threats. <br>**Learning period**: None<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Persistence (TA0003)](https://attack.mitre.org/tactics/TA0003)- **MITRE attack technique**: [Account Manipulation (T1098)](https://attack.mitre.org/techniques/T1098/)- **MITRE attack subtechnique**: N/A </details>|Medium|2438|
-
|<aname="possible-okta-session-theft"></a><details><summary>Possible Okta session theft </summary><br>**Description**:<br>In session theft, attackers steal the cookies of legitimate user and use it from other locations. <br>We recommend investigating the source IP performing the operations to determine whether those operations are legitimate or not, and that the IP address is used by the user.<br><br>**Learning period**: 2 weeks<br><br>**MITRE**:<br> - **Primary MITRE tactic**: [Collection (TA0009)](https://attack.mitre.org/tactics/TA0009)- **MITRE attack technique**: [Browser Session Hijacking (T1185)](https://attack.mitre.org/techniques/T1185/)- **MITRE attack subtechnique**: N/A </details>|High||
|<aname="group-policy-tampering"></a><details><summary>Group Policy Tampering </summary><br>**Description**:<br>A suspicious change has been detected in Group Policy, resulting in the deactivation of Windows Defender Antivirus. This activity may indicate a security breach by an attacker with elevated privileges who could be setting the stage for distributing ransomware.<br>**Suggested steps for investigation:**<br> - Understand if the GPO change is legitimate.<br> - If it wasn't, revert the change.<br> - Understand how the group policy is linked, to estimate its scope of impact.<br><br>**Learning period**: None<br><br>**MITRE**:<br>**Primary MITRE tactic**: [Defense Evasion (TA0005)](https://attack.mitre.org/tactics/TA0005)<br> - **MITRE attack technique**: [Subvert Trust Controls (T1553)](https://attack.mitre.org/techniques/T1553/)<br> - **MITRE attack subtechnique**: N/A</details>|Medium|2440|
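Review bot: The remaining rows in this hunk share the formatting defect of the deleted Okta session-theft row: in the certificate-database row `...T1070/)- **MITRE attack subtechnique**` and in the DSRM row `...TA0003)- **MITRE attack technique**: ...T1098/)- **MITRE attack subtechnique**` the list items run together with no `<br>` separator, so they render on one line, and the Group Policy Tampering row's `**Primary MITRE tactic**` lacks the ` - ` prefix the other rows use. Since the deletion is the only change here, consider fixing those three context rows in the same commit (insert `<br>` before each `- **MITRE ...**` item) so the section is left consistent.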