M365 Monitoring
Stay informed about what’s happening in your cloud environment. Understand how Attic monitors for suspicious activity.
Entra ID
- Guest Made Eligible for PIM Admin Role [RULE-1152]
- AITM Attack Detected via Suspicious User Agent Pattern [RULE-1150]
- Authentication Methods Modified for PIM-Eligible User [RULE-1149]
- Authentication Methods Modified [RULE-1148]
- Successful Sign-In Using FastHTTP User Agent [RULE-1147]
- AITM Attack Detected via Amazon Web Services Infrastructure [RULE-1146]
- AITM Attack Detected via Azure Infrastructure [RULE-1145]
- AITM Attack Detected via Known Phishing IP (didsomeoneclone.me) [RULE-1144]
- AITM Attack Detected via CloudFlare Infrastructure [RULE-1143]
- User Becomes Admin (PIM) [RULE-1142]
- User Added to Tier0 Role (non-PIM) [RULE-1141]
- User Added to Tier0 Role (PIM) [RULE-1140]
- New GDAP Relationship [RULE-1139]
- Guest Invite with High Privileges [RULE-1138]
- User Becomes Admin (Non-PIM) [RULE-1131]
- Emergency Access Account Used [RULE-1129]
- Sign-in Attempt with Disabled Account [RULE-1127]
- Guest Added to High Privilege Role [RULE-1123]
- MFA Exclusion Added [CHK-1154]
- Hidden Admin Roles in Entra ID [CHK-1160]
- Monitor Conditional Access Policies [CHK-1168]
- Guest Users with Administrative Rights [CHK-1131]
- Preventing Automatic Addition of Global Administrators to Local Administrators Group [CHK-1166]
- Minimize Local Administrators [CHK-1165]
- App Certificate Expiry Check [CHK-1163]
- App Secret Expires [CHK-1162]
- Python User-Agent Detected [RULE-1163]
- External User Added to Admin Role Outside PIM [RULE-1161]
- Suspicious Login (User Agent pattern) [RULE-1156]
- Suspicious Login (Empty User Agent) [RULE-1155]
- Maintaining Optimal Number of Global Admins in Microsoft 365 Tenant [CHK-1329]
- Log Monitoring [CHK-1111]
- Emergency Admin Account Check [CHK-1053]
- Suspicious Login (Threat Intelligence) [RULE-1154]
- Suspicious Login (Cloud Provider) [RULE-1151]
- AiTM Clone Detection and Mitigation [CHK-1102]
- Device code flow sign in on Tier0 account [RULE-1164]
- Suspicious country sign in on Tier0 account [RULE-1165]
- Admin started SSPR [RULE-1159/RULE-1160]
- Role Assignable Group Privilege Escalation [CHK-1180]
- Detection and Response to Potentially Harmful Apps [CHK-1176]
- Microsoft 365 Portal Clone Detected [CHK-1158]
- New App-Consent by Admin Check [CHK-1138]
- Clone Detection [CHK-1109]
SharePoint
Exchange Online
- Transport Rule with Suspicious Keywords [RULE-1026]
- Transport Rule Forwards Email to External Domain [RULE-1024]
- Mailbox External Forwarding Detected [RULE-1023]
- Suspicious Keyword in Mailbox Rule [RULE-1022]
- New Email Forwarding Rule Detected [RULE-1020]
- Suspicious Mailbox Rules Detection [CHK-1071]
- Mailbox Forwarding Baseline Check [CHK-1070]
- Transport Rule Redirects Email [CHK-1068]
- Removing Exempted Mail Domains [CHK-1061]
- Mailbox Auditing Bypass Check [CHK-1055]
- Delegate Admins [CHK-1051]