
Commit a0479f0

acrolinx fix
1 parent 5462317 commit a0479f0


1 file changed

+7
-7
lines changed


ATPDocs/alerts-xdr.md

Lines changed: 7 additions & 7 deletions
@@ -1,20 +1,20 @@
11
---
22
title: Microsoft Defender for Identity XDR security alerts
3-
description: This article provides a list of the sXDR ecurity alerts issued by Microsoft Defender for Identity.
3+
description: This article provides a list of the XDR security alerts issued by Microsoft Defender for Identity.
44
ms.date: 07/29/2025
55
ms.topic: reference
66
ms.reviewer: rlitinsky
77
---
88

99
# Microsoft Defender for Identity XDR alerts
1010

11-
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists
11+
Microsoft Defender for Identity alerts can appear in the Microsoft Defender XDR portal in two different formats depending on if the alert originates from Defender for Identity or Defender XDR. All alerts are based on detections from Defender for Identity sensors. The differences in layout and information are part of an ongoing transition to a unified alerting experience across Microsoft Defender products. This article lists
1212

1313
To learn more about how to understand the structure, and common components of all Defender for Identity security alerts, see [View and manage alerts](understanding-security-alerts.md).
1414

1515
## Microsoft Defender for Identity XDR alert categories
1616

17-
Defender for Identity security alerts are categorized by their corresponding MITRE ATT&CK tactics. This makes it easier to understand the suspected attack technique potentially in use when a Defender for Identity alert is triggered. This page contains information on each alert, to help with your investigation and remediation tasks. This guide contains general information about the conditions for triggering alerts. However, it's important to note that since anomaly detections are nondeterministic by nature, they're only triggered when there's behavior that deviates from the norm.
17+
Defender for Identity security alerts are categorized by their corresponding MITRE ATT&CK tactics. This makes it easier to understand the suspected attack technique potentially in use when a Defender for Identity alert is triggered. This page contains information on each alert, to help with your investigation and remediation tasks. This guide contains general information about the conditions for triggering alerts. Note that anomaly-based alerts are only triggered when behavior significantly deviates from established baselines.
1818

1919
* [Initial Access](#initial-access-alerts)
2020
* [Execution](#execution-alerts)
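Review bot: the sentence ending line 11, "This article lists", is cut off in both the removed and the added version, so this hunk's edit to that line (whitespace only, as far as the rendered diff shows) leaves a dangling fragment in the intro; finish it (for example "This article lists the alerts that appear in the XDR format.") or drop it. In the same line, "depending on if the alert originates" reads better as "depending on whether the alert originates". In line 17 the rewrite drops the reason the original gave, that anomaly detections are nondeterministic, which is the substantive point for a reader wondering why a matching event did not raise an alert; keep a short version such as "Because anomaly-based alerts are nondeterministic, they're only triggered when behavior significantly deviates from established baselines." and drop the "Note that" opener, which style checkers flag as filler.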
@@ -97,8 +97,8 @@ This section describes alerts indicating that a malicious actor might be attempt
9797
|<a name="as-rep-roasting"></a><details><summary>AS-REP roasting</summary><br>**Description**:<br><br>Multiple attempts to sign in without preauthentication were detected. This behavior might indicate an Authentication Server Response (AS-REP) roasting attack, which targets the Kerberos authentication protocol, specifically accounts that have turned off preauthentication.</details> | Medium | [T1558.004](https://attack.mitre.org/techniques/T1558/004) | xdr_AsrepRoastingAttack |
9898
|<a name="honeytoken-activity"></a><details><summary>Honeytoken Activity</summary><br>**Description**:<br><br>Honeytoken user attempted to sign in</details> | High | [T1098](https://attack.mitre.org/techniques/T1098) | xdr_HoneytokenSignInAttempt |
9999
|<a name="negoex-relay-attack"></a><details><summary>NEGOEX relay attack</summary><br>**Description**:<br><br>An attacker used NEGOEX to impersonate a server that a client wants to connect to so that the attacker can then relay the authentication process to any target. This allows the attacker to gain access to the target. NEGOEX is an authentication protocol designed to authenticate user accounts to Microsoft Entra joined devices.</details> | High | [T1187](https://attack.mitre.org/techniques/T1187), [T1557.001](https://attack.mitre.org/techniques/T1557/001) | xdr_NegoexRelayAttack |
100-
|<a name="okta-privileged-role-assigned-to-application"></a><details><summary>Okta privileged role assigned to application</summary><br>**Description**:<br><br>{ActorAliasName} assigned {RoleDisplayName} role to applictaion: {ApplicationDisplayName}</details> | High | [T1003.006](https://attack.mitre.org/techniques/T1003/006) | xdr_OktaPrivilegedRoleAssignedToApplication |
101-
|<a name="possible-as-rep-roasting-attack"></a><details><summary>Possible AS-REP roasting attack</summary><br>**Description**:<br><br>A suspicious Kerberos authentication request was made to accounts that do not require pre-authentication. An attacker might be performing an AS-REP roasting attack to steal passwords and gain further access into the network.</details> | Medium | [T1558.004](https://attack.mitre.org/techniques/T1558/004) | xdr_AsrepRoastingAttack |
100+
|<a name="okta-privileged-role-assigned-to-application"></a><details><summary>Okta privileged role assigned to application</summary><br>**Description**:<br><br>{ActorAliasName} assigned {RoleDisplayName} role to application: {ApplicationDisplayName}</details> | High | [T1003.006](https://attack.mitre.org/techniques/T1003/006) | xdr_OktaPrivilegedRoleAssignedToApplication |
101+
|<a name="possible-as-rep-roasting-attack"></a><details><summary>Possible AS-REP roasting attack</summary><br>**Description**:<br><br>A suspicious Kerberos authentication request was made to accounts that do not require preauthentication. An attacker might be performing an AS-REP roasting attack to steal passwords and gain further access into the network.</details> | Medium | [T1558.004](https://attack.mitre.org/techniques/T1558/004) | xdr_AsrepRoastingAttack |
102102
|<a name="possible-golden-saml-attack"></a><details><summary>Possible Golden SAML attack</summary><br>**Description**:<br><br>A privileged user account authenticated with characteristics that might be related to a Golden SAML attack.</details> | High | [T1071](https://attack.mitre.org/techniques/T1071), [T1606.002](https://attack.mitre.org/techniques/T1606/002) | xdr_PossibleGoldenSamlAttack |
103103
|<a name="possible-netsync-attack"></a><details><summary>Possible NetSync attack</summary><br>**Description**:<br><br>NetSync is a module in Mimikatz, a post-exploitation tool, that requests the password hash of a target device's password by pretending to be a domain controller. An attacker might be performing malicious activities inside the network using this feature to gain access to the organization's resources.</details> | High | [T1003.006](https://attack.mitre.org/techniques/T1003/006) | xdr_PossibleNetsyncAttack |
104104
|<a name="possible-account-secret-leak"></a><details><summary>Possible account secret leak</summary><br>**Description**:<br><br>A failed attempt to sign in to a user account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The user account's credentials might have been leaked or are in the possession of an unauthorized party.</details> | Medium | [T1078](https://attack.mitre.org/techniques/T1078) | xdr_CredentialStuffingToolObserved |
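Review bot: the two AS-REP rows in this hunk, "AS-REP roasting" (line 97) and "Possible AS-REP roasting attack" (line 101), both carry the alert ID xdr_AsrepRoastingAttack, so a reader mapping from ID back to alert title gets two answers; if one is the legacy or pre-unification title, say so in that row, otherwise merge them. The "preauthentication" spelling in line 101 now matches line 97, which is good. In line 100 the typo fix is right, but the MITRE mapping for "Okta privileged role assigned to application" is T1003.006, which is DCSync (an OS Credential Dumping sub-technique) and does not describe assigning a privileged Okta role to an application; T1098 (Account Manipulation), already used for the honeytoken and ESXi rows in this table, is the closer match. Worth confirming with the detection owner before the next pass so the tactic grouping on this page stays accurate.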
@@ -108,12 +108,12 @@ This section describes alerts indicating that a malicious actor might be attempt
108108
|<a name="possible-service-principal-account-secret-leak"></a><details><summary>Possible service principal account secret leak</summary><br>**Description**:<br><br>A failed attempt to sign in to a service principal account by a credential stuffing tool was detected. The error code indicates that the secret was valid but misused. The service principal account's credentials might have been leaked or are in the possession of an unauthorized party.</details> | Medium | [T1078](https://attack.mitre.org/techniques/T1078) | xdr_CredentialStuffingToolObserved |
109109
|<a name="possibly-compromised-service-principal-account-signed-in"></a><details><summary>Possibly compromised service principal account signed in</summary><br>**Description**:<br><br>A possibly compromised service principal account signed in. A credential stuffing attempt was successfully authenticated, indicating that the service principal account's credentials might have been leaked or are in the possession of an unauthorized party.</details> | Medium | [T1078](https://attack.mitre.org/techniques/T1078) | xdr_CredentialStuffingToolObserved |
110110
|<a name="possibly-compromised-user-account-signed-in"></a><details><summary>Possibly compromised user account signed in</summary><br>**Description**:<br><br>A possibly compromised user account signed in. A credential stuffing attempt was successfully authenticated, indicating that the user account's credentials might have been leaked or are in the possession of an unauthorized party.</details> | Medium | [T1078](https://attack.mitre.org/techniques/T1078) | xdr_CredentialStuffingToolObserved |
111-
|<a name="suspicious-dmsa-related-activity-detected"></a><details><summary>Suspicious DMSA related activity detected</summary><br>**Description**:<br><br>A suspicious DMSA related activity was detected. This may indicate a compromised managed account or an attempt to exploit an DMSA account.</details> | High | [T1555](https://attack.mitre.org/techniques/T1555) | xdr_SuspiciousDmsaAction |
111+
|<a name="suspicious-dmsa-related-activity-detected"></a><details><summary>Suspicious DMSA related activity detected</summary><br>**Description**:<br><br>A suspicious DMSA related activity was detected. This may indicate a compromised managed account or an attempt to exploit a DMSA account.</details> | High | [T1555](https://attack.mitre.org/techniques/T1555) | xdr_SuspiciousDmsaAction |
112112
|<a name="suspicious-golden-gmsa-related-activity"></a><details><summary>Suspicious Golden gMSA related activity</summary><br>**Description**:<br><br>A suspicious read activity was made to sensitive group Managed Service Account (gMSA) objects, which could be associated with a threat actor trying to leverage the Golden gMSA attack.</details> | High | [T1555](https://attack.mitre.org/techniques/T1555) | xdr_SuspiciousGoldenGmsaActivity |
113113
|<a name="suspicious-kerberos-authentication-ap-req"></a><details><summary>Suspicious Kerberos authentication (AP-REQ)</summary><br>**Description**:<br><br>A suspicious Kerberos application request (AP-REQ) was detected. An attacker might be using stolen credentials of a service account to attempt a silver ticket attack. In this kind of attack, an attacker forges a service ticket (Ticket Granting Service or TGS) for a specific service within a network, which allows the attacker to access that service without needing to interact with the domain controller after the initial compromise.</details> | High | [T1558](https://attack.mitre.org/techniques/T1558), [T1558.002](https://attack.mitre.org/techniques/T1558/002) | xdr_SuspiciousKerberosApReq |
114114
|<a name="suspicious-kerberos-authentication-as-req"></a><details><summary>Suspicious Kerberos authentication (AS-REQ)</summary><br>**Description**:<br><br>A suspicious Kerberos authentication request (AS-REQ) for a ticket-granting ticket (TGT) was observed. This anomalous TGT request is suspected to have been specially crafted by an attacker. The attacker might be using stolen credentials to leverage this attack.</details> | Medium | [T1550](https://attack.mitre.org/techniques/T1550), [T1558](https://attack.mitre.org/techniques/T1558) | xdr_SusKerberosAuth_AsReq |
115115
|<a name="suspicious-kerberos-authentication-tgt-request-using-tgs-req"></a><details><summary>Suspicious Kerberos authentication (TGT request using TGS-REQ)</summary><br>**Description**:<br><br>A suspicious Kerberos ticket-granting service request (TGS-REQ) involving the Service for User to Self (S4U2self) extension was observed. This anomalous TGS request is suspected to have been specially crafted by an attacker.</details> | Medium | [T1550](https://attack.mitre.org/techniques/T1550), [T1558](https://attack.mitre.org/techniques/T1558) | xdr_SusKerberosAuth_S4U2selfTgsReq |
116-
|<a name="suspicious-creation-of-esxi-group"></a><details><summary>Suspicious creation of ESXi group</summary><br>**Description**:<br><br>A suspicious VMWare ESXi group was created in the domain. This might indicate that an attacker is trying to get more permissions for later steps in an attack.</details> | High | [T1098](https://attack.mitre.org/techniques/T1098) | xdr_SuspiciousUserAdditionToEsxGroup |
116+
|<a name="suspicious-creation-of-esxi-group"></a><details><summary>Suspicious creation of ESXi group</summary><br>**Description**:<br><br>A suspicious VMware ESXi group was created in the domain. This might indicate that an attacker is trying to get more permissions for later steps in an attack.</details> | High | [T1098](https://attack.mitre.org/techniques/T1098) | xdr_SuspiciousUserAdditionToEsxGroup |
117117

118118
## Discovery alerts
119119
