Incomplete list of Alerts

[esatymn]

[Enter feedback here]

Greetings!

I have noticed that the list of alerts at this page is incomplete. A customer requested log details being sent to Sentinel or a SIEM to identify the correct alert names.

Will it be possible to add sample logs for the below (and perhaps more) missing alerts?

• Suspected exploitation attempt on Windows Print Spooler service (external ID 2415)
• Suspected NTLM relay attack (Exchange account) (external ID 2037)
• Suspected rogue Kerberos certificate usage (external ID 2047)
• Suspected SMB packet manipulation (CVE-2020-0796 exploitation) (external ID 2406)
• Exchange Server Remote Code Execution (CVE-2021-26855) (external ID 2414)
• Suspicious modification of a sAMNameAccount attribute (CVE-2021-42278 and CVE-2021-42287 exploitation) (external ID 2419)
• Suspected Netlogon privilege elevation attempt (CVE-2020-1472 exploitation) (external ID 2411)
• Suspected AS-REP Roasting attack (external ID 2412)
• Suspected Golden Ticket usage (ticket anomaly using RBCD) (external ID 2040)
• Suspicious edit of the Resource Based Constrained Delegation Attribute by a machine account (KrbRelayUp)
• Suspicious Kerberos delegation attempt using BronzeBit method (CVE-2020-17049 exploitation) (external ID 2048)

Regards

Document Details

⚠ Do not edit this section. It is required for learn.microsoft.com ➟ GitHub issue linking.

• ID: 4ff82a4d-1c0d-7d05-f383-78a5506dda02
• Version Independent ID: 02bd7bc8-76ca-2511-93cb-f3f3de46337d
• Content: SIEM log reference - Microsoft Defender for Identity
• Content Source: ATPDocs/cef-format-sa.md
• Service: microsoft-defender-for-identity
• GitHub Login: @batamig
• Microsoft Alias: bagol

[batamig]

@RonitLitinsky can you take a look at this item? Can we plan to update the docs for any of these?

[esatymn]

[heart] Esat Yaman reacted to your message:

…

________________________________ From: Batami Gold ***@***.***> Sent: Monday, March 25, 2024 7:25:49 PM To: MicrosoftDocs/ATADocs ***@***.***> Cc: Esat Yaman ***@***.***>; Author ***@***.***> Subject: Re: [MicrosoftDocs/ATADocs] Incomplete list of Alerts (Issue #682) @RonitLitinsky<https://github.com/RonitLitinsky> can you take a look at this item? Can we plan to update the docs for any of these? — Reply to this email directly, view it on GitHub<#682 (comment)>, or unsubscribe<https://github.com/notifications/unsubscribe-auth/BDQDBDVI6XUVUKYHAUD6RRLY2BT23AVCNFSM6AAAAABFHOCUYWVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDAMJYG42DOOBQGM>. You are receiving this because you authored the thread.Message ID: ***@***.***>